Think about this: If organizations are employing a "defense-in-depth" approach to Web security, why are their Web servers still getting hacked? Most e-businesses place their Web servers inside a DMZ, a firewalled buffer zone between the untrusted Internet and trusted private network. Companies may even harden the Web server and monitor inbound packets with a network-based IDS. And yet, their Web site still gets defaced. What gives?
The answer is simple: Attackers don't target the strong points of the network; they go straight for the weakest link, which in many architectures is the Web app itself. Beyond the ever-present threat of Web defacements, unchecked vulnerabilities in Web servers such as Microsoft's IIS, Netscape's iPlanet and the open-source Apache are often exploited as a means of gaining access to higher-value assets inside the private network.
[ Read more ]
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.