It’s that time of year for us to get inundated with all those Top 10 lists to help us achieve this, prevent that and so on. Those lists are valuable indeed, especially if you need some motivation to get your year started off on the right foot. So, in the same vein, I thought I’d put together a list of things you (and management) can do in order to experience the splendor of a Web-related security breach in the New Year. Some are technical issues, some operational; here they are in no particular order:

1. Don’t bother enforcing strong passwords or intruder lockout in your application. They’ll just get in the way of your users and lead to increased customer support calls.

2. Put a Web application firewall in place to cover up known SQL injection issues and similar problems.

3. Ignore those padding oracle vulnerabilities that keep cropping up. Someone will probably patch the server eventually anyway.

4. Use production data in development, QA, and staging – especially if it contains PII. Ideally, keep your development and QA servers unhardened with no patches, weak/default passwords, and open server shares to help malicious insiders gain access. A well-positioned staging server with a similar configuration accessible via the Internet is good too.

5. Assume, like many others, that Web-based malware couldn’t really affect your code. An added benefit would be to not install anti-malware software on your servers. It’ll just slow them down.

6. Web services are hidden from hackers, so there’s no need to test how they hold up to attacks.

7. Don’t manually test your applications for flaws or even bother to validate what your Web vulnerability scanner turns up. It just takes too much time and requires too much brain power.

8. Rely on vendor promises that your systems are secure in their facilities. This is especially true if they have one of those SAS 70 Type II audit reports that people are oh so eager to hand out when questioned about security.

9. If you’re lucky enough to have a lawyer representing your business, let him or her handle all the contractual stuff affecting your Web presence. From hosting SLAs to software development contracts, legal counsel should be trusted to do the right things for the business without getting IT involved.

10. Focus your efforts on pleasing your compliance manager and internal or external auditors. As long as they’re happy, that’s usually a good indicator of overall security health.

Seriously, folks, these are actual issues I’ve seen in my work, but obviously they’re things you should strive to avoid. Whatever your perspective, Web application security is a minefield to say the least, so watch where you step. Here’s to a great – and secure – New Year!

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.