Skip naar inhoud

Can a web app ever be truly secure?

Wilt u deze bijdrage aanbevelen? Dat kan via:

Despite the wealth of vulnerability detection tools and practices, there remains a vast array of web application security breaches
Given the devastating consequences of a vulnerability breach – including loss of trust, brand damage and financial sanctions – it is perhaps no surprise how much software security is talked about and worried over.
Secure applications and data privacy are regularly a top-level concern of all organisations, no matter their market sector, size or geography. Barracuda’s State of application security in 2021 report surveyed 750 application security decision-makers representing organisations with 500 or more employees globally from the US, Europe and the Asia Pacific region. It points conclusively to the vulnerabilities of web applications when it comes to the breaches that organisations experience through their software applications.

This is not a surprising outcome given the dominance of web applications and the global transition to remote, online working. But web applications have been a constant source of vulnerability since the early days of the internet. The rise of rich internet applications, paving the way for intuitive, any time, anywhere engagements on any device has exacerbated the situation.

The reality is that web applications present too easy a vulnerability point because of what development teams do – and don’t do. There are too many basic security vulnerabilities because development teams and their security auditors leave themselves wide open. For example, by not covering up the tracks to common folder locations where sensitive information can be obtained, they allow an enterprising hacker to gain easy access.

Disconnects in the security posture between different teams present gaps that can be exploited. For too many organisations, there is still too little sharing of either the security policies or the checklist of common vulnerabilities on which teams are regularly caught out.

We know that the landscape of attack vectors is constantly changing. Barracuda’s survey highlighted bot attacks, API security and software supply chain attacks. But there is a list of golden oldies that continue to be stubbornly prevalent – cross-site scripting, cookie poisoning, session hijacking, credential stuffing and SQL injection, to name but a few.

It is hard not to be critical of the developers of web applications. There are, after all, numerous studies pointing to their culpability in building in or leaving vulnerabilities. Yet, they are aware of the importance of making web applications secure, given that these apps are such a common access point for cyber crimes.

For all those who care about meeting the expectations of clients, whether they are inside or outside the organization, one of your top priorities should be to reduce risk in the web applications you develop.

There are many suppliers that can provide tools and audit services that can take web application security and privacy to a higher order of operation and robustness. The numerous products built on open source support provide cost-effective access. A strong testing regime is essential. This needs to be underwritten by automated support to allow for more effective and faster test coverage.

Two important bodies, the SANS Institute and OWASP, have worldwide recognition in monitoring and providing the leading security checklists for web application design. OWASP has embarked on a secure headers project that delivers HTTP response header descriptions that, if used, will help increase the security of applications.

Behind the need for security education, training, tools and best practices lies a simple fact: continuous checking not only helps to plug the gaps, it also creates an environment for speedy detection and resolution.

Enlightenment comes from knowing that vulnerabilities will always exist because nothing is infallible. Ultimately, giving development and security teams the time and space to regularly check with the right best practices and tools in place will reinforce the security of web applications considerably.

Lees ook:

Help een jongere zijn studie door, doneer nu je oude laptop.

Het zal u vast nog niet ontgaan zijn, maar door de hoge inflatie is alles duurder geworden. In sommige gevallen zelfs te duur, zoals een nieuwe laptop voor een studie.

Wat wil en wenst de ontwikkelaar?

In een krappe ict-arbeidsmarkt is het voor werkgevers interessant te weten wat er onder ontwikkelaars leeft. Bedrijven die de juiste tools bieden, hebben een streepje voor. Een internationaal onderzoek onder ruim zeventigduizend ontwikkelaars uit de Stack Overflow-community geeft inzicht in de trends. Dit rapport is bij recruiters dan ook niet onopgemerkt gebleven. Ze krijgen zo een beeld van hoe developers leren en meer kennis vergaren, welke tools ze gebruiken en waaraan ze behoefte hebben.

TNO: Europa kan tech-overmacht VS en China doorbreken

Zet vol in op de ontwikkeling van 6G, maak Gaia-X volwassen, loop voorop met edge computing en omarm open technologie. Dit zijn enkele aanbevelingen van TNO om in Europa de overheersing van Big Tech en Chinese (5G-)bedrijven te doorbreken.

Subpostmaster campaigning forces government to set up compensation scheme and make interim payments

Subpostmaster campaign group is a step closer to achieving what it was originally set up to do as government launches compensation scheme for its members who did not receive fair payouts

Advies: wacht met 3,5 GHz tot Inmarsat weg is

Het duurt waarschijnlijk tot eind 2023 voordat de 3,5-GHz-frequentieband beschikbaar komt voor openbare mobiele-communicatiediensten. Er is weliswaar veel vraag naar extra frequentieruimte, maar op de daarvoor afgesproken 3,5-GHz-band kan dat storen met noodoproepen van de lucht- en zeevaart. Het ministerie krijgt het advies te wachten totdat satellietbedrijf Inmarsat is verhuisd van het Friese Burum naar Griekenland.

Na sase komt sse (security service edge)

Security service edge (sse) is de evolutie van het sase-framework van Gartner. Door de letter ‘A’ (voor ’access) te verwijderen, wordt duidelijk dat het netwerk niet langer wordt beschouwd als onderdeel van een beveiligingsoplossing. Het is slechts het mechanisme dat de datastromen naar het security- en controleplatform transporteert.

Wilt u deze bijdrage aanbevelen? Dat kan via:

Klaar voor de beste oplossing voor uw IT & ICT-situatie?

Ik heb mijn wachtwoord gewijzigd in “onjuist.” Dus wanneer ik vergeet wat het is, zal de computer zeggen: “Uw wachtwoord is onjuist.”