With websites and now Web applications, there is no perimeter when it comes to security.
That’s the conclusion of a paper that will be delivered at the Black Hat USA 2010 conference this week by Neil Daswani, CTO and cofounder of Dasient.
Dasient makes what the company calls an Anti-Malvertising solution that monitors sites and applications for malware infestations in real time. Once discovered, the Dasient service then quarantines that malware to prevent it from spreading further.
According to Daswani, companies that build websites and Web applications are so dependent these days on third-party modules running on any number of servers distributed across the Web that there is no such thing as an actual perimeter to defend. Instead, a new approach to security at the application level is required to effectively defend companies from malware threats targeting applications and the sites they run on.
Managers of websites have been dealing with security issues related to third-party modules for a while. But the phenomenon is relatively new when it comes to borderless Web applications. As these applications become more integrated with other Web applications, the likelihood that security is going to be compromised increases exponentially.
According to a survey conducted by Dasient, security issues that IT organizations are trying to cope with include:
75 percent of websites rely on external JavaScript widgets.
42 percent of websites display external advertisements.
91 percent of websites are running at least one outdated Web application.
The issue that many IT organizations struggle with is that a huge percentage of the security budget is dedicated to securing the network perimeter, rather than securing the applications. The challenge, noted Daswani, is for IT organizations to realize that malware providers have shifted their primary focus away from the network perimeter and the Windows operating system in favor of Web applications that are easier to exploit.
And until developers make Web applications fundamentally more secure, Daswani notes that the massive amount of software running on websites and Web servers will become the primary means by which malware is distributed across the enterprise and the Web as a whole.