IT complexity in today’s businesses has increased drastically and businesses no longer have one core system providing all the required business functions. It is not unusual for businesses to be using four or more business applications for their day-to-day operations.

In a web-enabled environment, businesses need to protect these systems from external malicious attackers who exploit security weaknesses to gain unauthorised access to systems and data. They also need protection from authorised internal users who escalate their assigned privilege levels within the application to perform actions beyond their assigned rights. Many organisations counter these threats only by preventing intrusion at the network layer. Such controls do not secure the application layer, which raises the question: once a user can reach a web application, what are they able to do?

Attackers follow the path of least resistance and a web application provides a much larger canvas for an attacker to work on. Not only could attackers access confidential information but they could also obtain some of the company’s intellectual property.

Loss of information could lead to customer distrust, undermining a reputation and tarnishing the corporate image. What can one do to minimise the risk of compromise through web applications?

Businesses should ensure that security processes are built into the software development life cycle for any developed applications and minimum security requirements should always feature in requirements specification documents used during system acquisition. In addition, a proper change and patch management process should be followed to ensure that, once a system is in place, the secure state is maintained. Raising awareness among your end user group and educating the respective IT teams is a must.

Incidents will happen and when they do, make sure that you are prepared. A proper incident management process can go a long way in this regard. However, the only way to know whether the preventive measures are good enough is to test them by performing periodic penetration testing and targeted web application security assessments.

There is no better way to assess your security effort than to ask an independent third party to simulate an attack and attempt to defeat the defences put in place in your web applications or underlying infrastructure.

The risk of malicious attack comes with any venture onto the web, no matter how small. The differentiator between a successful online presence and an unsuccessful one might come down to whether the business has identified, assessed and mitigated the web-related risks.

PwC provides penetration testing services and web-application security assessments as part of its advisory services portfolio to a wide range of clients in many business sectors. To further discuss these services or other cyber security matters, contact PwC on malta.technology@mt.pwc.com.
