
Web application security risks: Accept, avoid, mitigate or transfer?

Ilia Kolochenko | May 16, 2016
Web application security is a very hot topic these days. What shall CISOs do with the related risks?

Setting up a Web Application Firewall may also be a very good idea. However, keep in mind that a WAF is mainly designed to block simple and automated attacks; it will rarely stop professional Black Hats, or even advanced script-kiddies, and should be treated as one layer rather than a complete defence.

I'd obviously recommend implementing a Secure Software Development Life Cycle (S-SDLC); however, in the era of agile development and outsourcing, an S-SDLC will not always solve the problems it is supposed to. But if you have the opportunity to deploy it and properly maintain it afterwards, don't hesitate: go for it.

Security training for your web developers is also a good option. If you outsource software development, make a secure software development qualification a mandatory prerequisite when conducting RFPs.

Risk Transfer

A recent PwC report forecasts that the global cyber insurance market will reach $7.5 billion by 2020, up from $2.5 billion this year. Cybersecurity insurance may be a good idea; however, keep in mind that the cybersecurity insurance market is far from mature and may therefore bring plenty of bad surprises.

Pavel Sotnikov, managing director for Eastern Europe, Caucasus and Central Asia at Qualys, CISSP, MSs, comments: "In today's world there is no space anymore for single-factor protection. Companies should definitely adopt Defense-in-Depth methodology for layered, robust security measures. If we take website security as an example, there definitely should be continuous automated vulnerability testing both for the website and the infrastructure that supports it; moreover, there should be security testing during all stages of the SDLC in addition to secure coding practices. Additionally, there should be a Web Application Firewall for proactive protection. Ideally, all this should be complemented through regular manual penetration testing by qualified professionals."

Concentrate your efforts on appropriate risk mitigation, complemented with risk transfer activities, and you will prevent the majority of incidents before they occur.

Source: CSO 
