Web & Mobile App Vulnerabilities & Security Challenges: Can a Checklist Help?

Posted on April 23, 2015 by Tim Burke

As I pointed out in my last post, the web and mobile applications on which most businesses now depend are rife with security vulnerabilities. And it’s getting worse. Take a look:

[Chart: Web application security vulnerabilities increasing. Rankings of web app vulnerabilities by type, 2013 vs 2014 (% of occurrence in apps). Source: HP Security Research Cyber Risk Report 2015]

[Chart: Comparing 2014 web & mobile app vulnerabilities, by vulnerability type (% of occurrence in apps). Source: HP Security Research Cyber Risk Report 2015]

Among the most pervasive web app threats are SQL injection and cross-site scripting, both well-known techniques; the first SQL injection occurred in 2002!

Why app security is so tough: 4 reasons

1. Apps are often created quickly by multiple developers. Meeting deadlines and functionality goals while staying within budget too often short-shrifts web application security.

2. App-building tools and capabilities were designed for far simpler environments, like where HTTP and the web were 20 years ago. Using such old tools to create new functionality produces unanticipated vulnerabilities that may lie undiscovered for years.

3. Security still gets short shrift in the IT budget. Ideally, both web application security and mobile app security should be considered essential components of software quality assurance, but too often they are overlooked.

4. Web application security testing is not a one-off. New vulnerabilities can be introduced with every change in code or infrastructure. New malicious exploits can find ways to take advantage of vulnerabilities considered dormant. Effective web application security testing must be continuous.

Where’s my web application security testing checklist?
It’s tempting to address web application security in general, and web application security testing in particular, by finding a web application security testing checklist and having at it. But while engineers, fund managers, and pilots have been shown to perform better thanks to checklists, IT professionals tend to resist a one-size-fits-all web application security testing checklist for a couple of reasons:

- Apps are unique and dynamic, while generic checklists are often oversimplified. Since specific testing processes that work for one type of app may not be appropriate for other types, effective security testing checklists must be dynamic and updatable.

- Technologies evolve quickly and sometimes dramatically. App security checklists can go out of date just as quickly and dramatically.

When it comes to testing app security, overworked IT professionals are better served by a carefully crafted set of security requirements tailored to the apps at hand. Creating such requirements and using them to test app security takes skill and expertise, and is often best handled by a knowledgeable security services provider with a deep understanding of today’s quickly evolving security landscape as well as experience in conducting web and mobile application security scanning and testing.