Hackers look for holes in hosted applications

Hosted enterprise software is not scrutinised by security researchers but may attract hackers

Hosted web applications could soon become a target for e-criminals as the applications gain in popularity among enterprise users, a security expert warned last week.

Marc Maiffret, co-founder and chief hacking officer of enterprise security specialist eEye, said that because hosted applications are run by a third party, research firms are not able to audit that software for vulnerabilities.

“The [developers] can be well-intentioned to write the most secure software possible but they will still miss things,” Maiffret argued. “With hosted applications the good guys, the researchers, can’t proactively go out and find fixes [for any flaws] but the bad guys are still out there, so there is an imbalance.”

Ross Brown, eEye’s chief operating officer, added that the nature of hosted services means that an attack’s impact would be significant. “Unlike on-premises products where every [enterprise] has a version, web services are centralised and monolithic, so if one gets compromised everyone is affected,” he said.

Meanwhile, Maiffret argued that many corporate networks are still inadequately secured, due to a lack of resources and training. “There is always a huge disconnect between how IT managers view the state of their network and the IT people, who know where they are lacking in resources,” he said. “These organisations often lack a clear understanding of whether or not the product of choice can successfully solve [their security problems] in a real-world environment.”