How Secure Is Your Web Application?

With the threats to data security in e-commerce, web application security should be the on the top of the list of concerns for any merchant. If a survey conducted by the Open Web Application Security Project (OWASP) is any example, organizations and merchants are only responding to security threats when they should be testing the secure coding of all web applications accepting electronic payments.

The Open Web Application Security Project (OWASP) was created to help improve the security of application software. The project, whose online home is a wiki site, is a forum community open to anyone and its primary mission is to promote the visibility of web application security. The project also exists to aid organizations in making educated decisions about the security risks of web applications.

In an effort to establish an industry benchmark for the amount of dollars spent on web application security, the project conducted a survey and released the OWASP Security Spending Benchmark Report in March, 2009. The survey was conducted through the project’s 17 partners and resulted in valid responses from 51 organizations. The goal of the report was to measure spending habits regarding the development of web applications with secure code. However, it revealed a lot more.  The report revealed that only 61% of the 51 organizations surveyed used an independent third-party security organization to review their web application software code prior to going live. Twenty-two percent did not have an answer or only perform a review when requested by customers. Web application security only accounted for 10% of the overall security spending in 36% of the organizations. Additionally, a majority of the security checkpoints during the software development lifestyle occurred during the testing phase. The consensus is that checkpoints should occur at every stage, so as to find security issues earlier in the development process.

While organizations are spending money on data and application security, the costs are mainly based on regulatory compliance. The report also showed that over a third of the organizations surveyed also do not use web application firewalls to monitor or defend applications. The culmination of this information should raise a red flag for consumers and merchants alike (especially for merchants relying on third-party developers for their web applications).

According to Verizon’s 2009 annual Data Breach Investigation Report, the data breach was discovered by third parties in 69% of cases. The study, based on data analyzed from 285 million compromised records from 90 confirmed breaches in 2008, also found that 81% of affected organizations subject to the PCI DSS had been found non-compliant prior to being breached. The team conducting the study also stressed the importance of web application testing.

In an attempt to assist developers in addressing application security risks, the OWASP created a Top 10 list of the most significant web application security vulnerabilities. More importantly the Payment Card Industry Data Security Standard has adopted the OWASP Top 10 with regards to secure coding guidelines. It is not a complete list but considered a good starting point for developers writing secure code. The OWASP Top 10 list (created in 2004 and updated in 2007) is outlined below.

A1 – Cross Site Scripting (XSS)

A2 – Injection Flaws

A3 – Malicious File Execution

A4 – Insecure Direct Object Reference

A5 – Cross Site Request Forgery (CSRF)

A6 – Information Leakage and Improper Error Handling

A7 – Broken Authentication and Session Management

A8 – Insecure Cryptographic Storage

A9 – Insecure Communications

A10 – Failure to Restrict URL Access

What merchants need to know is that they cannot rely on firewall, network or host layer security to prevent data threats. If they are left to rely on developers and payment processors for payment security, merchants should be managing, or at least overseeing, these efforts to ensure that their e-commerce payment applications are tested completely before going live. If they are outsourcing application development, merchants should also review the development organization’s current customers as well as any history of data breaches involving the development organization and its web applications.

OWASP plans to release the benchmark report on a quarterly basis. This should help provide more exposure and a call to action in support of secure coding in e-commerce web applications.