It is no easy task to secure today's digital enterprise. With all of the irons in the fire of the digital ecosystem, there is a lot that can compromise the corporate website. Both website visitors and Internet users are vulnerable to web-based malware, and it is increasingly more difficult for security practitioners to thwart web-based attacks.
Even with the daily occurrence of breaches, some organizations are not thinking about security, especially those enterprises for whom a large percentage of their revenue comes directly through the website. Many companies that do worry about security, think of it in terms of restricting internal users from accessing what might be potentially risky sites.
Worrying about vulnerabilities from internal users or third-party code, however, is moot if security is not part of the network architecture. Jim DelGrosso, senior principal consultant at Cigital, said that whether network architects are taking security into account when building their websites depends on the organization and how mature its security program is.
"In the financial space, enterprises think about it all the time, but in other areas that are not bound by strict governance, it's not as prevalent. With a lot of the larger enterprises, it is absolutely on their radar," DelGrosso said.
At the design level, keeping things segregated and defense in depth are the best ways to strengthen security. "Security controls layered in such a way that just because I got through some cross site scripting doesn't mean I can get anywhere else," said DelGrosso, "and they need to think about this upfront."
Rather than making security an afterthought, network architects should be thinking about the layers of controls that will create a safer environment.
Chris Olson, CEO of The Media Trust, said, "Architecture is hacked all the time without even realizing it. Every enterprise needs to be monitoring their website, but they don’t. They check the 10 percent to 20 percent of source code that is their own, what they are ignoring is the 80% via third parties."
Whether the code that is written by the enterprise or the third parties poses more risk seems to be up for debate. Some contend that self-regulating open source libraries are less likely to contain vulnerabilities because they've been examined by so many sets of eyes. The code that an enterprise writes, though, is self owned and more likely to pose security risks because it's not been tested as thoroughly as that written by third parties.
Olson said, "Third parties check code, but once it’s put into the content management system, it’s then rendering on the client side and that company that provides that code is no longer looking at it. If that company is attacked, there is no control because it resides in the CMS. The predominance of malware delivery on the web comes from this."
Sign up for Computerworld eNewsletters.