Web security oversights: Don’t overlook the “small” stuff
- Wednesday, July 14, 2010, 4:41
- Articles, Threat Research
I was reviewing the most recent SANS @RISK Consensus Security Vulnerability Alert and it reminded me of how easy it is to get caught up in the big stuff and overlook the seemingly innocuous when performing Web security assessments.
The @RISK alert lists 69 unique Web-related flaws across numerous platforms. The flaws run the gamut from cross-site scripting to SQL injection to directory traversal to local file inclusion. Sure, some – perhaps many – of these issues are likely not a big deal in the grand scheme of things. But do you know for sure?
One thing I’ve seen over the years is people performing – or scoping for – assessments of their main (often external-facing) Web sites and applications and stopping there. After all, the “less important” sites and applications don’t really house anything of value. Combine that with the fact that many of these systems are only accessible from the internal network, where, supposedly, no one is going to exploit them, and they never get looked at.
Don’t get me wrong. I’ll be the first guy to recommend that you focus on the most urgent vulnerabilities in your most important systems. Many organizations have yet to reach that level of security insight and maturity. And unless and until they do, focusing on the (continue reading...)