New App Development Spinoff to Audit Websites for Security Loopholes
A software development firm has spun off a new company that is devoted to secure Web application development with the goal of helping enterprises secure their Websites from external attacks.
As a subsidiary of WDDinc, 403 Web Security will help customers develop and maintain secure Web-based applications to prevent attacks, WDDinc officials said on April 26. 403 Web Security will evaluate Web applications, audit source code and help fix existing security vulnerabilities, Alan Wlasuk, managing partner of the spinoff, told eWEEK.
Any Website, regardless of size or type of business, can be attacked, according to Wlasuk. The attackers may target cross-site scripting flaws, launch SQL injection exploits or chain several flaws together for a complex attack, Wlasuk said.
"Because most Websites are created solely based on visual appeal, most are vulnerable to security flaws, exposing the company site and sensitive information to hackers," Wlasuk said.
For customers concerned about the security of their existing Web applications, such as an e-commerce site or an intranet portal, 403's security team will conduct a complimentary Website security audit and offer a consultation to discuss the vulnerabilities it identified, according to Wlasuk. During the consultation, the team will also offer insight on how to fix the problems or offer remediation services.
If the company is still in the planning or development phase and hasn't launched the application yet, 403 can develop the site. "Our focus is on security," Wlasuk said.
403 Web Security will be targeting primarily midsize or small organizations that can't afford the "big guys" to audit their systems. "We are not looking for banks like Chase," Wlasuk said. The company will also be targeting colleges and other educational institutions, since they acquire and collect large volumes of data.
Several companies offer automated scanners that purport to find security flaws in Websites so that organizations can fix them. McAfee Secure is one of them, regularly scanning customer Websites for "hacker vulnerabilities" and alerting the customer to potential security holes.
What 403 Web Security does is more in-depth than what a scanner can provide, since "an automated scanner is not going to find everything," Wlasuk said. As part of its audit, the team will examine the existing environment to ensure that the back-end systems are secured properly and perform thorough source code reviews.
The company has the tools and capabilities to perform penetration testing, and it can incorporate those skills into Website development, Wlasuk said.
This is not a reflection on the skill of an organization's developers, but they generally have not been trained to think about Web application security, Wlasuk said. If an organization is using some kind of content management system, there may be security vulnerabilities that the in-house developers are not even aware of. Smaller and midsize enterprises may not have the resources on hand to focus on security during development, or the budget to hire a third-party firm to audit the Web application, according to Wlasuk.
The company will maintain an ongoing relationship with its customers, periodically auditing the site to ensure it is still secure. Web security "changes quickly," whether because of new exploits or vulnerabilities or because a single change somewhere in the application has a cascading effect on a different part of the site. Wlasuk hopes 403 will eventually become a "staple for Web security" for companies.
Organizations both large and small are frequently targeted. Oracle's Sun.com and MySQL.com were recently hit by blind SQL injection attacks. Ethical hackers uncovered multiple security flaws in McAfee.com and Java.com.
403's goal is to help organizations get Web security right from the beginning of the development cycle, Wlasuk said.