The Significance of Web Applications Security
Here are key reasons to justify web application security investments:
Compliance
Some security controls are mandated by government regulation, industry standards/requirements, or contractual agreements. Compliance can be split into three separate justifications: mandated controls (PCI web application security requirements), non-mandated controls that avoid other compliance violations (data protection to avoid a breach disclosure), and investments that reduce the cost of compliance (lower audit costs or TCO). The average organization weighs all three factors when deciding what to invest in web application security.
One of the mandated controls is the Payment Card Industry (PCI) Data Security Standard (DSS), a set of data security requirements that applies to organizations that store, process or transmit credit/debit card information. Validating compliance with PCI requirements is an important part of safeguarding cardholder data and the organization's reputation.
Cost Savings
Some web application security controls can reduce your cost of compliance, especially audit costs, but there are additional opportunities for savings. Web application security tools and processes applied during the development and maintenance stages of the application can reduce the cost of manual processes or controls. In addition, there are direct costs associated with breach notifications when sensitive information is involved, such as setting up call centers for customer inquiries.
Availability
When dealing with web applications, we should look at both total availability (direct uptime) and service availability (loss of part of the application due to attack, or the time needed to repair a defect). In addition, during an active attack a site may need to shut down some of its services to protect users.
User Protection
While user protection itself is not quantifiable, a major justification for investment in web security is to retain users’ trust in the enterprise. Attackers frequently use trusted sites to attack connected users, resulting in loss of trust in the organization itself. Many models are available that attempt to quantify potential losses due to reputation damage, but there is no accurate way to measure secondary losses associated with a successful attack.
Reputation damage
Customers who visit a website and see that it does not prevent attacks such as cross-site scripting do not stay on the site. Additionally, attackers often publish the websites that they have hacked.
Protection Challenges
Currently, web applications commonly use SSL-encrypted traffic when submitting sensitive information over the web. IDS/IPS are incapable of decrypting and inspecting SSL-encrypted traffic. Hackers take advantage of this limitation: by hiding their attacks in SSL-encrypted traffic, they can enter a network undetected. As a solution, some enterprises terminate SSL sessions (before the IDS/IPS analyzes the traffic), block malicious traffic, re-encrypt legitimate traffic and pass it on. This, however, introduces latency into the network.
Another issue is session tracking. Session-tracking code must be added by application developers working with stateless HTTP. Teams under pressure from time-to-market deadlines do not secure this code, opening the door to session hijacking or cookie poisoning attacks.
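As an added illustration of the session-tracking point (example code written for this page, not from the original article): a minimal Python session cookie that addresses both problems named above. The session identifier comes from a cryptographically secure random source so it cannot be guessed, the cookie value carries an HMAC so any poisoning (tampering) is detected when the cookie comes back, and the Set-Cookie attributes keep the cookie off plaintext connections, away from page scripts, and out of cross-site requests. The secret key and the cookie contents are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def new_session_id() -> str:
    """256-bit random session identifier: not guessable or enumerable."""
    return secrets.token_urlsafe(32)


def sign(value: str, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC-SHA256 tag so the server can detect a poisoned value."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{value}.{tag}"


def verify(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all: reject rather than trust the client
    expected = sign(value, key)
    # Constant-time comparison so timing does not leak tag bytes.
    if not hmac.compare_digest(expected.encode(), signed.encode()):
        return None
    return value


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header for a signed session identifier."""
    cookie = SimpleCookie()
    cookie["session"] = sign(session_id)
    cookie["session"]["secure"] = True      # never sent over plain HTTP
    cookie["session"]["httponly"] = True    # not readable by page scripts
    cookie["session"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    sid = new_session_id()
    print(session_cookie_header(sid))
    # A client that edits the cookie value fails verification:
    print(verify(sign("uid=42&role=user").replace("role=user", "role=admin")))
```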
