Why are Web applications out of the loop when it comes to contingency planning? Look at any given security incident response or disaster recovery plan (assuming they even exist) and chances are business critical Web applications and related systems are missing. At least that’s what I’m seeing.
So let me get this straight, Web applications are 1) front and center in most businesses’ Internet presence and IT operations, 2) often have multiple holes that can be exploited for ill-gotten gains, and 3) would likely impact the bottom line if they became unavailable for any given period of time. Yet network managers and security administrators continue to focus their efforts on the network infrastructure. If a breach occurs or an unplanned outage takes place, then by golly the network perimeter isn’t going anywhere. The VPN will stay live, critical internal servers will fail over as planned, and most certainly email’s not going away! Everything is good – well, almost everything.
But what about Web applications? With both external and internal components which would undoubtedly be affected during an incident or disaster are we just going to cross that bridge when we get there? Some may rebut this statement by claiming “Our applications are hosted by a third-party and they have a SAS 70 audit every year so we’re good.” Seriously!? I’ve actually heard this before – from several people in businesses large and small across various industries. I understand that vendors love to tout SAS 70 audits and lawyers like to defer risk to third-parties when they can. But when something bad arises, there’s no audit report, contract, or SLA in the world that’s going to get your business out of a bind. No such document will clean up your business’s tarnished image and nor will it bear the burden of the additional hours that IT, customer service, and others inside your organization will likely have to take on.
My point is, get more involved with your Web applications regardless of where they’re located. A hack, a tornado, you name it will be your problem when it occurs. Be sure to include not only the technical side of your Web applications in your ongoing security tests but also the operational side as well. If you look hard enough you’ll likely find your business is a seemingly small incident away from getting into it real deep.
Keep in mind that most contingency plans (again, assuming they exist in the first place) fail due to lack of sufficient breadth, lack of organization, lack of maintenance, and lack of testing and subsequent refinement. Maybe over the next six months you continue on with your Web vulnerability scans (you’ve got to have them) but perhaps you focus more of your efforts of the soft side of the equation. Risks in that area can surely bite just as hard.