Web application security is a topic which is often talked about, but sacrificed during the course of software development. With deadlines and budgets to meet, many software development companies are forced to cut corners, and web application security is the first casualty.
Do you really need to be worried about security?
Most business owners also often do not give enough attention to this detail, preferring to focus on features and interface, as they are the tangible outputs that can be marketed or sold. The most common beliefs that lead business owners into such decisions are:
We're too small for them to notice us.
We will do it later.
We will buy an SSL Certificate and everything will be secure.
We are using this popular software - thousands of people use it, so it must be safe, right?
Hackers are too clever, there's nothing we can do about it.
Most hackers use automated tools to find vulnerable sites
Most hackers these days use automated tools to search for and exploit common weaknesses (called vulnerabilities) in a website. The scanning and target selection in this case are random and en masse rather than specific, so if your website or application is on the internet, you are a potential target. The scanning tool won't discriminate between a large and a small business.
Application security is a habit, not an afterthought
To make an application secure, due care needs to be given to it during the development phase itself, because unless secure coding is followed as a habit while developing, it becomes far more costly and cumbersome to plug the holes afterwards.
The chain is as strong as the weakest link
The most common technique of a hacker to defeat security measures is not to break them, but to circumvent them, or find another way in. The situation is comparable to installing a super safe lock on the front gate, while leaving a large rear window open. Application security cannot be achieved by installing or using a single product or piece of software. Application security is achieved through depth, or layers of defensive measures, to protect the site or the application from various situations and techniques. If one layer fails, or is weak, the entire application is threatened.
Do not have blind faith, investigate and be aware
Contrary to common belief, many well-known software products in the market, open source or otherwise, are routinely found to have security vulnerabilities, either in the basic installation or via the use of community-developed plugins and add-ons. While major software providers regularly release patches to protect against threats once they are discovered, many plugin authors do not, leaving vulnerable the users who blindly installed them to get a snazzy feature ready on their website in minutes.
Case in point: WordPress
WordPress is one of the most popular CMS software packages in the world, powering hundreds of thousands of websites. However, unless properly configured and updated regularly with the latest patches, most default WordPress installations are unsafe and can be easily broken into.
There are websites where known vulnerabilities of WordPress and its plugins are published to make people aware, e.g. https://wpvulndb.com/, but very few development companies or business owners follow these sites to update the installation and ensure that the add-on plugins are safe. They often take an install-and-forget approach, and this can be costly.
Case in point: Adobe's massive data leak
In October 2013, Adobe reported a massive user data leak, which affected about 38 million users, with the users' data dump being readily available on torrent sites. Initially, it was assumed that the leak was of encrypted user records, but it was discovered later that Adobe had made some basic cryptographic blunders, for example using un-salted password encryption to store the passwords, allowing many user passwords to be revealed. You can see a detailed analysis of the breach in this article by Naked Security.
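The damage an unsalted scheme does is easy to see in code. The following is an added illustration, not code from this article or from Adobe's systems: the user list is constructed, and `unsalted_digest` is a hypothetical stand-in (an unsalted SHA-256 hash rather than whatever cipher was actually used) that shares the property the article points to, namely that every user with the same password gets the same stored value, so one recovered password unlocks all of them at once. The hardened form beside it uses a random per-user salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library) and a constant-time comparison on login.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample credential store for the demonstration: three users,
# two of whom chose the same password. Not real data.
SAMPLE_USERS = {
    "alice": "correct horse battery",
    "bob": "Summer2013!",
    "carol": "correct horse battery",
}

PBKDF2_ITERATIONS = 200_000  # cost factor; tune to what the login server can afford


def unsalted_digest(password):
    """Deterministic, unsalted storage (hypothetical stand-in for the kind of scheme
    the article describes): identical passwords always produce identical stored
    values, so cracking one account's password reveals every account sharing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password, iterations=PBKDF2_ITERATIONS):
    """Random per-user salt plus a slow key-derivation function.
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password, record, iterations=PBKDF2_ITERATIONS):
    """Recompute the digest with the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def store_unsalted(users):
    return {name: unsalted_digest(pw) for name, pw in users.items()}


def store_salted(users):
    return {name: salted_record(pw) for name, pw in users.items()}


def shared_value_groups(store):
    """Number of stored values that belong to more than one user. Each such group is
    a set of accounts an attacker unlocks together once any one of them is cracked;
    a salted store should always report zero."""
    counts = Counter(store.values())
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    unsalted = store_unsalted(SAMPLE_USERS)
    salted = store_salted(SAMPLE_USERS)
    print("unsalted store, shared values:", shared_value_groups(unsalted))  # 1
    print("salted store, shared values:  ", shared_value_groups(salted))    # 0
    print("alice logs in:", verify_salted("correct horse battery", salted["alice"]))
```

With the unsalted store, alice and carol end up with byte-identical records, which is exactly the pattern that let analysts group the leaked Adobe accounts and recover passwords from a few known ones; with per-user salts every record is unique and each password has to be attacked individually at the full PBKDF2 cost.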