Beware of security myths in web applications
Many myths, and even outright distortions, inhabit what one might call the corporate imagination about Internet security, increasing the incidence of vulnerabilities and weakening defenses against attacks. This happens because myths tend to minimize risk: they create a false sense of security, either through some new “miracle” technology or through a lack of visibility into the problem, and so companies lower their safeguards against threats that are very real.
It is fairly obvious that the Internet has become the main point of convergence for corporate systems, integrating transactions with partners, suppliers, customers and investors in a single electronic channel. According to the Pingdom website, Internet users worldwide totaled 2.4 billion in 2012.
With so many users relying on information systems over a public network, web application security has firmly established itself as one of the main items on the information security manager’s agenda. Given the current complexity of IT systems, including the spread of distributed computing in the cloud, “big data”, the composition of distributed services and the need to implement corporate governance, it is increasingly necessary to eliminate the myths that work against the successful protection of applications.
Below we list and describe the six most recurrent myths that distort the perception of security:
- The developer will always provide me with secure systems
Any web application, from the simplest chat service to a complex enterprise resource planning package, necessarily passes through the stages of development and maintenance. In these phases, the activities of creating and changing source code prioritize functional requirements and application performance. It is a myth to think that developers spend all their time producing source code free of security flaws. Many flaws would be resolved if the web application were tested properly during these stages, or at least before being put into production.
- Only specialists know how to exploit vulnerabilities in Web Application
With the wide range of sites that publish open source tools for testing vulnerabilities, any user with a computer connected to the Internet is a potential threat vector. Attacks nowadays require less technical knowledge, because much of their complexity is hidden by sophisticated tools that automatically carry out step-by-step instructions to exploit a security flaw. To think that you are protected by obscurity, or by a lack of public knowledge about the vulnerability, is a serious mistake.
- Flaws in internal applications are not so important
In a recent study conducted by Carnegie Mellon University in conjunction with the Department of Homeland Security, researchers found that internal attacks are the most successful ones in the financial sector. In most of the cases studied, the time to initial detection of internal fraud exceeded 32 months. Over-reliance on the internal environment makes people less conscious of danger, and applications are developed with less secure methods, either using inadequate controls or showing little interest in eliminating vulnerabilities. Remember: internal applications are the ones that store the most valuable business data, and they are the most exposed to disgruntled employees, service providers or even criminals who have infiltrated the corporation.
- Firewall protects us from all external attacks
Even though firewalls reached commercial maturity in the late 1990s, they have not stopped the worldwide growth in attack statistics. Obviously, something is wrong with this defense strategy. Perimeter protection technologies are essential to any security management strategy; after all, they are the foundation of a layered defense plan. On the other hand, attacks are increasingly aimed at business functionality, masquerading as legitimate transactions whose final goal is to exploit a particular vulnerability in the application. Because such traffic passes through the perimeter like any other, the belief that the firewall alone protects the application is a myth that remains widespread in corporations.
- Hacking-proof seals shield your site
Although security seals have played a role in bringing the discussion of web application protection to every layer of the company’s business, they have often been used as a substitute for the deeper work of correcting application vulnerabilities. “Shield” seals against attacks end up having the same effect as a “beware of dog” sign at the door of your home. This myth must be countered with continuous follow-up over the application life cycle, including periodic security testing of business functionality, in order to achieve real protection for your web applications.
- My website is secure because it uses SSL and data encryption
This myth is one of the most frequent in corporate business areas. Data encryption, SSL or the “safety lock” shown in your browser only ensure that data travels between the application and the web browser with a low risk of being intercepted. The real trouble spot is what the application or the user does with the data after it has been transmitted, and against that risk the “lock” offers no protection at all. As with the myth mentioned earlier, the only effective way to protect your web application is to detect and correct vulnerabilities before some malicious user decides to take advantage of them.
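The two myths above (the firewall and the SSL “lock”) share one root: a request that exploits an application flaw looks, at the perimeter and on the wire, exactly like a legitimate one. The following is an added illustration, not code from the article or from N-Stalker. It assumes a hypothetical account-lookup handler backed by SQLite with a constructed two-row user table, a toy perimeter check that only inspects port and HTTP method (standing in for a network firewall), and two constructed requests. Both requests pass the perimeter check, and TLS would carry both unchanged; only the way the handler treats the field decides whether the second one leaks every row.

```python
import sqlite3

# Constructed sample data for the demo (not from the article).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Two constructed requests as they would arrive after TLS decryption.
# Both are well-formed HTTPS POSTs on port 443; the second carries a
# classic injection string in the "name" field.
BENIGN_REQUEST = {"port": 443, "method": "POST", "fields": {"name": "alice"}}
HOSTILE_REQUEST = {"port": 443, "method": "POST", "fields": {"name": "x' OR '1'='1"}}


def perimeter_allows(req):
    """Toy stand-in for a network firewall: it sees only port and method.

    Hypothetical rule set; a real firewall has no view of the SQL the
    application will build from the request body.
    """
    return req["port"] == 443 and req["method"] in {"GET", "POST"}


def make_db():
    """Build an in-memory user table from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_email_vulnerable(conn, name):
    """Hypothetical vulnerable handler: splices the request field into SQL.

    The input was encrypted in transit, but once decrypted it is treated
    as code, so a crafted value changes the query's meaning.
    """
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_email_hardened(conn, name):
    """Same handler with a parameterised query: the input stays data."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,)).fetchall()]


def run_demo():
    """Push both requests through the perimeter check and both handlers."""
    conn = make_db()
    results = {}
    for label, req in (("benign", BENIGN_REQUEST), ("hostile", HOSTILE_REQUEST)):
        name = req["fields"]["name"]
        results[label] = {
            "perimeter_allows": perimeter_allows(req),
            "vulnerable": lookup_email_vulnerable(conn, name),
            "hardened": lookup_email_hardened(conn, name),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

Running it shows the perimeter check passing both requests, the vulnerable handler returning both stored e-mail addresses for the hostile input, and the hardened handler returning nothing for it. Neither the firewall nor transport encryption changed that outcome; only the handler did, which is the point the two myths miss.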
Knowing the main security myths and understanding the impact of ignoring them are already quite effective tools for preventing attacks on web applications. With that knowledge we can adopt a more proactive and less reactive attitude, combining technology and methodology to protect these systems. And keep in mind that information security is a transitory state, which can only be maintained through the continuity of processes and activities that keep protection at appropriate levels, whether for a small business or a large corporation.
Thiago Zaninotti, CISSP-ISSAP, CSSLP, CISM, holds a master’s degree in computer engineering from the Technological Research Institute of São Paulo (IPT), and is founder and CTO of N-Stalker.