After the discussion about my last post and my omission of appsec, I wanted to make up for it not being in the list. Certainly, application security is important and as pointed out, I should have added it to the list of primary concerns for organizations.
By now, I hope everyone understands that attacks like SQL injection, cross-site scripting and the rest of the OWASP top 10 can have devastating effects. Often, when these vulnerabilities come into play, data loss soon follows. Sometimes, the attacker is able to gain direct access to the data targets they are seeking. For example, if SQL injection grants them access to a database that contains credit card information or identity data, then the initial compromise may be all that the attacker needs to obtain their goal.
But, even when the initial compromise does not directly yield them the data they seek, the initial SQL injection compromise often allows them access to and/or control over other systems and components. They then use a variety of technologies and techniques (from keylogging to sniffing and from pivot attacks to trojans) to leverage the initial problem into the compromise of the data they seek. In many cases, the attackers prove themselves to be both creative and patient as they slowly crawl towards their goals.
Even if your site does not have the targets they want, the SQL injection can be quite damaging for your organization. Not only do you have the compromise itself, but quite often, the application or web server with the vulnerability is manipulated to propagate malware that infects the visitors to your site, turning their machines into victims as well. As a client recently told me, “You don’t want to have to explain to upper management why your web site is responsible for infecting your customer’s computers with a virus. It is not really good for your career.”
These are just a few of the reasons that your organizations should take web application security seriously. If you have some more you would like to share, please leave a comment below.