Most web apps are open doors to hackers, says eCybersec

Tuesday, 17 June 2014

Web applications are often an open door to hackers, according to Sanjee Balasuriya, MD & CEO of eCybersec Ltd. Despite being a key tool for many organisations for handling communications and transactions, web applications are seldom secure by design.

Web hacking today is very simple to perform. The term ‘script kiddy’ describes the issue well – people with only the bare minimum of hacking skills are able to easily compromise poorly protected websites for a small profit, for recognition or just for fun. It is far removed from heap overflow exploitation on modern operating systems, where numerous built-in protection mechanisms have to be bypassed before an attacker can execute arbitrary code on a vulnerable system. Of course, advanced web hacking techniques exist, but unfortunately many websites contain pedestrian XSS and SQL injection vulnerabilities that can be easily exploited. Automated solutions (e.g. vulnerability scanners) can detect many types of web vulnerability, but they are far from perfect – despite the great progress made in scanning techniques over the last decade. This means developing web application exploits is relatively easy with readily available tools, making web applications a popular entry point for attackers seeking high-value data.

“Many are still vulnerable to SQL injection attacks, for example, meaning they can be exploited in minutes, even though this vulnerability is well known and mitigations well documented,” he said. SQL injection is believed to enable around 80% of breaches involving web applications and allows attackers to carry out a wide range of malicious activity, including malware distribution and data theft. “All the data centre security in the world is meaningless if organisations are leaving their front doors wide open by failing to secure web applications.”

Balasuriya further emphasised that there is no single way of tackling the problem. “Web application security requires a multi-faceted approach,” he said.
While the majority of enterprises understand the value of using an SSDLC (Secure Software Development Life Cycle) methodology to develop more secure applications, many struggle with the challenges of implementing the fixes for vulnerabilities identified during the testing process. Continuous web application security testing that involves human techniques would help to mitigate such application attacks. eCybersec Application Security Services allow developers without security knowledge to quickly and easily add the power of a sophisticated real-time security engine to their applications, actively preventing the most prevalent and dangerous application security threats: cross-site scripting (XSS), SQL injection and cross-site request forgery (CSRF).

Sometimes developers are working 24/7 to release a new feature in a web application before a competitor does, leaving the IT security team unable to test application security in time. This is apart from the fact that independent security testing should be an integral part of the software development life cycle. Developers and security teams are under constant pressure to release new applications and features on time, at the lowest cost and with no vulnerabilities. Most enterprises practise some form of secure SDLC, but the cycle usually breaks because of too many false positives and the lack of knowledge to remediate identified vulnerabilities.

“We, as an application security consulting company, make sure that our critical clients have peace of mind with their web applications.” eCybersec is one of the leading information security consultancy companies in Sri Lanka and provides many IT security managed services to top corporate customers.