Application Risk Assessments  


One of the most critical sources of risk to organizations today resides within their Web servers. This is because Web servers and applications open systems and information for access by suppliers, partners, and customers.

Performing a security risk assessment and implementing adequate security risk management policies in this area can be critical. Compromised Web servers can damage organizations in many ways, from surrendering customer data and accepting fraudulent transactions to indirectly damaging corporate reputation as the result of a defaced homepage.

While it may seem that a myriad of bad things can happen as the result of a million different vulnerabilities, we can succinctly categorize the core ‘points of pain’ to be addressed in your Web security risk management plan in a few primary areas:

• Default configuration
  Web servers often are installed with default configurations that may not be secure. These insecurities include unnecessary samples and templates, administrative tools, and predictable locations of utilities used to manage servers.
  
  
• User input validation
  To be considered useful Web sites and applications must be interactive. However, Web applications that do not perform sufficient validation of user input screens allow hackers to directly attack the Web server and its sensitive databases. Invalid input leads to many of the most popular attacks.
  
  
• Encryption
  It is a sad fact that although modern encryption algorithms are virtually unbreakable, they are underutilized. In years past, performance considerations were cited as a factor in limited usage of encryption. However, today’s high-performing CPUs and specialized cryptographic accelerators have broken down the price/performance barriers related to encryption. The issue with limited encryption has more to do with poor application design and a lack of awareness among developers.
  
  
• Session management
  Another factor one should consider when developing a security risk management plan is that many Web applications do a poor job of managing unique user sessions. This can include using weak authentication methods, poor cookie management, failure to create session timeouts, and other session weaknesses. This often leads to session hijacking and other compromises of legitimate user identities.
  
  
• Maintenance
  Failure to implement security risk management policies that keep Web servers updated with the latest vendor patches, as well as neglecting to perform continued testing of proprietary Web applications, creates additional risk.

Usually all of these issues are the result of improper due care within the Web application development and maintenance process. In organizations where security is not ‘baked in’ to both the business planning and application development processes, there can be an appalling lack of awareness of the need to incorporate security best practices from day one. This is a dangerous situation, and the results of the general lack of awareness about the risks associated with Web servers and applications are evident from the weekly headlines reporting stolen consumer and corporate information.

The best way to avoid such disasters is to establish an ongoing security risk management process that begins with quantifying the value of Web applications, as well as the data they manage, through a complete security risk assessment. Organizations then must continuously identify and mitigate the vulnerabilities and risks associated with those systems from the beginning and throughout their lifecycle: from development through production.

This approach to security risk management—consistently performing a security risk assessment, then identifying and remedying vulnerabilities by correcting application development errors, applying security patches, and fixing system misconfigurations—will lead organizations to continuous improvement of their business-technology infrastructure and a thorough reduction of risk.

 Assessment Services  

• Global IT Security Assessments
• Enterprise IT Risk Assessments
• Application Risk Assessments
• Policy Development