Do You Need a Web Application Security Assessment?
“My web server was tested in our last network vulnerability assessment. Do I need a separate web application security assessment?”
We get asked this question often. The (not so) simple answer is… it depends. Network vulnerability assessments typically identify vulnerabilities in the host operating system and web server software. Web application security assessments, on the other hand, identify coding and logic flaws within the security framework of web applications. A comprehensive web application testing methodology takes into account user roles, business logic, and application context – three things that automated vulnerability scanners don’t do well. Consequently, your network vulnerability assessment probably won’t provide much feedback in these areas.

In short, the more complex and interactive the web application and the more sensitive the data managed by the application, the more likely you are to need a dedicated web application security assessment. Ask yourself the following questions:
- Does my website host dynamic content?
- Does my web application require user authentication?
- Does my web application support multiple user roles with different access levels?
- Can visitors to my website create accounts and log into my web application?
- Are users allowed to post content on my website (e.g. forums, member pages, etc)?
- Does my web application operate on sensitive or confidential data?
- Does my web application display or provide access to confidential information?
- Does my web application use custom-developed software components?
- Have I made any updates to my web application since my last assessment (in the event that you’ve already had a web application security assessment performed)?
The more questions you can answer with a “yes”, the more you’ll benefit from a web application security assessment. If your application involves financial data or transactions, medical records, student records, or other personally identifiable information, a separate web application security assessment may be required to satisfy legislative and industry requirements (PCI, HIPAA, FERPA, etc).
You should also look beyond the login page when assessing the strength of your web application. Software development teams often focus on the security of externally-facing components (such as login pages) while overlooking the security of the functionality that sits behind them. Using legitimate or compromised user accounts, attackers frequently exploit these internal vulnerabilities, as was evidenced by the recent attack on the Citigroup website (http://www.nytimes.com/2011/06/14/technology/14security.html?_r=2). This is another case where a methodical web application security assessment (along with tighter change control management processes) would likely have prevented such an attack.
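The flaw class described above, an authenticated user reaching data that belongs to someone else because the application only checked that they were logged in, is exactly what a role-aware assessment looks for and an automated scanner tends to miss. The following is an added example written for this post, not code from the original article or from any site it mentions. It models a tiny account viewer with constructed users and accounts: one handler that trusts the requested account id after login, one that also enforces role and ownership, and a small role-matrix check that exercises every user against every account, which is the manual test a scanner does not perform.

```python
"""Added example (not from the original post): a per-object authorization
check and a role-matrix test for post-login access flaws.
All users, roles and account data below are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two customers and one support agent.
ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "alice", "balance": 2500},
    1002: {"owner": "bob", "balance": 80},
}
USERS: Dict[str, dict] = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "carol": {"role": "support"},
}


@dataclass
class Request:
    user: str        # authenticated username (login has already succeeded)
    account_id: int  # account the user asks to view, e.g. taken from the URL


def view_account_vulnerable(req: Request) -> Optional[dict]:
    """Only checks that the caller is logged in. Any authenticated user can
    read any account simply by changing account_id (horizontal privilege
    escalation); the login page itself is not the weak point."""
    if req.user not in USERS:
        return None
    return ACCOUNTS.get(req.account_id)


def view_account_hardened(req: Request) -> Optional[dict]:
    """Checks the caller's role and ownership of the specific object.
    Support staff may view any account; customers only their own."""
    user = USERS.get(req.user)
    if user is None:
        return None
    account = ACCOUNTS.get(req.account_id)
    if account is None:
        return None
    if user["role"] == "support" or account["owner"] == req.user:
        return account
    return None


def access_matrix(handler) -> Dict[Tuple[str, int], bool]:
    """Run every (user, account) pair through a handler and record whether
    access was granted. This is the role-matrix check a manual assessment
    performs, using each user role the application supports."""
    return {
        (u, a): handler(Request(u, a)) is not None
        for u in USERS
        for a in ACCOUNTS
    }


def find_unexpected_access(handler) -> List[Tuple[str, int]]:
    """List (user, account) pairs where a customer can read an account they
    do not own. An empty list means the handler enforces ownership."""
    granted = access_matrix(handler)
    return sorted(
        (u, a)
        for (u, a), ok in granted.items()
        if ok and USERS[u]["role"] == "customer" and ACCOUNTS[a]["owner"] != u
    )


if __name__ == "__main__":
    print("vulnerable:", find_unexpected_access(view_account_vulnerable))
    print("hardened:  ", find_unexpected_access(view_account_hardened))
```

The design point is that the authorization decision is made per object (role plus ownership of the specific account), not once at login. The matrix check is deliberately exhaustive over roles and resources because that is the part of the work that needs knowledge of the application's business logic, which is why it belongs in a dedicated web application assessment rather than a network scan.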
Keep in mind that just because your application doesn’t operate on sensitive user data, that doesn’t mean that you aren’t at risk. Malicious users leverage vulnerable websites and web applications to launch phishing attacks and to distribute malware. Tolerating such activity can land your website on Internet blacklists and bring you unwanted publicity. Performing a web application security assessment now could save you considerable time and money down the road.
Categories: Web Applications, Website Security