Web application security

Patrick Gray commences a five-part examination of web application security.

These days, enterprises from insurance companies to airlines are rolling out Web applications to allow deeper interactions between their IT systems, customers and partners. The result is, in effect, the transformation of organisations from traditional enterprises into software publishers.

But gone are the days of merely securing Web server infrastructure to thwart would-be attackers.

Today, Web applications are a complicated business, with all sorts of companies making sophisticated -- and almost certainly buggy -- applications available online.

"The world changed overnight. We still suffer from the same IIS and Apache issues from time to time, but more often than not it's the custom Web applications that are the big problem," says Jeremiah Grossman, the CTO and founder of WhiteHat Security in the United States.

Grossman's warning rings true because Web servers were once isolated from data stores. But a true demilitarised zone, a segment of the network completely isolated from a company's sensitive data, is no longer an option for the modern enterprise seeking to make the most of Web applications, because the whole point of a Web application is to let people into your network, not to keep them out.

It's a proposition that would have scared the pants off any reasonable CIO or CSO even five years ago. Yet here we are; mortgage brokers can log into banking systems online, orders and flights can be booked with a few mouse-clicks and packages tracked and re-routed across the globe.

It means securing Web application code has never been so important. "You want to find and fix the vulnerabilities you have in your system because everybody has them, and you want to find them and fix them before the bad guys exploit them," Grossman says.

Tomorrow: Past attacks on web applications
