The complexity of web application security

When we talk about Web security, we typically think about the common OWASP-type elements: SQL injection, cross-site scripting, passwords, encryption and the like. That's fine, but those areas can't be our only focus. There's so much more to managing information risks that's often overlooked.

Ask any information security manager or compliance officer and they'll likely tell you that Web application security falls under the overall information risk umbrella. Along with network infrastructure security, endpoint security, physical security and so on, Web application security is a critical piece of the overall puzzle.

Looking at the big compliance regulations such as PCI DSS, HIPAA/HITECH and GLBA, they all cover information security best practices, including:

  • Policies
  • Awareness and training
  • Authentication
  • Access controls
  • System monitoring and activity review
  • Incident response
  • Disaster recovery

The same goes for information security standards such as ISO/IEC 27002, NIST SP 800-53 and others.

Interestingly, though, when it comes to Web application security, we often stop at the application-centric issues. We find and fix the SQL injection, cross-site scripting and other technical flaws and assume that's all that's needed for true Web application security. The reality is that these other information security best practices, the non-sexy stuff like policies, audit logging and incident response, tie directly into Web application security: a flaw that nobody can detect, that no policy covers and that no response plan addresses is a flaw the business is carrying whether or not it has been found yet.

Web application security shouldn't stop prematurely with the technical issues. No business can afford that gap. It's up to us as IT, security and software development professionals to ensure Web application security is addressed at all levels.

Does your business have security policies?
If so, ensure your Web applications fall within their scope.

Do you use identity and access management processes and technologies?
If so, ensure your Web applications fall within their scope.

Does your business have security incident response and disaster recovery plans?
If so, ensure your Web applications fall within their scope.

Don't manage information security risks in silos. That's not a good long-term strategy, not for you, not for your business and not for the IT function as a whole.

Web applications are arguably among the highest-risk components of any information security program and need to be handled accordingly. Make Web application security a big deal in your business. It is one.

Kevin Beaver

Kevin is an information security consultant with 30 years' experience, providing independent security assessments and penetration tests, security consulting and virtual CISO services, writing and security content development, and speaking engagements including keynotes, panel discussions and webinars.