In the previous blog, I described the new security tools and methodologies that IBM envisions. Since then, I have been taking a closer look at the challenges executives and developers encounter when trying to integrate security tools and processes into the software development lifecycle, and I have some interesting results to share!
Traditionally, organizations depend on perimeter controls to keep them secure. Unfortunately, network firewalls and network vulnerability scanners cannot stop application-level attacks. By design, web applications allow outsiders to interact with an organization’s systems and data, and that interaction passes straight through network defense mechanisms such as firewalls and network-based intrusion detection systems, because it looks like ordinary HTTP traffic.
Studies indicate that 75 percent of attacks now target web applications, and that most web applications are vulnerable to these types of attacks. Clearly, web application security can no longer be ignored.
From a technology perspective, automated web application security tools are beneficial in both scale and cost. An automated tool allows consistent, reliable and scalable examination of web application security vulnerabilities across large, diverse environments. In addition, an automated tool can provide relevant remediation recommendations that are consistent with corporate policy and requirements.
From a process perspective, integrating web application security testing into the software development lifecycle is a key initiative for establishing good risk management. While this can and should be performed by a dedicated and knowledgeable security assessment team as part of the final review, it should also be integrated into the early stages of application development, so that security issues are addressed as they appear, which saves both time and cost.
Threats to web applications include but are not limited to:
- Cross-site scripting: 80% of web applications are vulnerable to this threat, which would permit impersonating another user
- SQL injection: 60% of web applications are vulnerable to this threat, which would permit total data compromise
- Parameter tampering: 60% of web applications are vulnerable to this threat, which would permit fraud and altering distributions
- Cookie poisoning: 40% of web applications are vulnerable to this threat, which would open the door to stealing someone’s identity
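To make the four threat classes above concrete from a developer's side, the following added example (written for this post, not code from IBM or the Watchfire product) shows, for each class, the coding mistake a scanner would flag beside the hardened form: string-built SQL versus a parameterised query, unescaped HTML output versus escaped output, trusting a client-supplied price versus recomputing it server-side, and a plain cookie versus an HMAC-signed one. The database rows, catalogue prices and `SECRET_KEY` are constructed placeholders.

```python
import hashlib
import hmac
import html
import sqlite3

# --- SQL injection ---------------------------------------------------------

def build_db():
    """Constructed in-memory table with sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s1"), ("bob", "s2")])
    return db

def lookup_vulnerable(db, name):
    # String concatenation: the caller's input is parsed as SQL syntax,
    # so a crafted value changes the WHERE clause instead of matching a name.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(query).fetchall()]

def lookup_safe(db, name):
    # Parameterised query: the value is bound by the driver and can never
    # alter the statement's structure.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows.fetchall()]

# --- Cross-site scripting --------------------------------------------------

def greeting_vulnerable(user_input):
    # Reflects input verbatim into HTML; markup in the input becomes markup
    # in the page, which is what lets one user run script as another.
    return f"<p>Hello, {user_input}</p>"

def greeting_safe(user_input):
    # html.escape neutralises <, >, &, and quotes so input stays text.
    return f"<p>Hello, {html.escape(user_input)}</p>"

# --- Parameter tampering ---------------------------------------------------

PRICES = {"widget": 25, "gadget": 40}   # constructed catalogue

def total_vulnerable(item, qty, client_price):
    # Trusts a price field that arrived in the request; the client controls it.
    return qty * client_price

def total_safe(item, qty):
    # Authoritative price comes from the server; quantity is range-checked.
    if item not in PRICES or not (1 <= qty <= 100):
        raise ValueError("invalid item or quantity")
    return qty * PRICES[item]

# --- Cookie poisoning ------------------------------------------------------

SECRET_KEY = b"constructed-demo-key"   # placeholder; load a real key from config

def sign_cookie(value: str) -> str:
    # Append an HMAC so any edit to the value is detectable on the server.
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify_cookie(cookie: str):
    # Returns the value if the MAC matches, else None (tampered or malformed).
    value, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "x' OR '1'='1"))   # both rows leak
    print(lookup_safe(db, "x' OR '1'='1"))         # []
    print(greeting_safe("<b>guest</b>"))
    print(verify_cookie(sign_cookie("user=alice")))
```

Each `*_safe` function is the pattern a scanner's remediation advice points developers to; the `*_vulnerable` twin is what the "80%/60%/40%" figures above are counting.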
The optimal web application testing tool would give dedicated security auditors detailed information about web application vulnerabilities, and would also produce executive, management and developer reports tailored to each of those roles.
In the next blog, we will look at IBM Watchfire, which is known as the best web application vulnerability assessment software.
In conclusion, web application security testing tools are becoming more integrated into the software development lifecycle. In my future blog, I would like to evaluate the best product in this category. IBM Watchfire AppScan happens to be the market leader in this space – much more to come!