How important is web application security in the overall scheme of things?
Web application security is quite important. More than saying web application security, let us ask what does not run on HTTP. Any application that uses the Hyper Text Transfer Protocol for example mobile applications with their backend in the cloud, all kinds of devices that run a web site to manage it such as your home router require security. Nowadays people are adding web servers to everything. and we use them for our banking, government services, research, and communication directly on the web or something, which uses web in the backend. Therefore, it is big, and ideally, all of it needs to be secure.
How aware do you believe are organizations and individuals when it comes to the importance of web application security?
Awareness is relative. Both organizations and individuals are more aware compared to before. The question is about the degree of awareness. Whilst more and more folks would agree that web application security is important, a lot of us do not have an idea how trivial it is for attackers to compromise insecure web applications, how trivial it is for the attackers to steal data.
While organizations do spend time, effort and hence money on teaching their developers and testers in aspects of web application security, I still find many who do not realize that their casual approach can cause massive damage in technical terms or even business impact.
Many of my peers at null open security community who are professional testers of applications rub their hands in glee when they come across web applications that need to be tested. Web sites are their favourite point of attack and developers have not really kept pace with defects, which can have security implications.
How is attacking a web application different from attacking a computer?
The biggest difference is what we call the attack surface. When you have a server running a website, there is a clear attack surface which means that I know that a web server is always available. The website needs to be constantly running on the same port and the domain name will not change. Therefore, an attacker has time to understand what is running on the website, what kind of web pages are present and is there either an opportunity to attack the site directly or the server running it.
On a desktop or a laptop, things are different. We are usually not in the same network all the time. We also have different browsing habits and unless and until we are running a constant service, the attacker does not have target. What they do have is that most regular folks are not up to date with security updates are more likely to click on unknown software installers or try to get some software free, which could lead to the compromise of their system.
What previous knowledge is required to study web application security?
You need to be comfortable using a Web Browser. You need to a very basic idea about the TCP/IP stack and a very basic idea about HTTP the main protocol, which enables all web traffic. A rudimentary knowledge of programming, while knowing what is function, what are parameters helps immensely as well.
Again, studying can mean many things but what I have mentioned here will help you get started.
0 Comments