Over the holiday period I spent some time catching up on news items and emails that filled up my inbox over the preceding few months. One item I did not look at until recently was an announcement about the Web Application Security Consortium (WASC).
WASC is an open forum to stimulate and create discussion regarding web application security. This is an area that will become more and more important to those of you tasked with protecting the online presence of your organisation, especially if your web sites have any interactive functions built into them.
Criminals are moving away from attacking the network and operating system layers and are instead looking at how to break applications to get at what they want: money, either yours or your clients'.
Thanks in part to advances in the networking and operating system technology we now use, it is getting more difficult for criminals to exploit those lower layers, so they are now looking to exploit the applications we deploy on our servers.
WASC have set up the Web Hacking Incidents Database, in which they record the various attacks that have occurred (two major ones are already recorded for 2008) and how those attacks happened. Browsing through the database, three main vectors jumped out at me:
- SQL Injection Attacks
- Cross Site Scripting Attacks
- Attacks using known vulnerabilities.
The above attack vectors are well known, and there are plenty of resources out there to help people code their applications more securely and to ensure they patch their systems regularly. You need to be aware of how these attacks happen, and you need to ensure that your developers or application providers have tested their applications for them.
If you have not done so already, have a look at the OWASP site for some good information. Microsoft’s ACE team have a great blog on developing secure code, and their %41%43%45%20%54%65%61%6d blog (URL-decoded, that reads “ACE Team”) gives a four-part tutorial entitled “First Line of Defence for Web Applications”.
While you are at it, I would also recommend that you start the New Year by revising your incident response plan to ensure that it is up to date and that you are prepared to react to these types of attack.