Web Application Security Part Four - Why worry?

What's at stake if your web application is insecure? Patrick Gray explains the perils and pitfalls.

Hydrasight analyst John Brand says many organisations that outsource the development of their Web applications expect security concerns will be addressed by the developers. "By outsourcing the development of those Web applications they feel they're out of the business of software development and they're in the business of brand and process development," he says. "The security requirements become about how effective their business processes are at handling that data."

Surprisingly, Brand plays down the threat from online. "Information leakage is the biggest issue that organisations are facing, and that's something that's happening already through email, primarily, as a channel," he says. "The threats from online services are usually more to do with responding to incidents so the cost of maintaining hygiene in your systems, responding to viruses and Trojans and those sorts of things."

Brand's statement would seem to ring true here in Australia, where a high-profile hack hasn't yet completely destroyed the credibility of an established enterprise, but overseas it's a different story.

It certainly didn't help credit card processing company CardSystems' image when its entire database of credit card information was accessed by malicious attackers in 2005.

In all, the details of 40 million card holders across the world were made available to the attackers, who dutifully spent millions of dollars on fraudulent purchases with the stolen card numbers. "[CardSystems] was attacked through a SQL injection problem," says Jeremiah Grossman, the CTO and founder of WhiteHat Security. "It's a very, very common Web application problem."

CardSystems wasn't a backyard operator -- the company was a major processing hub for Visa, American Express, MasterCard and Discover. Prior to the breach, it was processing US$15 billion in transactions annually.

In the end, CardSystems was sold to another company, Pay By Touch, for US$47 million in 2005. It's not known what impact the data breach had on the decision to sell, or the company's valuation.
