A new software development company, 403 Web Security, is offering to assist companies of all sizes to find and repair vulnerabilities on existing sites and to build new secure Websites.
A software development firm has spun
off a new company that is devoted to secure Web application development with
the goal of helping enterprises secure their Websites from external attacks.
As a subsidiary of WDDinc, 403 Web
Security will help customers develop and maintain secure Web-based applications
to prevent attacks, WDDinc officials said on April 26. Now 403 Web
Security will evaluate Web applications, audit source code and help fix
existing security vulnerabilities, Alan Wlasuk, managing partner of the
spinoff, told eWEEK.
Any Website, regardless of size or type
of business, can be attacked, according to Wlasuk. The attackers may target
cross-site scripting flaws, launch SQL injection exploits or chain several
flaws together for a complex attack, Wlasuk said.
"Because most Websites are created
solely based on visual appeal, most are vulnerable to security flaws-exposing
the company site and sensitive information to hackers," Wlasuk said.
For customers concerned about the
security of their existing Web applications, such as an e-commerce site or an
intranet portal, 403's security team will conduct a complementary Website
security audit and offer a consultation to discuss the vulnerabilities that had
been identified, according to Wlasuk. During the consultation, the team will also
offer insight on how to fix the problems or offer remediation services.
If the company is still in the planning
or development phase and hasn't launched the application yet, 403 can develop
the site. "Our focus is on security," Wlasuk said.
403 Web Security will be targeting
primarily midsize or small organizations that can't afford the "big guys" to
audit their systems. "We are not looking for banks like Chase," Wlasuk said.
The company will also be targeting colleges and other educational institutions,
since they acquire and collect large volumes of data.
Several companies offer automated
scanners that purport to find security flaws in Websites so that organizations
can fix them. McAfee's Secure scanner is one of them, regularly scanning
customer Websites looking for "hacker vulnerabilities," and alerting the
customer to potential security holes.
What 403 Web Security does is more
in-depth than what a scanner can provide, since "an automated scanner is not
going to find everything," Wlasuk said. The team will be looking at the
existing environment to ensure that the back-end systems are secured properly
while performing thorough code reviews as part of its audit.
The company has the tools and
capabilities to perform penetration testing, and it can incorporate those
skills into Website development, Wlasuk said.
It doesn't mean an organization's
developers aren't good at their jobs, but that they generally have not been
trained to think about Web application security, Wlasuk said. If an organization
is using some kind of a content management system, there may be security
vulnerabilities that the in-house developers are not even aware of. Smaller and
midsize enterprises may not have the resources on hand to focus on security
during development or the budget to hire a third-party firm to audit the Web
application, according to Wlasuk.
The company will maintain an ongoing
relationship with its customers to periodically audit the site to ensure it's
still secure. Web security "changes quickly," whether it's because of new
exploits or vulnerabilities or because a single change somewhere in the
application had a cascading effect on a different part of the site. Wlasuk hopes
403 will eventually become a "staple for Web security" for companies.
Organizations both large and small are
frequently targeted. Oracle's Sun.com
were recently hit
by blind SQL injection attacks. Ethical hackers uncovered multiple security flaws in McAfee.com
403's goal is to help organizations get
Web security right from the beginning of the development cycle, Wlasuk