Imagine that a criminal has a choice to steal money from a vault in a small downtown shop or from a vault in the bank headquarters. Most criminals would go for the easy target. It is exactly the same for IT security. Websites and web applications are easy targets that often contain something that is worth stealing. And even if they do not contain anything valuable, they are like a bank customer service hall – an entry point to the vault.

Many systems that contain valuable information are internal systems. They are behind several firewalls and accessible only from within the company. Criminals can’t get to them easily. On the other hand, web applications are usually available publicly. Many companies do not realize that they need extra protection and care. This makes them a very lucrative and easy target so they are often the first thing that criminals try to get into.

Albert Feng

What are the main risks that businesses face when their web applications are targeted by criminals?

Risks associated with web presence compromise are exactly the same as in the case of any other cyber-attack. For example, if the web application processes financial information, criminals can use it to steal from the company or its customers. If not, criminals can first compromise the web application and then break into other systems.

Even if nothing is stolen, targeted businesses risk losing their reputation. If an attack is successful and public, the business may appear unsafe to its customers. This can happen for example if the website is defaced.

If criminals target the company’s customers, it’s even worse. Personal data from a compromised web application can be used for identity theft. Such indirect losses may have devastating effects on the business.

Some businesses opt for firewalls, SSL and hardened networks to prevent hackers from targeting their web applications. How effective are such tools?

Simply put, trying to protect your website using only a firewall, SSL and a hardened network is like making sure that your house door has five locks but leaving the window open. All these measures are very effective but against completely different types of attacks. Your business should certainly use them, but not only them.

Firewalls are tools that make it impossible for an attacker to connect to some of your internal services. Websites and web applications are available publicly. You cannot limit access to them, so a firewall is completely useless.

Hardened networks include systems that perform very specific functions. They are easier to secure against certain attacks. This may make it harder for an attacker to access other systems, but has no effect on the safety of a web application.

SSL/TLS makes your connections encrypted. It protects you against eavesdropping and forgery but it does not protect you at all against most web vulnerabilities.

Should web application security be integrated from the start?

Web application security should be treated as an integral part of every security policy straight from the start. This means that websites and web applications should be secured when they are being built not when they are published.


Some businesses believe that you can just verify the security of the website when it is up. If you find an error at that stage, it often takes days or weeks to correct the error. You must first develop the fix, then test it, then put it on a staging environment, and only then on your production system. During all that time, criminals may attack your assets.

You should integrate website security within your development lifecycle to protect your web application at an early stage. This will not only save you a lot of resources but greatly reduce risks. A security issue will never make it to a system that is actually vulnerable to attacks.

What advantages does a vulnerability scanner present?

A vulnerability scan secures your website or web application against known types of threats. Of course, there is always a risk that criminals will develop a method that is not yet known to any scanners.

If you have a web presence, you should treat a vulnerability scanner with as much importance as the antivirus. You should not perceive it just as an advantage, but as a necessity. Of course, everything that a vulnerability scanner does can be done manually but that would require a lot more resources and time.

What vulnerabilities would such a scanner target?

A web vulnerability scanner targets specific types of vulnerabilities. It is not a replacement for a firewall, an antivirus, a network vulnerability scanner, or an intrusion detection and prevention system. It complements the set – it detects critical issues that other systems will completely miss.

To protect your website or web application, a scanner must be able to scan web applications independent of the technologies that they use. It must also be very thorough. It cannot just check for most common errors but must also be able to verify indirect issues. This includes situations when a criminal leaves malicious code on your website and it affects users who visit the website later.

A very important aspect of any security system is not to trigger false alarms. If you keep getting false alarms, also called false positives, you lose trust in the system and become less wary. For example, imagine that you have a fire alarm test every day at your office. After a couple of weeks, when there is a real fire, you will not get out of the office in time.

What level of automation does a vulnerability scanner afford?

Again, the best way to answer this question is to compare a web vulnerability scanner to an antivirus. If you want to make sure that the computers in your company are safe, you could hire dozens of people. These employees would download virus signatures and manually test every file on every system. But why do that if it can be done automatically?

Many businesses still believe that the best way to protect against web threats is to hire penetration testers. They employ the testers to meticulously check every website and web application using tools such as Metasploit. A much better solution is to first use an automatic vulnerability scanner. This way, your security experts can focus on more important matters. If you do not feel completely secure with an automatic tool, they may do spot checks or double-check vulnerabilities that the scanner reports.

Does a vulnerability scanner also offer advantages within a blockchain environment?

Every couple of days we can read news about a cryptocurrency exchange that was broken into. With more and more people investing in cryptocurrencies, they become a very lucrative target. When blockchain becomes commonly used for other purposes, we can expect even more interest from criminals.

The blockchain technology itself is very safe because it is a cryptographic technology that is decentralised. That is why it is often called a digital fortress. As much as everyone wishes this were true, the fortress may have high walls and a moat but the bridge is unguarded and the gates are wide open.

The problem is that interfaces to that technology are often centralized. This makes them vulnerable to attacks. Most such interfaces are web interfaces and they are often not protected well enough. Therefore, if you have a blockchain-related website but you don’t check it for vulnerabilities, it is like leaving your downtown shop door open for the night. Even if there is nothing worth stealing, someone will most certainly enter it, party, and make a huge mess.

For more information visit
