The complexity of Web application security

When we talk about Web security, we typically think about the common OWASP-type elements: SQL injection, cross-site scripting, passwords, encryption and the like. That’s fine, but those areas can’t be our only focus. There’s so much more to managing information risk that’s often overlooked.

Ask any information security manager or compliance officer and they’ll likely tell you that Web application security falls under the overall information risk umbrella. Along with network infrastructure security, endpoint security, physical security and so on, Web application security is a critical piece of the overall puzzle.

Looking at the big compliance regulations such as PCI DSS, HIPAA/HITECH and GLBA, they all cover information security best practices including:

  • Policies
  • Awareness and training
  • Authentication
  • Access controls
  • System monitoring and activity review
  • Incident response
  • Disaster recovery

The same goes for information security standards such as ISO/IEC 27002, NIST SP 800-53 and others.

Interestingly though, when it comes to Web application security, we often stop at the application-centric issues. We find and fix the SQL injection, cross-site scripting and other technical flaws and assume that’s all that’s needed for true Web application security. The reality is that these other information security best practices – the non-sexy stuff like policies, audit logging and incident response – tie directly to Web application security.

Web application security shouldn’t stop prematurely at the technical issues. No business can afford to take that risk. It’s up to us as IT, security and software development professionals to ensure Web application security is addressed at all levels.

Does your business have security policies?
If so, ensure your Web applications fall within their scope.

Do you use identity and access management processes and technologies?
If so, ensure your Web applications fall within their scope.

Does your business have security incident response and disaster recovery plans?
If so, ensure your Web applications fall within their scope.

Don’t manage information security risks in silos. That’s not a good long-term strategy for you, your business or anything else we do in IT.

Web applications are arguably one of the highest-risk components of any information security program and need to be handled accordingly. Make Web application security a big deal in your business…It is.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.