Approach

Organisations should take a holistic approach to web application security. Concentrating on having a security policy or strong perimeter defences can lead to a false sense of security. Watson Hall can help to assess, analyse and advise on the particular privacy and security issues associated with web applications, websites or e-commerce systems.

With internet systems, users and their devices need to be considered as well as your network and web, application and database servers when reviewing security. Security controls must be appropriate, affordable and acceptable - the triple-A (AAA) measure.

Security perimeter

Many solutions are aimed at implementing hard perimeter controls. Whilst these can be effective, a broader and deeper view is required for web application security, where the application's scope could include users in their own offices, homes and communal places, and on the move in trains, cars and the street.

At base

The desktops of your customers and staff need to be protected. Anti-virus and anti-spyware software is becoming more complex to deal with the development of more sophisticated viruses and Trojans, which can pass through your firewalls and other intrusion prevention systems. Hackers are having to be cleverer to ensure they remain undetected for longer if they manage to gain access to a desktop machine, workstation or mobile device. Rootkit techniques embed software deep within the operating system and use masking techniques that make it hard to identify and remove.

Email spam is growing more sophisticated, using inline images to deliver the message rather than free text, which can be analysed by anti-spam filters. Email with attached images also puts an increased load on your network and storage.

IP telephony - Voice over Internet Protocol (VoIP) - usage is expanding rapidly in office and home environments, and therefore this area is becoming a potentially profitable target for attack. Threats can potentially include viruses, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, charge fraud, lost and stolen data, eavesdropping, data sniffing and "man-in-the-middle" attacks, call redirection, malicious calling, VBombing and VoIP spam, spoofing, phishing (vishing) and fake caller ID.

Do you allow users on your networks to access instant messaging and web mail, and uncontrolled access to any website and downloads? Video sharing websites have trained users to allow inline display of downloads, but these can contain malicious payloads like any other type of file.

Users of your online system need to be protected from as many risks as possible. But since you do not have control over their systems, raising security awareness reduces risk.

On the move

Other mobile devices such as PDAs and mobile phones now have their own operating systems and applications. Through push text messages or Bluetooth network connections, users can be duped into following hyperlinks to download Trojans. Smishing is the term for mobile device phishing.

Web applications which can be accessed from, or make use of, such mobile devices as part of delivery or authentication increase the number of possible attack vectors. Users may be less aware of mobile risks and might consider doing something on their phone which they would not risk on a personal computer.

In the cloud

Web applications have moved away from dedicated, stand-alone systems located on dedicated physical servers. The cost arguments for cloud hosting can be compelling, but it may not be suitable for all types of organisation. The cost of the specialist architecture or security effort required to harden cloud-based systems can offset the benefits. Legal and contractual compliance issues may simply rule cloud architectures out.

Suppliers and partners

Your developers, content creators, hosting company, data feeds, payment gateway and other partner organisations may be critical elements in the sustainability of your web application, and thus your business. The information security risks associated with these external entities need to be understood, evaluated and mitigated or minimised.

Example approaches

Please review our case studies, security checklists and website security Top 10s to get a feel for our approach. Watson Hall has published a review of data retention requirements for some common business sectors.

Web security services from Watson Hall

Information security policies, standards and procedures; web site and web application security assessments and audits; and web security design and review.

Contact Watson Hall

Take a holistic approach to web application security. Contact Watson Hall to discuss assistance with assessing and minimising your web application security risks.

Act now

To discuss security matters in confidence and without obligation, telephone us on 020 7183 3710 or complete the enquiry form.

© 2007-2010 Watson Hall Ltd, last reviewed 2 March 2010

These pages contain general information only. Nothing in these pages constitutes professional advice. Please read the website's terms of use, and consult a suitably qualified information security professional on any specific problem or matter.

Watson Hall Ltd is a company registered in England no 6004969 at North Bastle, Gatehouse, NE48 1NG, United Kingdom.

http://www.watsonhall.com/methodology/