Web application contingency plans – the missing link in Web security?

Why are Web applications out of the loop when it comes to contingency planning? Look at any given security incident response or disaster recovery plan (assuming they even exist) and chances are business-critical Web applications and related systems are missing. At least that’s what I’m seeing.

So let me get this straight: Web applications are 1) front and center in most businesses’ Internet presence and IT operations, 2) often have multiple holes that can be exploited for ill-gotten gains, and 3) would likely impact the bottom line if they became unavailable for any given period of time. Yet network managers and security administrators continue to focus their efforts on the network infrastructure. If a breach occurs or an unplanned outage takes place, then by golly the network perimeter isn’t going anywhere. The VPN will stay live, critical internal servers will fail over as planned, and most certainly email’s not going away! Everything is good – well, almost everything.

But what about Web applications? With both external and internal components that would undoubtedly be affected during an incident or disaster, are we just going to cross that bridge when we get there? Some may rebut this statement by claiming “Our applications are hosted by a third party and they have a SAS 70 audit every year (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.