The Growing Hacking Threat to Websites: An Ongoing Commitment to Web Application Security
September 5, 2012
Authors:
Chris Rodriguez, Senior Industry Analyst, Frost & Sullivan
Richard Martinez, Research Analyst, Frost & Sullivan
Robert A. Martin, Senior Principal Engineer and Outreach Lead, MITRE
Ilia Kolochenko, CEO, High-Tech Bridge
Craig Spiezle, Executive Director & President, Online Trust Alliance
Frost & Sullivan: Web Application Security is an On-going Commitment due to Highly Dynamic Hacking Risks
The World Wide Web is the growth engine of our decade. Because the Web can make everything available to anyone, at any time, wherever they are and from whichever device they use, even century-old businesses are adopting Web-centric business models. Government information systems are also becoming Web-centric because governments, too, realise that the technology allows them to meet and exceed the expectations of citizens on smaller budgets. In essence, Web applications have become vital to almost every organisation, yet these same applications can be dangerously weak links in the network security perimeter.
Google and Amazon are well-known examples of companies that rely almost entirely on Web applications for their business; Netflix is showing the way in the home entertainment industry, and even grocery shopping is becoming Web-centric. Social networks such as Facebook have introduced gaming (e.g., Farmville), image sharing (e.g., Instagram) and other Web applications that give insight into users and their activities. Businesses are increasingly adopting social media into their marketing strategies. At the same time, services such as ICQ or MSN Messenger, which are more powerful but require additional software to be installed, are losing popularity. More and more hardware devices, from industrial equipment to telephone systems, ship with administrative Web interfaces. Ceridian Payroll & HR and Salesforce CRM are examples of essential and highly sensitive systems built on Web applications.
Since the 1990s, we have seen a steady proliferation of Web application vulnerabilities. As soon as system administrators and developers acknowledge one attack vector, hackers are already developing the next. Security research labs and vendors are implementing extensive testing methods to find and patch vulnerabilities.
For example, Frost & Sullivan found that in 2011, third-party researchers disclosed 98.3 percent of the year's total vulnerabilities, while application developers themselves disclosed only 1.7 percent. This is further validated by security labs stating that they have shifted their testing from being customer-driven to analysing all applications, primarily those that are highly valuable to businesses, widely deployed, and have a reputation for being vulnerable.
This paper puts the threat to Web applications into its proper business context. The reader is able to peek into the mysterious world of Web application hacking, catching a glimpse of how hackers work and how they are able to attack unsuspecting organisations, powerful governments and even private individuals. Finally, the paper gives an overview of the likely victims of Web application hacking and outlines what organisations should be doing to protect themselves.
The paper benefits from the insight and experience of leading security organisations and companies such as MITRE, the Online Trust Alliance (OTA) and High-Tech Bridge, which provided excellent support to Frost & Sullivan during the editing and review of the paper.