Samuel Johnson, an 18th century lexicographer, once said “The chains of habit are too weak to be felt until they are too strong to be broken.” That’s precisely what we’re seeing with web security today. We get caught up in our day-to-day work and the big web security issues sneak up on us until one day we realize we have a crisis on our hands and then wonder how it all came about.

The funny thing is, we know the common vulnerabilities associated with web security: SQL injection, cross-site scripting, weak session management, and the like. We also have the tools to uncover these flaws and detect the exploits. Yet we often don’t take the time to look behind the scenes at what’s actually causing the problems to begin with.

You’ll find that the root causes are not some far-reaching technical dilemmas but rather issues brought on by living, breathing beings with hair on top. Here are six core causes of web security risks impacting practically every business today along with what needs to be done:

1. Ignoring where your sensitive information is processed and stored, and not clearly understanding how it’s at risk in your web environment

Dig into these two areas and you’re halfway there. Keep the momentum up moving forward.

2. Underutilization of existing network and web security tools

Be it web server logging, application-aware firewalls, patch management, or web vulnerability scanners, the tools and insight are often available. The problem is they’re under-implemented or not being used properly. Get to know your tools, take formal classes on how to use them as intended, or outsource the functions altogether.

3. Improperly managing time and resources on the part of IT staff

IT staff (network administration, security, development, etc.) often try to be everything to everyone without knowing their limits. You have to take the time to learn how to prioritize and better manage what’s being thrown your way. If you don’t, you’re destined to achieve someone else’s goals.

4. Running scans and patching the holes without diving into the details of what your tools are trying to tell you

Sure, your scanners highlight technical flaws but they also show you operational issues that need attention in and around development, system management, and general IT oversight.

5. Assuming that someone else is taking care of things

It happens when responsibility and accountability are deflected to the cloud, and it happens when companies rely on basic PCI DSS scans to ensure the resiliency of their enterprise. Take charge, or step aside and let someone else do it.

6. Misunderstanding the larger goals of the business and what management needs to hear and see

Most communication about web security is lost in the noise that IT pros throw management’s way. Learn the business and learn to become a better communicator. Otherwise you’re doomed to keep repeating the same mistakes and enabling the cycle of web security mismanagement.

The challenges you’re facing are not unique. It’s basic human nature that seems to impact everyone working in and around web security. That still doesn’t make it right. In the end, there’s really nothing new with web security. One thing is certain: we definitely cannot fix the underlying issues we don’t acknowledge. As with our personal well-being (diet, mental health, etc.), unless and until we address the root causes of the problems we face with web security, we’ll continue to struggle with the effects.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.