Web Application Vulnerability Assessment Essentials: Your First Step to a Highly Secure Web Site
If an organization isn't taking a systematic and proactive approach to web security, and to running a web application vulnerability assessment in particular, then that organization isn't defended against the most rapidly increasing class of attacks.
Web-based attacks can lead to lost revenue, the theft of customers' personally identifiable financial information, and falling out of regulatory compliance with a multitude of government and industry mandates: the Payment
Card Industry Data Security Standard (PCI) for merchants, HIPAA for health care organizations, or Sarbanes-Oxley for publicly traded companies. In fact, the research firm Gartner estimates that 75 percent of attacks on web security today are aimed straight at the application layer.
While they're described with such obscure names as Cross-Site Scripting, SQL Injection, or directory transversal, mitigating the risks associated with web application vulnerabilities and the attack methods that exploit them needn't be beyond the reach of any organization.
This article, the first in a three-part series, will provide an overview of what you need to know to perform a vulnerability assessment to check for web security risks. It'll show you what you can reasonably
expect a web application security scanner to accomplish, and what types of assessments still require expert eyes. The following two articles will show you how to remedy the web security risks a vulnerability
assessment will uncover (and there'll be plenty to do), and the final segment will explain how to instill the proper levels of awareness, policies, and technologies required to keep web application security flaws to a minimum - from an application's conception, design, and coding, to its life in production.
Just What Is a Web Application Vulnerability Assessment?
A web application vulnerability assessment is the way you go about identifying the mistakes in application logic, configurations, and software coding that jeopardize the
availability (things like poor input validation errors that can make it possible for an attacker to inflict costly system and application crashes, or worse),
confidentiality (SQL Injection attacks, among many other types of attacks that make it possible for attackers to gain access to confidential information), and
integrity of your data (certain attacks make it possible for attackers to change pricing information, for example).