Web applications are essentially the building blocks of any web-based information system. The phenomenal growth of web-based activities on one hand, and the outbreak of severe web-based security threats on the other, prompt IT managers to put a thorough and state-of-the-art security mechanism in place to secure their web applications. However, it is common for system administrators or IT managers to have some `point security solutions' in place and/or conduct annual security audits, and then remain complacent about the security of their web applications. This paper highlights certain myths and realities of web application security approaches.
Over the past decade and a half, more and more businesses globally have been building their operations on the information `super highway', the World Wide Web, or the Internet. The benefits of having a web presence and the ubiquity of web tools and applications have wooed both small and big companies to join the network of silicon chips to deliver more value to their customers and create wealth for their owners. While this has made the front end of doing business very simple, the back end delivering the application on the Internet still has a lot of complexity and challenges. These web-based businesses run on a mesh of hundreds and thousands of web applications, distributed across various networks and physical locations, to generate, use, communicate and share tons of information on the public network. With this wealth of information moving back and forth on the web, web applications are seriously exposed to a world of security threats such as malicious code roaming the network, targeted attacks by hackers, cyber terrorism, etc. Hence, protecting the accuracy, confidentiality and accessibility of information, without disturbing its continuous flow to and fro between different networks and applications, becomes paramount. The importance of information security need not be overemphasized, especially when there are reports of security breaches every day and various regulations, such as HIPAA and Sarbanes-Oxley, mandate that organizations ensure thorough information security in their business environments.
For a typical web-based information system, web applications provide touch points for internal and external parties to communicate with the corporate database and several other resources, which hold critical data about customers, products, processes, etc. In other words, web applications provide a gateway to the internal resources of an information system (Figure 1). As organizations tighten the security of their network perimeter, hackers are focusing on weaker targets such as web applications. Further, most e-commerce sites update (i.e., change the source code of) their web applications frequently to accommodate changing business functions and product-related information. These frequent changes in source code, coupled with stringent time-to-market deadlines, increase the possibility of security holes creeping into the application, leaving it susceptible to hacker attacks. This implies that any vulnerability in a web application can prove dangerous, in the sense that hackers can exploit it to intrude into the corporate database and create havoc (fraud, site hijacking, identity theft, etc.).