The business impacts of insecure software

When we talk about information security, we are mostly concerned with IT-infrastructure security: about 90 per cent of our budget goes into firewalls and intrusion detection or prevention devices, and then we implement security policies.

Most of us overlook the software we use. It can also be the point of attack, or even a tool for attackers. Insecure Web-application software exposed on the Internet may create vulnerabilities that threat agents welcome: they attack your site, exploit your information and impact your business.

The Open Web Application Security Project (OWASP) (www.owasp.org) maintains a top 10 list of application security risks, identifying the most serious risks for a broad array of organisations. This article takes the top 3 risks on that list to explain the attack methods employed and the possible resulting business impacts.

At the top of the list is injection. Attackers send simple text that exploits the syntax of a targeted interpreter, such as SQL queries or OS commands on the servers. Consider the business value of the affected data: all of it may be stolen, modified or deleted, which can damage your reputation. To prevent injection, your software must keep untrusted data separate from commands and queries.

The second security risk is cross-site scripting (XSS). Instead of sending text-based scripts to attack the server, attackers exploit the interpreter in the browser in order to execute scripts in a victim's browser: to hijack user sessions, redirect users, send user information to other sites, and so on. Consider how this risk could impact the business value of the affected system and all the data it processes, and also the business impact of public exposure of the vulnerability. To prevent XSS, you have to ensure that your software keeps untrusted data separate from active browser content.
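Both of the preventions above come down to the same rule: untrusted input must never be able to change the syntax of the command, query or page it ends up in. The following added example (not part of the original article) shows a lookup that pastes input into a SQL string beside one that binds it as a parameter, and a page fragment that drops input into HTML beside one that escapes it; the table contents and the probe input are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: a small in-memory user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input becomes part of the query text, so it can alter
    # the SQL syntax instead of being treated as a plain value.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, name):
    # A bound parameter is always a value; the query syntax is fixed.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def render_vulnerable(name):
    # Untrusted text placed directly into HTML becomes active content.
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    # Escaping turns markup characters into inert text for the browser.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    # Constructed probe: one input that is only a name, one that carries
    # SQL syntax, one that carries HTML markup.
    conn = make_db()
    probe_sql = "x' OR '1'='1"
    probe_html = "<script>alert(1)</script>"
    return {
        "vulnerable_lookup": lookup_vulnerable(conn, probe_sql),
        "safe_lookup": lookup_safe(conn, probe_sql),
        "vulnerable_render": render_vulnerable(probe_html),
        "safe_render": render_safe(probe_html),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable lookup returns every user for the probe input while the parameterised one returns nothing, and the escaped page shows the probe as literal text rather than executing it.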

The third risk is broken authentication and session management. Attackers use leaks or flaws in the authentication or session-management functions, such as exposed accounts, passwords or session IDs, to impersonate users. Such flaws may allow some or even all accounts to be attacked.

Once successful, the attacker can do anything the victim can do, and privileged accounts are frequently targeted. This risk could impact your business in the same way as cross-site scripting. To prevent attackers from using this technique, the developers of the software must use a single set of strong authentication and session-management controls, and must also make strong efforts to avoid cross-site scripting flaws, which can be used to steal session IDs.

The top 3 risks are attacks at the application level, where security devices such as firewalls or intrusion detection and prevention systems cannot offer protection, or even detect or identify threats to the system. Developers should learn about these risks and prevent exposure at the point of software development. Executives should also start thinking about how to manage the risks that software applications purchased from vendors can create in their enterprises.

Narudom Roongsiriwong is a certified information security-systems professional who is senior architect at security printing firm Chanwanich and a member of the OWASP Thailand Chapter.