Despite the talent and hard work of today's Java developers, enterprise Web and mobile applications may not be as secure as they should be. More than ever before, Java developers are code ninjas and mobile application magicians. Java applications running on Android phones let us take care of our banking errands, wire money, send and receive emails, make purchases, keep tabs on our investments, schedule appointments, and even help us keep fit. We can run them just about anywhere. These apps are powerful and easy to use. They connect us to the world in ways that were impossible not so long ago.
Unfortunately, the developers that work so much power into such small devices may not be the best candidates for making sure that power stays in the right hands. According to Gardner's VP of security research, Ramon Krikken, enterprise application development could stand some improvement. He cites research from WhiteHat Security Inc. that implies it would take the banking industry (one of the most regulated and therefore best secured industries) over thirteen months to patch 90% of the flaws that exist in their applications.
Krikken suggests mitigating security risks with a Web app firewall (WAF):
A WAF is an appliance or server software add-on that can monitor and block traffic to and from applications. They have become common in many enterprises, especially those that must comply with the Payment Card Industry Data Security Standard (PCI DSS), which calls for either use of a WAF or frequent application code reviews.
“I’m usually the last one to recommend – if you have a problem – throwing a piece of technology at it or putting something in front of it and filtering it, because it’s a good idea to build secure applications right from the start,” Krikken said, “but you can’t do that with all applications.”
“I have an increasing number of customers starting to question whether putting a Web application firewall in front of an application to fix something is all that much worse than fixing the code.”
What do you think about securing Java Web applications. Is a WAF firewall appliance or add-on security server a valid strategy? Do developers need to bake security into Web applications? Is this potentially a growth area for new Web developers? Leave us a comment to let us know what you think.