Web Application Security - Perspectives

The link above points to Secunia, which tracks security issues for many products.

Interpreting the data is subjective, for the following reasons:

  • If an application is constantly being tested and reviewed for security issues, problems will be found more quickly.
  • Applications with reports of many issues may simply be tested better than others.
  • Applications which are very popular will also have a greater presence, as this implies greater testing.
  • Development teams that are very conscientious and report issues frequently will generate more reports than more reserved teams.
  • Development teams that refrain from reporting security issues may consider that a valid approach, on the grounds that it reduces the information available to malicious users.
  • Some applications have fundamental issues that make them more vulnerable than others.

After reviewing the reports for an application, there are several courses of action:

  • Check whether the application has been compromised on your server. Immediately apply any recommended upgrades or patches.
  • Review the application documentation and the site/forum for additional tips on securing the application.
  • Review any appropriate server security practices.
  • Determine the value of any data or content involved, with an eye toward the cost of replacement or porting to a different application. Be sure to include the cost of training, learning curve (both for users and developers), administration issues, etc.
  • Consider a web application firewall such as mod_security (http://modsecurity.org).
  • If you handle sensitive data or e-commerce, consider a hosted solution.
  • Repeat this review regularly, since new issues are reported over time.

An application that can power multiple sites can greatly reduce maintenance.