Web developers have placed too much importance on the look, speed and ease of access for websites and web applications, at the expense of writing secure code, according to a new report by analyst firm Ovum.
The Web Security report, authored by Ovum analyst Andy Kelley, claims that the breach of Sony and several financial institutions proves that even the most well-respected organisations can be compromised by hackers.
"Not enough importance has been placed on the requirement to write secure code and deliver a hardened infrastructure," Kelly wrote. "As a result, during the last three years, up to 70 per cent of the web's top 100 sites have either hosted malicious content, or have contained redirect facilities to illegitimate websites."
The report highlighted the consequences of having a poorly secured site. It said that organisations running such sites are opening themselves to risks, including financial loss, and outlined a need to improve security to shore up against other sites that have become infected.
The report states that some corporate websites are still easy to infect and represent soft targets for malware writers searching for services that can be manipulated to serve their own needs. Cross-site scripting and SQL injection flaws continue to be the key vulnerabilities that websites suffer from, despite the increased awareness around data security.
Ovum recommended a greater emphasis on secure code writing practices, code testing and penetration testing, regardless of the overheads, stating that these operations should be considered a prerequisite of doing business on the web.
To protect the business, the report recommends using real-time content scanning alongside reputation analysis, behavioural analysis and URL filtering, similar to Google's recent recommendation to take a multifaceted approach to detecting malware. The report also stated that the use of analytics will assist in detecting unknown, or zero-day, threats, a philosophy also adopted by two-factor authentication company RSA.
However, securing corporate systems needn't be expensive. The report said that cloud-based security services will have an important role to play in the future. Cloud-based systems will have greater capacity to analyse larger traffic volumes and identify and respond to new threats in real time, the report said. It also said that organisations would benefit from the reduced overheads of a cloud-based system compared to similar on-premise software and associated infrastructure.