According to the not-for-profit IT security association, the white paper – which is available to anyone upon registration via the main ISACA website – outlines the causes of web application vulnerabilities, examines the associated risk and impacts, and provides advice to mitigate the security risk involved.
The white paper – titled `Web Application Security: Business and Risk Considerations' – looks at the increasing use of web applications, which it says have soared recently, due to the significant value they can add to enterprises by providing innovative ways to interact with customers.
However, notes the guide, so have the dangers as, along with the benefits of these capabilities come security vulnerabilities that create dangerous risk and exposure.
Marc Vael, ISACA's director of the knowledge board and chairman of the association's cloud computing task force, said that organizations are performing more and more high-value or highly confidential transactions through the internet.
“But in many cases we notice that executive management is not (made) fully aware of the real security risks”, he said, adding that, on the contrary, managers tend to push hard to go ahead and launch the web solution(s), even when these are not properly tested.
“Thus a lot of assumptions and a false sense of trust reigns in many organizations on the security of their web applications, until it is too late”, he explained.
The ISACA paper notes that new web applications are client-server based and platform independent, require less computing power, and can be seamlessly integrated with online resources and services.
Their use, the guide notes, can result in time and cost reduction of processes, increased customer satisfaction, and increased revenue. However, against this backdrop, web application vulnerabilities open the door to the exploitation of sensitive corporate information, disruption of service and theft of intellectual property.
Common vulnerabilities identified in the white paper include SQL injection, cross-site scripting, insecure direct object reference, information leakage and insufficient anti-automation.
So what are the strategies for dealing with these issues? The paper recommends that security measures must be mandatory components that are included early in the process and that programmers must be trained in secure coding techniques. In addition, it recommends that there must be a robust quality assurance process in place to enforce continuous, controlled quality testing, and that deployed applications must be continuously monitored for newly discovered vulnerabilities.
Vael concluded that, in order to challenge the security expectations, ISACA recommends that IT professionals review theor web application security for all active solutions, in order to find out where it can be improved in a tangible manner.