Why Web Vulnerabilities Aren't Going Away Anytime Soon



As buzz mounts over the newly discovered and yet-to be disclosed high severity OpenSSL vulnerability, many may be wondering when the seemingly endless stream of web vulnerabilities will end. Unfortunately, that time likely won’t come soon.

Despite advances in web application security, websites and web applications remain highly vulnerable. The reason for the plethora of website vulnerabilities is largely due to web developers not going through the proper security configuration process when websites are created. This is because websites are normally created with speed in mind – not security – which results in common misconfigurations such as running outdated plug-ins or software.

In many cases, validation and vulnerability scanning don't occur during web development. Without proper vulnerability testing it becomes altogether too easy to miss common vulnerabilities such as SQL injection flaws or cross-site scripting, which can be identified and prevented with the right configurations and implementation.

Rather than sacrificing security for development deadlines or convenience, enterprises need to have their web-dev team committed to testing for vulnerabilities and going through the proper validation steps to identify any issues. From there, development teams must make a concerted effort to continue to check sites for possible vulnerabilities while regularly installing patches for servers or software as soon as they're issued.

There are still many companies and web developers that produce websites that are far less vulnerable than the norm. These are businesses that are committed to making security a top priority in their website development process while taking the time to ensure sites are properly maintained and configured.

A business’ ability to produce more secure websites depends on the company's resources and its processes for developing and maintaining websites, but there are a few best practices that companies should adopt for secure development. If you rely on third party developers to create your sites, you should ensure proper budget is allocated to a full testing and validation process. It’s also important to ensure that your IT team continually installs security updates as they're issued. If possible, invest in automated vulnerability scanners which can secure and maintain sites on an on-going basis.

Greg Funaro
Related Articles
Everything Old is New Again

The adage that there is nothing new under the sun is especially relevant in the security field. Attacks and the technologies that spring up to defend against them tend to run in cycles, and the recent resurgence of DDoS attacks of various stripes has shown once again that we still don’t have a real handle on how to stop this problem.

The end of the line for Flash? Not so fast

Flash has long been a favorite target for attackers; but with Adobe revising strategy, how long before Flash-free is a reality?

Tax Fraud Two-Step Starts with Phishing for W2s

A spate of spear phishing attacks aimed at harvesting employees’ W2s has direct links to tax ID fraud.

Greg Funaro

Greg Funaro is the Director of Corporate Communications at Digital Guardian.

Please post your comments here