ISACA offers new advice on web application security strategies

Marc Vael, director of the Knowledge Board and Chairman of the Cloud Computing Task Force at ISACA, makes the point that the use of web applications has soared recently, due to the significant value they can add to enterprises. However, so have the dangers. Entitled Web Application Security: Business and Risk Considerations, ISACA's new white paper applies to all types of software development activities. "Organisations are performing more and more high-value or highly confidential transactions through the Internet, thanks to the many new opportunities and benefits. But in many cases we notice that executive management is not fully aware of the real security risks," comments Vael. "On the contrary, managers tend to push hard to go ahead and launch the web solutions, even when these are not properly tested. Thus, a lot of assumptions and a false sense of trust reigns in many organisations on the security of their web applications, until it is too late," he adds. However, web application vulnerabilities open the door to the exploitation of sensitive corporate information, disruption of service and theft of intellectual property, he says, citing SQL injection, cross-site scripting, insecure direct object reference, information leakage and insufficient anti-automation. Key strategies suggested for addressing web application risk in ISACA's new guidance include: security measures must be mandatory components; programmers must be trained in secure coding techniques; robust quality assurance process must be in place; deployed applications must be continuously monitored for newly discovered vulnerabilities; and decisive action must be taken to address vulnerabilities found. "In order to challenge the security expectations, ISACA highly recommends [you] review the web application security for all active solutions in order to find out where it can be improved in a tangible manner," advises Vael.