Why is it that so many web applications are certified to be compliant with a particular standard such as PCI DSS and yet are still compromised? According to data compiled by the DatalossDB project, breaches caused by web applications and web-related flaws comprise 11% of all breaches while another 18% fall into the “hack” category (some of which are likely web application related).
Is the scanner the problem? Is it the auditor? Or was the scope of the analysis too narrow to account for all the other factors that secure the application? The simple answer is that the complexity of the application, the network, the supporting environment, and the audit process itself makes it necessary to develop a comprehensive approach to web application security assessments, one that includes people, process, and technology.
For the last decade, considerable resources have been directed at developing web-based applications. These range from simple applications that replace paper-based tasks, to home banking applications offered for customer convenience, to complex applications that attempt to automate lengthy or difficult tasks. As web servers host an increasingly diverse set of applications, would-be attackers are focusing on them in attempts to gain access to information or resources. Given the prevalence of many web application vulnerability classes, these attacks range from nuisances to full compromises of your organization. Since many of these applications are developed in-house, administrators typically cannot rely on public vulnerability databases to determine whether their applications are vulnerable. Organizations must instead perform vulnerability tests specific to their in-house developed applications. Further, it is imperative that organizations analyze all the elements that support those web applications.
Tenable’s dedicated Research group is constantly analyzing new threats and developing plugins to detect these threats. The Tenable product suite applies this research on an enterprise level to correlate information from a variety of sources to help analysts get a complete picture of the supporting environment, in order to better audit and secure web applications.