04.04.16
Web application security in the public sector
Advertorial Feature
With the uptake of cloud computing and the advancements in browser technology, web applications and web services have become a core component of many business processes, and therefore a lucrative target for attackers. Over 70% of websites and web applications however, contain vulnerabilities that could lead to the theft of sensitive data, credit cards, customer information and Personally Identifiable Information (PII).
High profile cyber-attacks regularly make the headlines, exposing citizens to financial loss and worry, and costing organisations millions. Consequently web security is becoming higher on the IT agenda for UK organisations in both the private and public sectors – particularly those with a cloud-first approach. According to PWC's latest Global Economic Crime Survey, over half of UK organisations say they expect to be the victim of cyber-crime in the next two years, suggesting it will become the UK’s largest economic crime.
The statistics
The UK 2015 information security breaches survey (carried out by Department for Business, Innovation and Skills published in June 2015) noted that a staggering 90% of large organisations surveyed, admitted to having experienced at least one data breach within the last year, with 74% of small business reporting a breach. The most severe online security breach for big business reached a staggering £3.14 million. With security breaches on the increase, web vulnerability testing has become a critical minimum security requirement for all organisations.
But it’s not only private organisations that are at risk, the public sector is just as vulnerable. A new Nesta report states that councils should become ‘digital by default’ by 2020, including by moving all transactional services online and fully digitising their back offices. Even though this will bring huge benefits, councils need to address a number of concerns about cyber security, privacy, and consent to retain public confidence in the security of data.
I have a firewall - that should do it
Unfortunately there is a misguided mentality that installing a firewall is sufficient to stop an attack. Although an important step in an organisation’s security posture, any defense at network security level will provide no protection against web application attacks since these are launched on port 80/443, which must remain open in order to allow visitors to visit your website. The attacker can then go straight through the firewall, past operating system and network level defences and right to the heart of the application and sensitive data. In addition, web applications are often tailor-made and therefore tested less than off-the-shelf software and are more likely to have undiscovered vulnerabilities.
The solution: Regular automated vulnerability scanning
Using a web vulnerability scanner like Acunetix Vulnerability Scanner ensures vulnerabilities are detected before a hacker can exploit them. A Vulnerability Scanner is used to crawl all web-based business-critical assets, automatically analysing them for perilous vulnerabilities and flaws that could expose the organization. The scanner detects and reports on vulnerabilities in applications irrespective of the architecture they are built in (such as PHP and ASP.NET) as well as being able to scan and detect vulnerabilities in applications built using popular CMS systems such as WordPress, Drupal and Joomla!.
Important Scanner Features:
1) Crawling and Scanning
A fundamental process during any scan is the scanner’s ability to properly crawl an application. Look out for a scanner that can crawl complex web application architectures including JavaScript-heavy HTML5 Single Page Applications while being able to scan restricted areas automatically and with ease.
2) Detecting vulnerabilities
With vulnerability detection, it’s accuracy that counts. Being able to scan a large number of vulnerabilities is important, however it’s the ability to scan accurately, with low false positives, that counts. Acunetix’ unique AcuSensor Technology deploys sensors inside the source code, which relays feedback to the scanner during the source code’s execution thus not only reducing false positives, but also being able to pinpoint the exact line of vulnerable code.
3) Reporting and Remediating
Once the scans are performed, the scanner will populate the information in a set of Internal Management reports as well as a range of Compliance and Classification reports for regulatory standards and best practice guidelines.
About Acunetix
Acunetix is the market leader in automated web application security testing, founded to combat the rise in attacks at the web application layer. Its products and technologies are the result of a decade of work by a highly experienced development team specializing in security. Acunetix Vulnerability Scanner is the tool of choice for many customers globally in the Government, Military, Educational, Telecommunications, Banking, Finance, and E-Commerce sectors, including many Fortune 500 companies. www.acunetix.com
Acunetix Vulnerability Scanner is available both as an online and on premise solution. It is included in the UK Government’s latest G-Cloud procurement framework, G-Cloud 7. Acunetix offers their Online Vulnerability Scanner as Software-as-a-Service (SaaS), through the Digital Marketplace. https://www.digitalmarketplace.service.gov.uk/g-cloud/services/7192777907076465