The evolution of the internet, its growth as a medium for commerce and the vast proliferation of web-enabled applications, portals and interfaces, brings with it a myriad of security challenges. It would be very hard to cover them all off in one column, so instead I want to focus on a particular area, that of web-enabled devices.

The idea of web enabling various devices to allow remote management and support has been around for some time now. That being the case, you might think organisations have a pretty good handle on web security.

However, judging by the numerous stories of hacks that exploit poor coding using common and long-known techniques such as cross-site scripting (XSS) and SQL injection, combined with a continuing failure to integrate web security testing into the change and configuration management process, we can see this is not necessarily the case.

Add to this the almost meteoric rise of the new kid on the block, the internet of things (IoT). Almost everything we now interact with, at home and at work, is connected to the IoT. Much of it is still viewed as a commodity buy, and as such languishes in the “unloved” category, not getting the organisational focus it needs.

I am thinking about web-enabled physical systems that, for one reason or another, sit outside of IT and cyber security teams in many organisations and so are not part of lifecycle management, patching and change management processes.

Yet they are connected to our organisations, sometimes to partner organisations, and to the internet. We enjoy the benefits of these systems every day: air conditioning, door entry systems, building management systems, maintenance portals for suppliers, and so on. But it is rare indeed for them to be cared for with the same regularity and comprehensive planning as our accepted “corporate” networks and systems.

These web-facing systems can present a threat in a variety of ways, but our lack of holistic focus allows them to loom large on the threat landscape, as they sit with facility management, with physical security teams or with an external supplier.

Bringing risk from all systems together to be measured and mitigated is the way to approach this threat. They need to enjoy the same level of care as the rest of our corporate systems and any connected systems, be they internal or external. They need to be properly and pragmatically risk-assessed in order to ensure that security is consistent and that all teams who manage them are on the same page.

The cracks between physical and traditional “IT” systems will continue to be exploited unless we choose to think differently about protecting them.