Wednesday, 20 February 2008

Vulnerabilities in Web Applications remain No.1

The annual update to the SANS Top 20 list was published recently. The list compiles the twenty most critical classes of security vulnerabilities in computer software for the year. According to the SANS Institute (SysAdmin, Audit, Network, Security), web applications remain in pole position as the most common source of security vulnerabilities.

The problem with web applications is that they must be reachable from anywhere on the Internet. You cannot secure them simply by telling a firewall to filter out the bad guys: at the network level, a request from a skilled attacker looks exactly like a request from a normal user (same port, same protocol, a well-formed HTTP request), so any attempt to tell them apart there will inevitably fail.

The web application itself must therefore be air-tight when it comes to security. Unfortunately, preventing vulnerabilities such as Cross-Site Scripting (XSS) is not as easy as it sounds. In our security assessments we regularly find XSS vulnerabilities, among others, in the target applications, and we usually find them within minutes of getting access to the customer's test system. Fixing them is harder than finding them: to a developer who is not a security specialist there appear to be many ways to mitigate XSS, but only a few of them (in essence, consistent output encoding of all untrusted data, matched to the HTML context it is written into) fix the vulnerability once and for all. The others merely block the specific proof-of-concept attack we report, typically by filtering out the known bad string. A slight modification of the payload then circumvents the alleged fix: our proof of concept no longer works, but the vulnerability persists.
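The following is an added example, not code from the original post or from any of the assessed applications, illustrating the three stages described above in a server-side rendering function: the vulnerable version, a "fix" that only strips the reported proof-of-concept payload, and the lasting fix that encodes untrusted input for the HTML context. The payload strings and the `containsActiveContent` check are constructed for the demonstration; a real test would render the output in a browser or parse it with an HTML parser.

```javascript
// Added example: rendering a user-supplied name into an HTML page.
// The payloads below are constructed test data, not findings from any assessment.

// 1. Vulnerable: user input is concatenated straight into the markup.
function renderVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

// 2. "Fix" that only blocks the reported proof of concept: strip <script> tags.
//    A payload that uses an inline event handler instead of a <script> tag
//    contains nothing the filter looks for and passes through unchanged.
function renderBlacklist(name) {
  const stripped = String(name).replace(/<script\b[^>]*>.*?<\/script>/gi, "");
  return `<p>Hello, ${stripped}!</p>`;
}

// 3. Lasting fix: encode every character that has meaning in HTML text or
//    quoted-attribute context. Whatever tag or handler the payload uses, it
//    can no longer change the structure of the document.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

function renderEscaped(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Crude check used only by this demo: does the output still contain a script
// tag or a tag with an inline on* event handler?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

const pocPayload = "<script>alert(1)</script>";        // the payload a tester reports
const variantPayload = "<img src=x onerror=alert(1)>"; // a slight modification of it

// Returns, for each rendering strategy, whether the page still carries
// attacker-controlled active content.
function demo() {
  return {
    vulnerablePoc: containsActiveContent(renderVulnerable(pocPayload)),          // true
    blacklistPoc: containsActiveContent(renderBlacklist(pocPayload)),            // false: PoC blocked
    blacklistVariant: containsActiveContent(renderBlacklist(variantPayload)),    // true: still exploitable
    escapedPoc: containsActiveContent(renderEscaped(pocPayload)),                // false
    escapedVariant: containsActiveContent(renderEscaped(variantPayload)),        // false
  };
}

console.log(demo());
```

The blacklist version passes the retest with the original payload and fails against the variant, which is exactly the pattern described above. Note that `escapeHtml` is the right encoding only for HTML text and quoted attribute values; data written into a JavaScript string, a URL, or a CSS value needs the encoding appropriate to that context.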

The key takeaway for you:
The most effective and efficient way to secure a software application is to bring in security experts right from the start. This lets you build the application on a secure foundation instead of patching individual findings afterwards. Remember that you cannot test security into an application…
