Insecure web applications

Here in the Cayman Islands and throughout the Caribbean region, we are progressively catching up to other major financial jurisdictions with regard to how we perform business transactions.

The internet has revolutionized the way the world conducts business and has become an effective tool that has allowed businesses to provide cost-efficient solutions to their clients. Online banking and web reporting are becoming popular value-added services that are offered by banks and firms here in Cayman.

But while these services enhance customer service and satisfaction, they are also a source of risk.

All websites that involve the submission and retrieval of dynamic data rely upon web applications, which are computer applications that are accessible by a web browser over a network such as the internet.

Organisations have embraced and accepted web applications due to the functionality that they possess, enabling the streamlining and automation of business processes. Little do we realise that we have also accepted the security risks that accompany web applications which are poorly designed, developed, or implemented.

No one on the internet is immune from security threats. In a rush to provide online services to clients, businesses have either purchased or developed web applications with little attention given to security risks. The result is vulnerable web applications that are susceptible to exploitation by hackers.

Prominent websites from many industries and sectors around the world such as financial services, healthcare, government and retail have become victims of hackers who have probed their networks to access confidential data or perform fraudulent transactions due to insecure web applications.

Vulnerable web applications can have severe repercussions on both the business and the client.

Business executives and owners need to understand that the information retrieved by web applications is gathered from their internal databases, which contain data that is confidential to their organisation and their clients.

If the web application retrieving that data is not secure then the entire database is in jeopardy. Consequences of a security breach can cause a business loss of revenue, legal liability, loss of customer trust and damage to their reputation and credibility.

Clients of businesses that implement insecure web applications can also suffer damages.

The most common security risk for a client would be identity theft, which is where the client's name and other personal information is stolen by a hacker and used for fraudulent purposes such as unauthorised purchases and access to personal finances.

Businesses need to ensure that the online services they provide to their clients are secure by implementing security best practices such as including security in the web application design, installing security patches and forming policies and procedures for their web applications.

It is always more effective and cost-efficient to implement security during the design and development stages of the web application. In doing so, the overall cost to implement security is drastically reduced and the security risks involved with the web application are mitigated.

In conjunction with implementing security best practices, a qualified information security company should be hired to conduct regular security assessments of the company’s web application. The reason for this is to have an independent third party’s review of the web application’s security.

Using off-the-shelf or standard applications still carries the risk of introducing security vulnerabilities into your network infrastructure, and vendors will never admit that their software is insecure.

If the web application is developed in-house, this is also a good way for management to assess the quality of the application. Security assessments should be conducted before a web application goes live, periodically thereafter (usually every six to 12 months), and after any significant upgrade or change to the web application or infrastructure.

Web applications have become an integral part of the way we carry out business. If web applications are not designed well and security is not addressed during the development and implementation stages of the application, security risks may go undetected until a hacker comes along.

Businesses can find it very tedious to assess whether their web applications are secure to a level of risk their company is willing to accept.

It is for this reason that many organisations hire information security companies to conduct security assessments on their web applications. The benefit of minimising a company's risk exposure to security threats far outweighs the cost of conducting these assessments.

Deon Ebanks is a Senior Consultant with Deloitte (Cayman) Enterprise Risk Services, performing information security and IT control assurance services. For more information on how your organisation can implement or assess the security of its web applications, please contact Deon at [email protected] or via +1 (345) 814-3490.