
Web security has higher priority at 2009

January 7th, 2009

For a long time I have wanted to write something on web security, as a lot of business is being moved onto web infrastructure. The threat has become more severe in a short period of time. Web insecurity is a big problem today, and we have no choice but to confront it.

As we all know, firewalls, IDS, IPS, UTM, etc. focus more on traditional threats, such as scanning, DoS/DDoS, IP blocking/filtering and so on. It is difficult for small-to-medium-size businesses (SMBs) to thwart web-based attacks (e.g. SQL injection, XSS, botnets, phishing). For enterprises or multinational corporations (MNCs), the large number of web-based applications makes things more difficult. When it comes to security, all they do is simple system hardening, implementing ACLs, blocking IPs, etc. These measures are far from adequate protection. In many cases, when we run a vulnerability scan, the system looks perfect, with only port 80 open to the outside world; however, when we take a closer look at the web applications, we find a lot of big problems. Most of them are vulnerable to SQL injection and XSS.

So web-based application security becomes very, very important. The big foe is “people”, especially when we think something is secure and it actually is not!

  1. Tony Liu
    January 7th, 2009 at 16:20 | #1

    Agree with you.
    I would say most web-targeted attacks are related to application coding; our real experience is the proof of that.

    As an MNC that has lots of web-based applications and is very security-sensitive,
    we have been practicing web security in China for several years,
    from releasing coding security guidelines, to deploying a web application firewall, to setting up a content management process and integrating technical security measures into it.

    Our investment in web security has paid off now, in eliminating negative impact on our online applications and even on the corporate image.
