Web security is very complex – with a lot of unknowns. As an executive running a business with a lot of moving parts, I’m sure you can relate. There are numerous areas – both operational and technical – where web security is lacking in practically every organization regardless of skills and budget. Some have been known for years, still others have yet to be acknowledged.

Here are the top web security issues that most certainly need to be on your radar:

1. Untested systems

The web security focus is typically on the latest applications essential to running the business or increasing sales. The thing is, there are other (likely dozens) of other websites and applications running in your environment that are creating as much, if not more, business risk simply because they have not been tested for vulnerabilities. For example, I recently came across an internal website that controlled a business’s parking lot security system. This website had not been scoped for testing, nor was it on any internal network diagrams, yet it contained several security flaws that permitted anyone to login and control the system, manipulate logs to cover their tracks and so on – all via the guest wireless network that was radiating its signal outside the building. It pays to know what you’ve got and understand how it’s at risk. If it has an IP address or a web URL, it’s fair game for attack and needs to be tested eventually.

2. Production data being used in development and QA

Developers and QA professionals often use a copy of production databases when writing and testing their code. It’s typically an honest oversight but it can have serious ramifications. The thing is, the systems they’re running are often under-secured. Things like the lack of software updates, malware protection, and even exposure to anyone on the Internet put sensitive (and often regulated) information at risk. When it’s compromised, odds are that no one will ever know about it.

3. Exposed source code

Developers are some of the smartest and most reasonable people I work with. Yet they’re still human and make mistakes like everyone else. I often find prized source code (such as sensitive data, passwords, and database connection strings that form part of the code of a website), sitting, exposed, on unprotected network shares, external hard drives, and unencrypted laptop drives. I’ve even heard of it being stored on phones and emailed out via consumer email systems. This is an intellectual property breach waiting to happen. Since no one is accounting for this source code and its whereabouts, any exposure will likely go unknown.

4. Weak passwords

It’s the bane of web security. You can have the most secure code, strongest encryption, and the fanciest web application firewall, yet all it takes to expose your entire application (and data) to the world is one weak password. Oftentimes, developers will build in strong password enforcement features. The problem is they’re often disabled because “it’s an end user option”. When web users are not setup for success early on they’re going to take the path of least resistance which is usually the wrong way to go. The 2014 Verizon Data Breach Investigations Report underscores the gravity of weak web passwords. There’s simply no excuse for them.

5. Input validation flaws

On the more technical side of web security are websites and applications that do not “cleanse” or validate what’s entered into the URL or form fields. When these flaws exist, things like cross-site scripting and SQL injection can occur which allow an attacker or malware to manipulate the vulnerable web pages and gain access to things like local web browser information, user login sessions, or even the entire database. These web vulnerabilities are everywhere. The good news is they’re easy to find and relatively simple to fix.

As a business executive, it’s not up to you to find the specific issues but you do need to be aware that they exist and take the proper steps to ensure something is being done about them. If they’re not resolved, someone else with ill intent will find them for you eventually. You don’t want to be that business.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.