IT Security Vulnerabilities Caused by Web Applications
Custom business applications are increasingly attractive because they allow companies to improve employee and customer user experiences with enhanced flexibility and efficiency. Some custom business app platforms tout that “creating your own custom apps is easy, even if your programming knowledge is non-existent.” However, this ease and accessibility can lead to unanticipated security vulnerabilities.
According to Imperva, in 2018, web application security vulnerabilities increased by 23% from 2017 and by 162% from 2016. Imperva also notes that “more than half of web application vulnerabilities (54%) have a public exploit available to hackers.” Hackers can use these exploits to enter your organization’s network and access your systems.
What Are Countermeasures/Prevention Techniques?
In most situations, configuration or programming errors are the leading cause of web application vulnerabilities. These errors can be identified by performing a web application scan, a code review, or both.
Web Application Vulnerability Assessment
AAFCPAs advises clients to conduct regular web application vulnerability assessments when they have systems exposed to the internet. Exposure is of particular concern when sensitive data is accessible from the internet or when applications are developed and managed internally.
AAFCPAs’ web application vulnerability assessments identify vulnerabilities such as HTML or SQL injection, cross-site scripting (XSS), and URL redirection. When these vulnerabilities are present, hackers could modify the code or links in your web applications.
Evaluate Processes
While it is important to remediate issues shown in scan results, AAFCPAs’ Cyber Security experts advise clients to examine root causes and enhance internal processes to reduce or eliminate the recurrence of such findings. Vulnerabilities are likely the result of breakdowns in your organization’s processes. AAFCPAs evaluates clients’ existing processes related to change management and the Software Development Life Cycle (SDLC) and provides guidance to improve security measures moving forward.
Regularly Assess the Most Prominent Security Risks
The Open Web Application Security Project (OWASP) is a global nonprofit community that identifies and provides guidance on the most prominent vulnerabilities in web-based applications. The OWASP Top 10 List of Risks represents a broad consensus about the most critical security risks to web applications and is considered the ideal starting point for web application security.
AAFCPAs encourages clients—especially those who created or customized web-based application(s)—to adopt the OWASP awareness document within their organization in order to minimize these risks. AAFCPAs completes OWASP analysis for clients to improve the security and quality of their code. OWASP analysis goes beyond a web application scan to include source code review.
To schedule a cybersecurity assessment, or for specific advice on web application vulnerabilities and how to best protect your organization, please contact: James Jumes at 774.512.4062, jjumes@nullaafcpa.com; Mr. Anderson at manderson@nullaafcpa.com; or your AAFCPAs Partner.