I’m sorry to be the one to break this to you, but, well, your company network is compromised. I know, I know, you thought you had firewalls and antivirus and that Dropbox was blocked, but somehow the nasties got in. Unfortunately that also means that all the web apps you have behind your corporate firewall are, for all intents and purposes, now public.
Now you may not even be aware of the hacked state of the network you spend your nine to five hours in; many of these intrusions go entirely undetected. Even when they are detected, it’s the sort of thing that organisations like to keep pretty quiet, so unless you have an integral role in organisational security the chances are you’re never going to hear about 99% of these incidents. Rightly or wrongly, this gives people the warm and fuzzies: they feel safe and sound ensconced within the confines of their company network, believing that everything on the inside is super secure.
It’s a serious conundrum, this whole idea that just because something sits inside the corporate firewall it has achieved some sort of position of security greatness that allows people to take shortcuts on application security. The “private” network has become the security blanket of the web app world; yes, it will give you a warm glow having it present, but will it really keep the bad guys away? And for that matter, does the perception of security provided at the network perimeter lead developers to take shortcuts in the design of “internal” applications? I say it does – but it shouldn’t. Let me explain why.