Deploying a Successful Web Application II – The Importance of Security Testing

Picking up the analogy we drew with Moses and his tablet in the previous blog, this epochal moment in history was also exposed to a variety of other risks. Think of the Pharaohs, who were bent on disrupting Moses’ attempts to free his people, as the hackers who constantly jeopardize the security functions of a web application. Moses too fought back these attempts with the famed ten plagues and the sea of blood, and delivered his people to safety.

How vulnerable are we?

Ok, so here is the reality check. North Korean hackers (allegedly) almost brought Sony, the media corporation behemoth, to its knees with sensitive data they stole from its systems. Every piece of data held online, every mail exchange between Sony employees through popular web applications like Gmail, Hangouts and others, was captured. This was done to stop the release of a movie demeaning Kim Jong, but that’s another story. The fact is that anyone with a PC that’s online is vulnerable, and multinational corporations that can’t do without them are constantly exposed. According to Gartner, about 75% of attacks are tunneled through web applications, and most of us are clueless about where these attacks come from.

So how important is security testing for web applications?

» Financial Benefit – Once a web application has been compromised, there are various repercussions, the most important being financial damage. When a web application is hacked, the damage occurs at multiple points: the application could stop working in the middle of use, it could leak sensitive data to the attackers, and rectifying all of that carries the cost of recovering the information and restoring the application to its original state.

Did you know that computer security attacks cost as much as $10 billion a year, according to the popular site Computerworld?

» Gaining Trust from Customers – An interesting incident that one can recall is the sale of WhatsApp to Facebook. For many of us, WhatsApp has been the platform for messaging (RIP SMS). With the acquisition by Facebook, which could now access all the data of WhatsApp users, there was a significant drop in users from Europe as people started losing trust in WhatsApp. This gave rise to an alternative called ‘Telegram’, which was more private and secure for its users. In the same way, customers care a great deal about how their data is handled, and the key to remaining relevant in the market is gaining the customer’s trust.

» Maintaining the Edge – By adopting the latest security measures for web applications, organizations can brand themselves as state-of-the-art web application providers, giving them an edge over competitors. This approach can significantly improve market share.

Examples of Vulnerabilities

Just to give you a heads-up, there are multiple ways hackers can get in. Before looking at how, it is important to understand the purpose of the activity. The intentions could range from fraud, data theft and phishing to identity theft, defamation and so on.

There are a number of ways to achieve these aims, but understanding some of the most common attacks is an eye-opener to the importance of web application security testing. Here are the top 3:

» SQL Injection – In short, data-driven applications fear it. The primary objective of this form of attack is the manipulation of database information. It involves entering malicious SQL statements into an entry field so that they are executed via the web page’s input, which can compromise the security of the web application.

» Cross-Site Scripting (XSS) – Another form of threat, XSS enables attackers to inject client-side script into web pages viewed by other users. The consequences range from compromise of private information and cookie theft to execution of malicious code, and so on.

» Cookie Poisoning – In this technique a hacker modifies the information stored in cookies on the target user’s system; it is primarily used for identity theft. The attacker could use the information to open new accounts or to gain access to the user’s existing accounts.
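To make the three items above concrete from the tester’s side, here is an added Python example (not code from the original post) that places a vulnerable handler beside its hardened form for each one, so a security test can assert on the difference: a parameterized query for SQL injection, output escaping for XSS, and an HMAC-signed cookie whose tampering is detected. The in-memory SQLite table, the sample comment and the signing key are all constructed for the example.

```python
import sqlite3
import html
import hmac
import hashlib

# --- constructed sample data: a tiny users table in an in-memory SQLite DB ---
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

# 1. SQL injection: string-built query vs. parameter binding
def lookup_user_vulnerable(conn, username):
    # The user-supplied value is pasted into the SQL text, so quote
    # characters in it change the statement the database executes.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, username):
    # The driver sends the value separately from the statement; whatever
    # the input contains, it is only ever compared as data.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

# 2. XSS: raw interpolation into HTML vs. escaping on output
def render_comment_vulnerable(comment):
    # Markup in the comment becomes part of the page other users see.
    return "<p>%s</p>" % comment

def render_comment_safe(comment):
    # html.escape turns <, >, &, " and ' into entities, so the browser
    # renders the text literally instead of executing it.
    return "<p>%s</p>" % html.escape(comment, quote=True)

# 3. Cookie poisoning: sign the cookie so client-side edits are detected
SECRET = b"hypothetical-server-side-key"  # assumed; load from config in practice

def sign_cookie(value):
    # Append an HMAC-SHA256 tag computed over the cookie value.
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (value, tag)

def verify_cookie(cookie):
    # Recompute the tag server-side; return the value only if it matches.
    value, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged cookie
    return value

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the classic security-test input
    print("vulnerable:", lookup_user_vulnerable(db, probe))  # every row
    print("safe:      ", lookup_user_safe(db, probe))        # no rows
    print(render_comment_safe("<script>alert(1)</script>"))
    signed = sign_cookie("user=alice")
    print(verify_cookie(signed), verify_cookie(signed.replace("alice", "admin")))
```

The same pattern applies to a real test suite: feed each handler the kind of input a scanner would send and assert that the hardened version returns nothing extra, emits no raw markup, and rejects an altered cookie.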

Your Web Application Security Action Plan

Here are the three guidelines that one must follow when implementing a web application security action plan –

  • Gaining Perspective – Before implementing any plan, it is important to first perform audits and defect testing throughout the entire lifecycle of a web application. Regular audits and analysis should start with production applications, where you can identify any existing risks. Furthermore, realize that the entire development lifecycle acts as a breeding ground for defects. Perform comprehensive security tests throughout the process between development and QA to minimize costs and online contingencies.
  • Communicating with the Stakeholders – Few developers realize the significance of this stage within the action plan. It is important that the client or business initiating the development knows what these vulnerabilities are and whether there is any compliance exposure. Keep the stakeholders informed of the possible ways in which an attack can take place, and provide the right guidelines for prevention as well as remediation. Taking into consideration the growing list of governmental and internal regulations, risk compliance requirements and R&D, it is always recommended that you validate application risks through communication.

Finally, to be able to truly assess whether your risk assessment and mitigation process was successful, design a method of measuring the successes and failures of the procedures that were implemented. Measuring and analyzing the scan results can significantly help mitigate the risks and liabilities introduced by deploying a web application.
