Risks, Threats and Vulnerabilities

According to SANS (2009), attacks against websites and web applications constitute more than 60% of the total attacks observed on the internet. The risk of attack is generally based on the probability that a threat of some kind will exploit a vulnerability or weakness in a system or network. In recent years, many businesses that conduct online activities have taken these risks more seriously. As a software developer for a management consultancy firm here in the Washington DC area, it is my job to write software that is secure and safe to use at federal agencies. Our organization's I.T. department enforces strict policies for hosting web applications. Our hosting team routinely carries out security testing, which involves testing the software to ensure that it will "continue to function correctly under malicious attack" (McGraw, 2010).

In my experience a risk is any chance that one of our systems will come under attack, whether for destructive purposes or to steal sensitive data. Whether or not an attack is successful depends on vulnerabilities, which provide opportunities to the cybercriminal. The most common vulnerability in web applications stems from a lack of validation or sanitization of the data sent to the application, which allows malicious code to be submitted as input. Bergeron et al. (2001) describe malicious code as "pieces of code that can affect the secrecy, the integrity, the data and control flow, and the functionality of a system." The two most common attacks come in the form of cross-site scripting and SQL injection, both of which take advantage of vulnerabilities in the systems they target. As a developer I continually try to keep myself updated on the most common security vulnerabilities inherent in web applications. The major threats we face as an organization are attacks from individuals or groups who seek to steal sensitive data, whether for profit or for ulterior reasons. It is therefore essential that the development, system administration and management teams are all aware of these threats, so that awareness of potential vulnerabilities translates into action that mitigates risk.
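As an added example (not code from the original post), the following Python illustrates the two flaws named above, SQL injection and cross-site scripting, each beside its hardened form; the SQLite table contents and the inputs are constructed for illustration.

```python
# Added example: both vulnerability classes stem from untrusted input being
# mixed into a query or a page without validation. Standard library only;
# the in-memory table and the sample inputs are constructed.
import html
import sqlite3


def make_db():
    """Constructed sample table: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Unsafe: the request parameter is concatenated into the SQL text, so
    the query's structure (not just its data) is under the caller's control."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Safe: a parameterized query keeps data and query structure apart; the
    driver binds the value, so quotes inside it are treated as plain text."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_vulnerable(name):
    """Unsafe: untrusted text is interpolated straight into HTML, so any
    markup it carries becomes part of the page (cross-site scripting)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_hardened(name):
    """Safe: escape for the HTML context before interpolating."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A quote in the input rewrites the vulnerable query's WHERE clause
    # (every row comes back); the parameterized query matches nothing.
    tainted = "x' OR 'a'='a"
    print(lookup_vulnerable(db, tainted))
    print(lookup_hardened(db, tainted))
    print(render_greeting_hardened("<b>bob</b>"))
```

The same idea generalizes to every context where untrusted data meets an interpreter: bind or escape for that context rather than trying to filter the input.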

References:

  1. Bergeron, J., Debbabi, M., Desharnais, J., Erhuioui, M., Lavoie, Y., & Tawbi, N. (2001). Static detection of malicious code in executable programs. International Journal of Requirements Engineering. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.102.6845&rep=rep1&type=pdf
  2. McGraw, G. (2004). Software security. IEEE Security & Privacy, March/April 2004, pp. 80-83.
  3. SANS (2009). The top cyber security risks. Computer Security Training, Network Research & Resources. Retrieved from http://www.sans.org/top-cyber-security-risks/

About the author

Ian Carnaghan

I am a software developer and online educator who likes to keep up with all the latest in technology. I also manage cloud infrastructure, continuous monitoring, DevOps processes, security, and continuous integration and deployment.
