The IT Certification Resource Center

Featured Deal

Get CompTIA, Cisco, or Microsoft training courses free for a week.
Learn More ❯

ISACA Guide Outlines Web Application Security Vulnerabilities and Strategies

Rolling Meadows, IL, USA (24 October 2011)—The use of web applications has soared recently, due to the significant value they can add to enterprises by providing innovative ways to interact with customers. However, along with the benefits of these capabilities come security vulnerabilities that create dangerous risk and exposure. ISACA, a global association of 95,000 IT security, assurance and governance professionals, has issued a new, free white paper, titled Web Application Security: Business and Risk Considerations, which outlines the causes of web application vulnerabilities, examines the associated risk and impacts, and provides advice to mitigate risk. The guidance applies to all types of software development activities.

New web applications are client-server based and platform independent, require less computing power, and can be seamlessly integrated with online resources and services. Their use can result in time and cost reduction of processes, increased customer satisfaction, and increased revenue. However, web application vulnerabilities open the door to the exploitation of sensitive corporate information, disruption of service and theft of intellectual property. Some common vulnerabilities identified in the white paper include:
•    SQL injection
•    Cross-site scripting
•    Insecure direct object reference
•    Information leakage
•    Insufficient anti-automation

“Even though we are seeing more and more web-based breaches reported, there is a large number that are never reported or even detected, and many enterprises do not yet take steps to address vulnerabilities,” said Salomon Rico, CISA, CISM, CGEIT, Deloitte Mexico, chair of ISACA’s project development team. “Web applications must have security integrated every step of the way and ISACA offers specific guidance and detailed steps to do that.”

Included in Web Application Security: Business and Risk Considerations are the following strategies for addressing web application risk:
•    Security measures must be mandatory components that are included early in the process.
•    Programmers must be trained in secure coding techniques.
•    There must be a robust quality assurance process in place to enforce continuous, controlled quality testing.
•    Deployed applications must be continuously monitored for newly discovered vulnerabilities.
•    Decisive action must take place to address any vulnerabilities found.

“Enterprises can take advantage of the many benefits of web applications if they have a systematic approach,” said Rico. “These new technologies can be successfully integrated with caution, which can result in improved value and reputation, and increased support from the overall enterprise and stakeholders.”

Web Application Security: Business and Risk Considerations is available as a free download from Additional ISACA guidance on topics such as cloud computing, social media governance and mobile device security can be found at

With 95,000 constituents in 160 countries, ISACA® is a leading global provider of knowledge, certifications, community, advocacy, and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.