You only have to read an industry magazine, visit InfoSec or, these days, simply switch on the BBC news to understand how important an area this is and how severe the implications of poor or compromised security could be for your business, your data, your clients and your reputation.
Results taken from NTA’s 2011 Web Application Annual Report show that 25% of all web applications we tested contained at least one high-risk vulnerability. The continual pressure on organisations to make information more accessible and available can feed through to a greater potential for application security risks, with the ICO recently handing out fines of up to £500k to organisations that have experienced breaches and data loss.
Whether it’s an internal CRM or HR system containing business critical or sensitive data, or a public facing transactional website, application security is a constant battle.
But wait. It’s not all doom and gloom, and with the right guidance and good-quality manual testing, you can easily restore your confidence.
For some organisations, security is unfortunately an afterthought. But at NTA, we work with many companies who are serious about securing their data and who get us involved early in their application development cycle, so that we work alongside developers and third parties to ensure security is built in from the ground up.
For others, a false sense of security can allow application vulnerabilities to persist. Putting your faith in a weak, fully automated application scan that fails to discover all of the issues can be worse than doing no testing at all. Applications are complex, varied and business critical, so automated scanning alone is rarely adequate or appropriate.
SQL injection, cross-site scripting and data sanitisation issues are some of the more prevalent security vulnerabilities, but issues are frequently identified from all of the OWASP Top Ten categories. NTA’s Web Application Test service will identify such issues and provide advice on the most appropriate fix.
Source code reviews can also be provided if you favour this approach.
So if you have found yourself asking “At what stage should I test the application?”, “Could an attacker potentially access the back-end database?” or “Is my authentication strong enough?”, then NTA can advise on these and any other questions you have, to help you achieve your goals.
One of the team is always willing to discuss any specific requirements or questions you might have, so feel free to contact us.