According to a recent study by Scott + Scott, a law firm based in Connecticut, 85% of businesses in the U.S. have experienced some sort of data breach, a factor that places the personal information of millions of consumers at great risk. Unsurprisingly, most of the companies involved in the study were exploited over the web, with the leading cause being insecure servers and applications. These vulnerabilities are what result in the loss of bank account numbers, credit card details and Social Security numbers while putting billions of dollars in jeopardy. Although various security mechanisms are available to limit these exploits, the typical components such as firewalls and intrusion detection systems simply aren't enough.
Intruders are just as aware as the webmaster of the critical information that can be accessed through an application. In many cases, their entry and overall success can be attributed to numerous factors. Those conscious of the roaming threats typically monitor network perimeters with firewalls and intrusion detection systems. However, these components do little against exploits that arrive over ports 80 and 443, which must remain open to support SSL and protect online transactions. To an intruder, these open ports are open doors that enable website attacks in a number of different ways. Most network firewalls are configured to secure only the internal perimeter, leaving the company open to a wide range of attacks. And while both intrusion prevention and detection systems are somewhat more effective, they do not fully inspect a packet's contents at the application layer. Without an additional layer of security, a knowledgeable intruder can penetrate a web application with relative ease.
An organization dedicated to improving the security of web-based applications, OWASP (the Open Web Application Security Project) recently published a list of the ten most common vulnerabilities in today's applications. The potential threats are associated with the following:
1. Cross-site scripting
2. Server-side scripting errors
3. The execution of malicious code
4. Insecure direct object reference
5. Cross-site request forgery
6. Improper error handling and data leakage
7. Penetration of authentication and session management
8. Vulnerable cryptographic storage
9. Insecure web communications
10. Failure to restrict write permissions and URL access
The Web Application Security Consortium (WASC) has validated OWASP's top five application vulnerabilities through the testing of 31,373 sites. Additionally, the Gartner Group reports that 97% of the more than 300 sites studied in a survey were found to be vulnerable to application attacks. The same study also revealed that 75% of today's web attacks occur at the application level.
The numbers indicate that most e-commerce sites are easy targets for an array of attacks. While proper coding is the key to prevention, one of the best methods of defense against application exploits is a web application scanner. This type of tool protects both applications and servers from intruders by crawling through the site and analyzing every piece of content. Such products conduct various tests along with simulated application attacks throughout the scanning process. If genuine security holes are detected, reports are produced that detail the severity of each vulnerability. Security experts recommend using a scanner that offers a technical, in-depth explanation of each vulnerability detected along with appropriate suggestions for eradicating them.
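As an added example (not code from the original article or from any scanner vendor), the crawl-and-analyze loop described above, run offline over a constructed three-page site: the URL names, page bodies and the harmless probe marker are all made up here, and the checks cover two of the listed OWASP items (cross-site scripting and improper error handling).

```python
import html
import re
from dataclasses import dataclass

# Constructed harmless marker a scanner submits in a parameter to see how input is echoed.
PROBE = "<zq9canary>"

# Constructed mini-site: URL -> HTML the server returns when PROBE is sent as a parameter.
SITE = {
    "/": '<a href="/search">search</a> <a href="/account">account</a>',
    "/search": 'Results for <zq9canary>: none found. <a href="/">home</a>',
    "/account": 'Hello &lt;zq9canary&gt;<br>Traceback (most recent call last):\n  File "app.py", line 12',
}

# Signatures of server-side error output that leaks implementation details.
LEAK_PATTERN = re.compile(
    r"Traceback \(most recent call last\)|ORA-\d{5}|You have an error in your SQL syntax|"
    r"at [\w.$]+\(\w+\.java:\d+\)"
)

@dataclass
class Finding:
    url: str
    issue: str
    severity: str
    evidence: str

def crawl(site, start="/"):
    """Breadth-first crawl that follows href links and returns every reachable URL once."""
    seen, queue = [], [start]
    while queue:
        url = queue.pop(0)
        if url in seen or url not in site:
            continue
        seen.append(url)
        queue.extend(re.findall(r'href="([^"]+)"', site[url]))
    return seen

def analyze(url, body):
    """Analysis step for one page: report findings with a severity rating."""
    findings = []
    # Probe echoed verbatim: the browser would parse attacker-controlled markup (high).
    # Probe echoed HTML-encoded (html.escape) is the safe case and is not reported.
    if PROBE in body:
        findings.append(Finding(url, "Reflected input is not HTML-encoded (cross-site scripting)", "High", PROBE))
    leak = LEAK_PATTERN.search(body)
    if leak:
        findings.append(Finding(url, "Error page leaks implementation details", "Medium", leak.group(0)))
    return findings

def scan(site):
    """Crawl the whole site, then analyze every page reached."""
    return [f for url in crawl(site) for f in analyze(url, site[url])]
```

Running `scan(SITE)` yields one High finding for /search and one Medium finding for /account, while / is clean because its links are the only content.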