Securing a Web App at the Last Minute

Article Description

While consumers and the media are increasingly aware of the risks to confidential information over web apps, firms still tend to focus on development, leaving data security until just before the go-live date. Ajay Gupta points out that last-minute steps are available to improve the security of your apps before launching them onto the Internet.
Testing and Findings

We performed the testing after work hours, as specified. Over the following weekend, we held a conference call with the client to convey our findings and recommendations; because of the time crunch, the results were delivered by phone rather than in writing. There's no problem with reporting results in this fashion, but we usually prefer to complete at least a brief written report when sharing results with clients.

Our main findings were as follows:

  • Cross-site scripting and SQL injection vulnerabilities. Both XSS and SQL injection vulnerabilities were identified, even though the client claimed to have followed secure coding practices and performed a security code review on the application source code. Indeed, they probably did do what they claimed; however, these vulnerabilities have become almost ubiquitous in today's computing environments, and the fact that they pop up even after a secure coding effort is not surprising or even uncommon.
  • Lack of an intrusion-detection and/or intrusion-prevention system (IDS/IPS). This is the hosting provider's responsibility, according to information we received from the client. In other words, the client expected that the hosting provider would deploy an IDS to secure the servers hosting their web application.
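The first finding is worth illustrating, because both vulnerabilities come from the same mistake: untrusted input is spliced into a language (SQL or HTML) as if it were code. The following Python example is added here and is not code from the article or from the client's application; it uses an in-memory SQLite table with constructed sample rows, and the function names and test inputs are assumptions for illustration. It places the string-concatenated query and the un-encoded HTML render next to their hardened forms, a parameterized query and HTML-encoded output, so a reviewer can see why a code review that looked for "secure coding" in general can still miss these two patterns.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the app's real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <Admin>")],  # sample data, not real users
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the value is concatenated into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened: the driver sends the value separately from the SQL text,
    so it is matched as data no matter what characters it contains."""
    sql = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_vulnerable(display_name):
    """XSS: untrusted text is interpolated into HTML without encoding."""
    return "<p>Welcome, " + display_name + "</p>"


def render_safe(display_name):
    """Hardened: HTML-encode the value (including quotes) so markup
    characters are displayed rather than interpreted by the browser."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo():
    """Run the same constructed inputs through both versions of each function."""
    conn = make_db()
    # Constructed test input: closes the quoted literal and appends an always-true condition.
    tautology = "x' OR '1'='1"
    # Constructed test input: a script tag that must come back encoded, not live.
    markup = "<script>alert(1)</script>"
    return {
        "vulnerable_sqli": lookup_vulnerable(conn, tautology),  # every row leaks
        "safe_sqli": lookup_safe(conn, tautology),              # no such user: []
        "vulnerable_xss": render_vulnerable(markup),            # tag survives intact
        "safe_xss": render_safe(markup),                        # tag is encoded
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The parameterized form is the fix a code review should insist on; escaping quotes by hand is fragile and is exactly the kind of "we followed secure coding practices" measure that still leaves the ubiquitous findings described above. The same rule applies on output: encode for the context (HTML body here) at the point of rendering, not at the point of storage.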