IT Security Vulnerabilities Caused by Web Applications

Custom business applications are increasingly attractive because they allow companies to improve employee and customer user experiences with enhanced flexibility and efficiency. Some custom business app platforms tout that “creating your own custom apps is easy, even if your programming knowledge is non-existent.” However, this ease and accessibility can lead to unanticipated security vulnerabilities.

According to Imperva, web application vulnerabilities in 2018 increased by 23% from 2017 and by 162% from 2016. Imperva also notes that “more than half of web application vulnerabilities (54%) have a public exploit available to hackers.” A public exploit means an attacker does not have to develop one; the vulnerability can be used as-is to enter your organization’s network and reach the systems behind it.

What Are Countermeasures/Prevention Techniques?

In most situations, configuration or programming errors are the leading cause of web application vulnerabilities. These errors can be identified by performing a web application scan, a code review, or both.

Web Application Vulnerability Assessment

AAFCPAs advises clients with systems exposed to the internet to conduct regular web application vulnerability assessments. Exposure is of particular concern when an internet-facing application handles sensitive data, or when the applications are developed and managed internally.

AAFCPAs’ web application vulnerability assessments identify vulnerabilities such as HTML injection, SQL injection, cross-site scripting (XSS), and open (unvalidated) URL redirection. Where these are present, an attacker can run their own queries against your database, place script into the pages your application serves to other users, or use a link on your site to send users to a site the attacker controls.
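As an added illustration (not AAFCPAs’ code or tooling), the Python below shows each vulnerability class named above as a vulnerable function beside its hardened form: a string-built SQL statement versus a parameterised one, raw output versus HTML-encoded output (which covers both HTML injection and XSS), and an unvalidated `next` redirect parameter versus one checked against an allow-list. The in-memory SQLite table and the host `app.example.com` are constructed for the example.

```python
import html
import sqlite3
from urllib.parse import urlparse

# Constructed in-memory user table standing in for the application's database.
# Passwords are stored in clear only to keep the demo short; real applications
# store salted hashes.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# --- SQL injection: string-built statement versus bound parameters ---

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is pasted into the statement text, so a username of "alice' --"
    # turns the rest of the WHERE clause into a comment: no password check.
    stmt = (f"SELECT 1 FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")
    return conn.execute(stmt).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders bind the input as values; the statement text never changes.
    stmt = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(stmt, (username, password)).fetchone() is not None


# --- HTML injection / XSS: raw interpolation versus output encoding ---

def greeting_vulnerable(name: str) -> str:
    # Whatever the user typed becomes markup in the page served to other users.
    return f"<p>Hello, {name}!</p>"


def greeting_hardened(name: str) -> str:
    # Encode & < > " ' so the input is rendered as text, not parsed as HTML.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- Open redirect: trusting the next parameter versus validating it ---

# Assumption for the example: the application is served from this host.
ALLOWED_HOSTS = {"app.example.com"}


def redirect_vulnerable(next_url: str) -> str:
    # Sends the browser wherever the link author chose, phishing sites included.
    return next_url


def redirect_hardened(next_url: str, default: str = "/") -> str:
    # Accept only a local path or an absolute URL on our own host. Other hosts,
    # protocol-relative "//evil", backslash tricks and non-http schemes all
    # fall back to a safe default.
    if "\\" in next_url:
        return default
    parsed = urlparse(next_url)
    if parsed.scheme == "" and parsed.netloc == "" and next_url.startswith("/"):
        return next_url
    if parsed.scheme in ("http", "https") and parsed.netloc.lower() in ALLOWED_HOSTS:
        return next_url
    return default


if __name__ == "__main__":
    db = make_db()
    evil_user = "alice' --"
    print("vulnerable login bypassed:", login_vulnerable(db, evil_user, "wrong"))
    print("hardened login bypassed:  ", login_hardened(db, evil_user, "wrong"))
    print(greeting_hardened("<script>alert(1)</script>"))
    print(redirect_hardened("//evil.example/"), redirect_hardened("/account"))
```

A web application scan finds these by sending the same crafted inputs (`' --`, `<script>`, `//evil.example/`) to every parameter and watching the response; a code review finds them by looking for the pattern on the left of each pair, which is why the two methods complement each other.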

Evaluate Processes

While it is important to remediate issues shown in scan results, AAFCPAs’ Cyber Security experts advise clients to examine root causes and enhance internal processes to reduce or eliminate the recurrence of such findings. Vulnerabilities are usually a symptom of a breakdown in your organization’s processes. AAFCPAs evaluates clients’ existing processes related to change management and the Software Development Life Cycle (SDLC) and provides guidance to improve security measures moving forward.

Regularly Assess the Most Prominent Security Risks

The Open Web Application Security Project (OWASP) is a global nonprofit community that identifies and provides guidance on the most prominent vulnerabilities in web-based applications. The OWASP Top 10 represents a broad consensus about the most critical security risks to web applications and is widely regarded as the starting point for web application security.

AAFCPAs encourages clients—especially those who created or customized web-based application(s)—to adopt the OWASP Top 10 awareness document within their organization in order to minimize these risks. AAFCPAs performs OWASP Top 10 analysis for clients to improve the security and quality of their code. This analysis goes beyond an automated web application scan to include source code review.

To schedule a cybersecurity assessment, or for specific advice on web application vulnerabilities and how to best protect your organization, please contact: James Jumes at 774.512.4062, jjumes@aafcpa.com; Mr. Anderson at manderson@aafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and SOC 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting or SOC 2 + HITRUST reporting to assess clients against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Mr. Anderson - Ethical Security Hacker
Mr. Anderson is a “white hat” ethical security hacker and business continuity advisor with extensive experience in the development and implementation of security-focused audit and control programs. He is highly sought after for his expertise in: security architecture reviews; penetration/vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and extensive experience with internal controls evaluation, COSO, COBIT, ITIL, ITGCC, GLBA audits, and ISO and SOX 404 compliance requirements, including all phases of planning, evaluation, documentation, testing and remediation.