Experts warn that firms are mishandling web security
Protecting the network means nothing if applications are vulnerable, warns consultancy
Experts have warned that many firms are failing to address security flaws in bespoke web applications, and said that skill shortages and current design and development processes are adding to the problem.
Enterprise security is largely focused on protecting the network and operating system with measures such as firewalls and intrusion detection, but this may count for little if web applications sitting on top of this are unstable, argued Dan Norris-Jones, co-founder of internet consultancy firm Priocept.
He explained to IT Week that web applications by their very nature have to allow the general public to access them and so openings in the network through to the web application have to be created. However, this means that the overall system is only as secure as the web application itself, and so code level analysis is essential to ensure they are secure and free of vulnerabilities, he added.
"The industry is missing the point here," he argued. "It is all very well [for an enterprise] having hundreds of firewalls, but if its website contains flaws everything else is irrelevant, and there have been some high profile examples of poor quality custom software development in the past."
IT managers must ensure their teams are more thorough in designing and architecting web-based solutions, and he predicted that code-level auditing agencies would become more popular in providing firms with a "second pair of eyes" to verify code.
"The move to less formalised development processes like Agile is great for the client in being more responsive to their needs, but something has to be done to [ensure more formal] and careful planning," he added.
Norris-Jones recognised that web technology is still relatively immature and therefore has a limited amount of skilled resources, but suggested that a formalised professional qualification for software architects could help to drive up standards.
In separate news, many small and medium-sized businesses are vulnerable to potential attacks on their networks because they are failing to patch their software as soon as patches are released, according to new research by ISP intY. But nearly half are still put off using an application service provider (ASP) model to help manage patching and applications, the survey found.
Many firms are concerned about the reliability of the internet link between their business and the ISP where the application server is usually located, explained intY's founder Mark Herbert. But a hosted service offers firms a range of benefits including greater flexibility, lower overheads and automatic patch deployment, he added.