BreachExchange mailing list archives

5 reasons why web apps are so frequently insecure


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 9 Dec 2015 18:50:24 -0600

http://betanews.com/2015/12/09/5-reasons-why-web-apps-are-so-frequently-insecure/

The unrelenting move to the cloud means that web apps are becoming ever
more common. They have also increasingly become targets for hackers and
this is often because of security failings; many of the recent high-profile
security breaches have come about because of web app security
vulnerabilities.

Ilia Kolochenko, CEO of High-Tech Bridge, suggests a quintet of things
companies do -- or fail to do -- that make the life of hackers easier.

*1. Underestimation of Risks and Threats Related to Insecure Web
Applications*

Many large companies and international organizations still seriously
underestimate the value of their web applications, and have their security
as the lowest priority in their risk management. And I am not even speaking
about complicated SSRF or application logic flaws, but at least about
proper detection and remediation of OWASP Top Ten vulnerabilities.

As we can see from the beginning of this article, companies just don’t
realize that a vulnerable website is a perfect vector to start an APT
without spending much money on it.

*2. Lack of Continuous Monitoring*

Web technologies are constantly evolving, and what is secure today may
become vulnerable tonight. Therefore, a quarterly scan and an annual pen test
to achieve PCI DSS compliance are not enough anymore to stay ahead of
hackers. Many companies do not perceive web application security as a
continuous process, but rather as a one-time audit, putting their web
infrastructure and related back-end at critical risk.

*3. Missing or Poorly-Implemented Secure Software Development Life Cycle
(S-SDLC)*

In spite of a plethora of guidelines and standards of secure software
development in existence today, many companies still ignore them due to
high complexity or expense of implementation. The situation is even worse
in companies where software development teams have existed for years -- as
any change to well-established [but insecure] procedures will be met with
hostility, as nobody wants to spend additional time on software security if
not paid additionally for it.

*4. Dominance of Business Needs Over Security Processes*

Data breaches via insecure web applications regularly occur even in
companies where S-SDLC is mature and well integrated into a company’s daily
business processes. The consequences of the financial crisis of 2009 are
still here -- many companies suffer from sluggish demand and very tough
global competition. Often the business requires a new feature to be done in a
few hours on Friday evening to outperform a competitor -- of course, we can
forget about security when such pressure occurs.

Nevertheless, it's the business that pays the salaries of developers and
infosec folks, and it's always the business that has the last word. However,
it's also the business that must be ready to take responsibility for a
new data breach and the related costs.

*5. Ignorance of Third-Party Risks*

Many companies are starting to introduce thorough security and compliance
guidelines for their third-party suppliers and partners; however, they often
fail to cover proper web application security in them. As a result,
attackers can compromise the website of your long-time supplier, consultant
or partner, and instead of hosting malware on your website -- they host it
on a trusted party's website, achieving the same result in the end.

Jan Schreuder, partner, cybersecurity leader from PwC Switzerland, says:
"Recently we've seen many organizations attacked through sophisticated
cyber attacks on their supply chain partners. With global supply chains
becoming more and more digital and interconnected, establishing trust in
your supply chain is becoming more challenging all the time".

As paying for an anti-smoking patch is much cheaper and less dramatic than
spending a six-digit amount on cancer treatment, spending on preventive web
application security is much more cost-effective and less painful than
paying for APT forensics. Therefore, if you are currently finalizing your
cybersecurity budget for 2016 -- don’t forget about proper web application
security, not just vulnerability scanning.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/