
'Penetrate and patch' e-business security is grim

by Nikola Strahija on February 26th, 2002

Application security flaws introduced early in the design life cycle are giving rise to easily exploitable defects that could readily have been prevented. That is the main conclusion of an evaluation of 45 e-business applications by security consultancy @stake, which describes the current state of application security as "grim".


@stake found that nearly half of the application security defects it identified (47 per cent) are both readily exploitable and capable of causing significant loss of reputation or customer revenue, yet all of them were preventable. The consultancy also found that the best-designed e-business applications have 80 per cent fewer security defects than the worst.

@stake's testing reveals some worrying trends in application insecurity.

These include insufficient rigour in checking user input, a problem that can give rise to buffer overflow attacks, and a lack of secure authentication and access control features within applications. User session security proved to be the "Achilles heel" of many of the applications analysed.

Nine classes of common security flaws can make applications insecure, according to @stake's research. These are: administrative interfaces, authentication/access control, configuration management, cryptographic algorithms, information gathering, input validation, parameter manipulation, sensitive data handling and session management.

"Many companies treat security as 'penetrate and patch' rather than employing secure software engineering practices that would have produced a safer application from the start," said Andrew Jaquith, program director, @stake.

The six areas that differentiate the best from the rest are: early design focus on user authentication and authorisation; mistrust of user input; end-to-end session encryption; safe data handling; elimination of administrator backdoors, misconfigurations and default settings; and security quality assurance.
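Three of the flaw classes named above (input validation, parameter manipulation and session management) and the corresponding good practices (mistrust of user input, early focus on authorisation) can be shown side by side in a small order-handling service. The following Python sketch is an added example, not code from @stake's report or from the article; the shop classes, the catalogue and the request dictionaries are constructed for illustration. The vulnerable version trusts the client for the price and the user identity and hands out sequential session ids; the hardened version derives the user from a random session token, takes the price only from the server-side catalogue and rejects malformed quantities.

```python
import re
import secrets

# Constructed sample catalogue: prices in cents, authoritative on the server.
CATALOG = {"sku-100": 4999, "sku-200": 1500}


class VulnerableShop:
    """Classic 'penetrate and patch' target: trusts request parameters and
    issues predictable session ids."""

    def __init__(self):
        self._next_session = 1000
        self.sessions = {}
        self.orders = []

    def login(self, user):
        sid = str(self._next_session)  # sequential: neighbouring ids are guessable
        self._next_session += 1
        self.sessions[sid] = user
        return sid

    def order(self, params):
        # user, sku, price and qty all come straight from the client request
        user = params["user"]
        total = int(params["price"]) * int(params["qty"])  # price manipulation
        self.orders.append((user, params["sku"], total))
        return total


class HardenedShop:
    """Same function, built with mistrust of user input from the start."""

    def __init__(self):
        self.sessions = {}
        self.orders = []

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self.sessions[sid] = user
        return sid

    def order(self, sid, params):
        user = self.sessions.get(sid)  # identity comes from the session, not the form
        if user is None:
            raise PermissionError("no valid session")
        sku = params.get("sku")
        if sku not in CATALOG:
            raise ValueError("unknown sku")
        qty_raw = params.get("qty", "")
        # Positive-integer whitelist: ASCII digits only, bounded length and range.
        if not re.fullmatch(r"[0-9]{1,3}", qty_raw):
            raise ValueError("qty must be a positive integer")
        qty = int(qty_raw)
        if not 1 <= qty <= 100:
            raise ValueError("qty out of range")
        # Any client-supplied 'price' field is simply ignored.
        total = CATALOG[sku] * qty
        self.orders.append((user, sku, total))
        return total


def tampered_order_vulnerable():
    """Attacker submits a 1-cent price and someone else's user name."""
    shop = VulnerableShop()
    shop.login("alice")
    return shop.order({"user": "bob", "sku": "sku-100", "price": "1", "qty": "1"})


def tampered_order_hardened():
    """Same tampered request against the hardened shop: price is ignored."""
    shop = HardenedShop()
    sid = shop.login("alice")
    total = shop.order(sid, {"user": "bob", "sku": "sku-100", "price": "1", "qty": "2"})
    return total, shop.orders[0][0]


def guessed_session_works(shop_cls):
    """Try to reuse a neighbour of a freshly issued session id."""
    shop = shop_cls()
    sid = shop.login("alice")
    guess = str(int(sid) - 1) if sid.isdigit() else sid[:-1] + "A"
    shop.login("carol")  # a second user logs in; attacker guesses around their id
    guess = str(int(sid) + 1) if sid.isdigit() else guess
    return guess in shop.sessions


if __name__ == "__main__":
    print("vulnerable total:", tampered_order_vulnerable())
    print("hardened total, user:", tampered_order_hardened())
    print("guess works (vulnerable):", guessed_session_works(VulnerableShop))
    print("guess works (hardened):", guessed_session_works(HardenedShop))
```

The point is not the individual checks but where they live: the hardened version was designed so that no security-relevant value (identity, price, session id) originates with the client, which is what @stake means by building security in rather than patching it on afterwards.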
