
Overview of Security Issues for Web Applications

Whether you plan to offer e-commerce or simply to give your employees access to internal services, providing access to services through the Internet offers many competitive advantages over alternative methods. The lower cost of performing transactions, coupled with the opportunity to customize the user interface according to customer preferences and buying habits, is too great for businesses to ignore.

However, by exposing internal applications to the Internet, businesses are taking on many risks not normally associated with standalone applications. Companies not familiar with these risks will introduce security late into their development cycle, if at all. According to the CERT Coordination Center (http://www.cert.org), a center of Internet security expertise, the number of security incidents and vulnerabilities is not only rising every year, it's going up exponentially. If you're conducting or plan to conduct business over the Internet, these statistics should alarm you and prompt you to have an overall security policy in place as soon as possible.

The simplicity of the Internet is both a curse and a blessing. It allows customers around the world to connect to a Web site by simply typing a URL in their browser. They don't have to worry about how their requests get to us. The Internet infrastructure routes traffic to its intended destination using standard protocols such as HTTP. All our customers need to do is have a connection to the Internet and an Internet browser. However, this also gives access to our Web site to people who aren't interested in using our services or buying from us. That is, with an Internet connection, people all over the world can attempt to break into our Web site using standard Internet protocols. It's this openness of the Internet that makes it both easy to use and easy to exploit.

Additionally, it's prudent either to have full-time security personnel on your staff or to bring in an outside firm to perform a security evaluation and make recommendations. Securing corporate data should be the first priority of any software development endeavor because the cost of unauthorized access is prohibitively large. In many cases, the value of corporate data is a large percentage of the total value of a business.

Security and accessibility appear at first to be opposing goals. The most secure data resides on a machine in a protected location, with no access by anybody and without any connection to the Internet or any other network. In this situation, there's no accessibility by users—legitimate or otherwise. The idea behind setting a security policy is to keep data secure from people who have no right to view and/or alter it, without making access for legitimate users prohibitively difficult or time-consuming. Keeping data both secure and accessible is no easy matter, considering that hacking tools are readily available on the Internet and new viruses are constantly being created.

This section introduces you to some of the ways that crackers can affect normal Internet business flow. After examining exposure to risk, we offer solutions to reduce the opportunities for crackers to change the way you do business on the Internet. This section isn't meant to be a primer on securing your infrastructure, but it raises points that should be researched and implemented when extending your IT landscape toward the Internet.
