Companies make significant investments to develop high-performance Web applications so customers can do business whenever and wherever they choose. While convenient, this 24-7 access also invites criminal hackers who seek a potential windfall by exploiting those very same highly available corporate applications.
The only way to succeed against Web application attacks is to build secure and sustainable applications from the start. Yet, many businesses find they have more Web applications and vulnerabilities than security professionals to test and remedy them — especially when application vulnerability testing doesn't occur until after an application has been sent to production. This leads to applications being very susceptible to attack and increases the unacceptable risk of applications failing regulatory audits. In fact, many forget that compliance mandates like Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, and European Union privacy regulations, all require demonstrable, verifiable security, especially where most of today's risk exists — at the Web application level.
In an attempt to mitigate these risks, companies use firewalls and intrusion detection/prevention technologies to try to protect both their networks and applications. But these web application security measures are not enough. Web applications introduce vulnerabilities, which can't be blocked by firewalls, by allowing access to an organization's systems and information. Perhaps that's why experts estimate that a majority of security breaches today are targeted at Web applications.
This document is in PDF format. To view it click here.