New application security attack vectors forecast

Denim Group : 08 January, 2010  (Technical Article)
Denim Group foresees a change in the way web applications are attacked and provides details of the possible attack vectors that could develop in 2010
Denim Group, an IT consultancy and strong contributor to the larger application security community, foresees shifts in the application security landscape this year. As a trusted advisor to many Fortune 500 and large public sector organizations, the firm has just announced its guidance on the top application security trends for 2010:

1. Web "Mashup" Applications Will Result in New Attack Vectors: Web applications integrating data and functionality from multiple systems are becoming increasingly more common. Unfortunately, threat models for these 'mashup' applications are rarely performed, and when they are, they are rarely understood. The accelerated pace of change for software security is moving much faster than the security practitioners' ability to provide meaningful guidance to application development teams.

2. New Data Breaches Will Force Organizations to Focus on Internal Applications as Well as External: Most organizations incorrectly assume they only need to worry about external security, but publicly-revealed data breaches of internal applications have shown that an internal network is no longer a safe haven. In 2009, known breaches caused by malicious insiders resulted in the compromise of over 1.5 million records according What is not known is the extent of incidents that were concealed or went unreported.

3. Adoption of HTML 5 and Other New Technologies Will Cause Developers to Inadvertently Build Vulnerable Applications: HTML 5 has a variety of new capabilities that can erode previously established security controls. While developers are building more ambitious applications using these new capabilities, many development teams will not consider the associated security risks of exposing HTML 5-based web applications until after their deployment.

4. Resurgence of Risk Management: Many organizations have postponed spending on software security during the recession at a potentially huge cost. As the economy improves, organizations will refocus on Risk Management rather than merely meeting compliance requirements.

5. Organizations Will Finally Start Asking, "How Are We Going to Fix These Vulnerabilities?" Security teams will shift their focus from finding vulnerabilities to working with development teams and actually fixing them. Forward-thinking organizations will treat application vulnerabilities as software defects and will leverage existing software development and maintenance practices within the organization in order to resolve security vulnerabilities.

6. Security and Development Teams Will Have Increasing Interactions: Increasing dialogue between security and application development teams will lead to improved decision-making, which incorporates Risk Management and understanding of the overall value of the enterprise.

7. Organizations Will Move Beyond Scan-Only Approaches to Application Security: Initial approaches to application security were often solely focused on automated scans of applications or code to identify technical vulnerabilities. However, targeted attackers are shifting their focus to business logic attacks on applications, and leading organizations will start to incorporate more manual testing and code reviews in order to respond to these new realities.

8. The Application Security Market Will Continue Consolidating: Further consolidation of product vendors will provide product suites with a more comprehensive range of capabilities and consistent approach. Global system integrators will identify software security as a gap in their services and will try to solve the problem through acquisition.

9. Organizations Deploying Web Application Firewalls Will Increasingly Use Them for Virtual Patching: Virtual patching involves creating targeted rules for a web application firewall based on specific known vulnerabilities. Organizations will increase their use of this practice to provide interim protection while code-level fixes are implemented.
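The virtual patching practice described in item 9 can be illustrated with a small model of a WAF rule engine. This is an added example, not Denim Group code or any vendor's rule syntax: each rule is tied to one tracked finding, applies only to the affected endpoint and parameter, uses a positive model of what valid input looks like, and carries a review date so the interim control does not silently outlive (or lapse before) the code-level fix. The endpoint, parameter name, patch id and sample requests are all constructed for the example.

```python
"""Model of WAF "virtual patching": a narrow rule per known vulnerability,
applied in front of the application until the code fix ships.
Added illustration only; endpoint, parameter, ids and requests are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VirtualPatch:
    """One targeted WAF rule tied to one tracked vulnerability."""
    patch_id: str            # hypothetical tracker id for the finding
    path: str                # the single endpoint the finding applies to
    param: str               # the request parameter the finding involves
    allowed: re.Pattern      # positive model: what a valid value looks like
    expires: date            # review date; the code-level fix is due by then


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    params: Dict[str, str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    patch_id: Optional[str] = None
    reason: str = ""


def evaluate(req: Request, patches: List[VirtualPatch], today: date) -> Decision:
    """Apply every active patch whose path and parameter match the request.

    Rules are deliberately narrow: a patch fires only on its own endpoint and
    parameter, so the rest of the application is unaffected by the rule.
    """
    for patch in patches:
        if patch.expires < today:
            continue  # past review date: the real fix should be live; see stale_patches()
        if req.path != patch.path or patch.param not in req.params:
            continue
        value = req.params[patch.param]
        if patch.allowed.fullmatch(value) is None:
            return Decision(False, patch.patch_id,
                            f"{patch.param!r} on {patch.path} failed the allow-list")
    return Decision(True)


def stale_patches(patches: List[VirtualPatch], today: date) -> List[str]:
    """Ids of patches past their review date: either the fix shipped and the
    rule can be retired, or the interim control has lapsed without a fix."""
    return [p.patch_id for p in patches if p.expires < today]


def log_line(req: Request, decision: Decision) -> str:
    """Audit record in a fixed format so blocked requests can be fed back to
    the team that owns the code-level fix."""
    verdict = "ALLOW" if decision.allowed else "BLOCK"
    ref = decision.patch_id or "-"
    return f"{verdict} {req.method} {req.path} patch={ref} {decision.reason}".rstrip()


# Constructed finding: on the statement-lookup endpoint the "id" parameter must
# be a short numeric account id until the application code is fixed.
PATCHES = [
    VirtualPatch(
        patch_id="VP-EXAMPLE-001",
        path="/account/statement",
        param="id",
        allowed=re.compile(r"[0-9]{1,9}"),
        expires=date(2010, 3, 1),
    ),
]


def check(method: str, path: str, params: Dict[str, str], today_iso: str) -> Decision:
    """Convenience wrapper: evaluate one request against PATCHES on a given day."""
    return evaluate(Request(method, path, params), PATCHES, date.fromisoformat(today_iso))


def stale_on(today_iso: str) -> List[str]:
    """Convenience wrapper: which of PATCHES are past review on a given day."""
    return stale_patches(PATCHES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    today = date(2010, 1, 8)
    samples = [
        Request("GET", "/account/statement", {"id": "12345"}),   # valid account id
        Request("GET", "/account/statement", {"id": "12345'"}),  # malformed value
        Request("GET", "/search", {"id": "12345'"}),             # other endpoint: untouched
    ]
    for req in samples:
        print(log_line(req, evaluate(req, PATCHES, today)))
    print("patches past review date:", stale_patches(PATCHES, date(2010, 4, 1)))
```

The positive model (an allow-list of what the parameter should contain) is usually more robust than trying to enumerate bad inputs, and the review date is what keeps the practice "interim": once the code fix is deployed the rule should be retired, and if the date passes with no fix the lapse is visible rather than silent.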

10. Application Security Metrics Will Provide a Foundation for Decision-Making: As enterprises increase the sophistication of their application security programs, standard metrics will evolve for costs for finding and resolving vulnerabilities as well as timeframes required to fix vulnerabilities. Forward-looking firms in more mature industries will begin sharing anonymized data to support benchmarking efforts.

"In the past, organizations have been doing what's easy as opposed to what's important, and that's going to cost them in the long run," said John Dickson, Principal of Denim Group. "For example, studies have shown that 1-3% of employees in an organization are bad apples that are prone to steal internal data, and it's naïve to think that isn't the case with your enterprise. As more security breaches happen - both internally and externally - organizations will realize that point solutions are not going to provide the increased application security they require, and to successfully confront the issue they will have to address it throughout the software development lifecycle."
