I recently took some time off which gave me the opportunity to clear my head and think about some of the big issues we’re facing with Internet security. I thought if I had to pick one thing, what would be the greatest Web vulnerability out there? Then, of course, my over-analytical mind kicked in and the internal debates arose. I realized that there’s much more to this puzzle. There are technical flaws, there are operational issues, and there are user concerns – all of which contribute to or, depending on your perspective, take away from Web security.

After thinking about it some more I realized that I could indeed come up with one thing that causes the most problems on the Web. That one thing is ignorance. Not to be demeaning but rather to highlight the state of mind of those in control. From executives who control the purse strings and business culture to government bureaucrats who write the regulations to users who have the power in their hands to screw up and get themselves and your business into a bind, there are so many problems with Web security that could be fixed if we just had the attention and the buy-in of the people.

Ignorance of the issues is at the root of practically every Web vulnerability we face. Be it the technical flaws such as SQL injection and cross-site scripting or operational issues such as no standards and lack of vulnerability testing, we’re just not where we need to be with Web security. And unless and until we focus on the right target, we’ll continue to struggle with Web security. It’ll be a continuous loop of 1) develop code, 2) deploy system, 3) experience a breach or fail an audit/assessment, 4) track down the why and how of the flaws, 5) fix the flaws, 6) start all over again.

I understand that quality is a continual process. Be it with automobiles, healthcare, clothing – whatever – we have to learn from and improve upon our mistakes. That’s the way things work in most industries. I just don’t think we’re anywhere near this phase of the game when it comes to IT, software development, and information security.

Web security – and information security in general – is a choice and you simply cannot change what you tolerate. It’s time to stop ignoring the realities of what’s taking place once and for all. Anyone in management hearing this?

Kevin Beaver

Kevin is an information security consultant with 30 years of experience, providing independent security assessments and penetration tests, security consulting and virtual CISO services, writing and security content development, and speaking engagements including keynotes, panel discussions, and webinars.

  • Well said, I totally agree with you.

  • Thanks Ricardo…I’m guessing that one of these days we’ll be able to get past these issues – but it might not be during our working lifetimes.

  • RFI (Remote File Inclusion) and LFI (Local File Inclusion) seem to be blooming recently.

  • It’s all right. But this happy world of total secure web applications will only be real in the lollipop land.

    In the real world, if I need to develop, deploy, test security and start again in an “infinite” loop, I need to pass the high costs of this on to the client. If the client has a cheaper offer (no matter if less secure, they will not tell him, perhaps because they don’t know it) from another firm, he will choose it. What to do? Lose all these clients and stop eating, thinking of the great service I’m doing for the WEB?

    Security first, or money first? Welcome to capitalism!

  • Tomasofen – I totally agree. I don’t like it either when non-technical people who don’t really understand the issues make broad claims about Web security. As you said, there’s no such thing as “total secure web applications”. I love the Capitalism bit. Being a lover of freedom and Capitalism myself I say let the market work out which developers, software companies, and cloud providers who pull their heads out of the sand and build their reputations to earn the business ultimately prevail!

  • I agree, Kevin. Most companies focus on decreasing their “time to market” — usually at the expense of security. As more applications move to the cloud and are globally accessible, companies need to perform their due diligence and bake security into their development lifecycles. This will ensure that security is implemented and understood as a normal part of the process — not an additional task that creates resistance.