Session management. Another factor one should consider when developing a security risk management plan is that many Web applications do a poor job of managing unique user sessions. Weaknesses include weak authentication methods, poor cookie management, failure to enforce session timeouts, and other session-handling flaws. These often lead to session hijacking and other compromises of legitimate user identities. A security risk assessment can determine whether this is a potential problem for your organization.
Maintenance. Failure to implement security risk management policies that keep Web servers updated with the latest vendor patches, as well as neglecting to perform continued testing of proprietary Web applications, creates additional risk.
All of these major problems are usually the result of a lack of due care within the Web application development and maintenance processes. In organizations where security is not “baked in” to both the business planning and application development processes, there can be an appalling lack of awareness of the need to incorporate security best practices from day one. This is a dangerous situation, and the consequences of this general lack of awareness about the risks associated with Web servers and applications are evident in the weekly headlines reporting stolen consumer and corporate information.
The best way to avoid such disasters is to establish an ongoing security risk management process that begins with quantifying the value of Web applications, as well as the data they manage, through a complete security risk assessment. Organizations then must continuously identify and mitigate the vulnerabilities and risks associated with those systems throughout their lifecycle, from development through production.
This approach to security risk management—consistently performing a security risk assessment, then identifying and remedying vulnerabilities by correcting application development errors, applying security patches, and fixing system misconfigurations—will lead organizations to continuous improvement of their business-technology infrastructure and a thorough reduction of risk.