The hazards associated with desktop and web-based apps are numerous. These include dangers including data loss, unauthorized access, malware and virus infections, and program outages. Each form of application, however, carries its own set of risks.
Desktop apps, for instance, are more susceptible to data loss than web-based ones. This is so that they won’t be lost if the user’s computer is broken or stolen because desktop apps are normally stored locally on the user’s machine. Contrarily, web-based apps are often saved on a remote server, making them less likely to be lost in the event of a computer malfunction.
Additionally, desktop programs are more susceptible to malware and viruses than web-based apps. This is due to the fact that desktop apps are frequently downloaded and installed on users’ computers, providing malware and viruses with an entry point for infection. On the other hand, web-based apps are often accessed through a web browser, which adds an extra layer of security against malware and viruses.
Hi Frank, great explanation around how desktop applications are more susceptible to malware and viruses. However, I would still want to highlight that, overall, web applications are more exposed to potential threats than desktop applications. Further, when all data is located in the cloud and accessible through a web application, the risk of significant information leaks increases.
Both desktop and web-based applications are vulnerable to access control flaws, buffer overflows and SQL injection attacks. The main reason that makes the system vulnerable to these vulnerabilities is input validation. When input validation is not maintained properly in the applications, it leads to a successful attack, and the attacker can steal information, disrupt service or delete the information.
Script injection and XSS attacks occur only on web-based applications, in which the attacker is able to insert scripting commands into the client’s web request. As per SANS, almost all web pages exhibit some kind of XSS vulnerability.
SANS mentioned that it is possible to mitigate the risk to a great extent by employing good design principles.
Good point, also desktop programs are more susceptible to outages than web-based ones. This is due to the fact that desktop apps are frequently hosted on a single server, making them unavailable in the event of a server failure. On the other hand, web-based apps are frequently housed on numerous servers, so even if one of them fails, the program will still be accessible on the other servers.
Hi Frank, I agree with you that desktop applications are frequently hosted on a single server, but as per my experience and knowledge, organizations usually maintain HA and DR environments to maintain availability of the service to the users.
Application security is all about protection from external threats such as cyber criminals, who look to exploit vulnerabilities to gain access to restricted data and networks. Desktop or Web Applications that are compromised can threaten our personal information or sensitive business data, causing loss of money, time, customers, reputation and more. The purpose of securing desktop and web applications is to protect them against such types of security risks.
Man-in-the-middle, XSS and DDoS are the most common attacks (yet unique to desktop application risks) performed on web applications for data breach or even crashing the application completely. Viruses or malware are the most common risks to desktop applications. They can come through flaws in the program’s design, through an infected device or even by downloading or accessing something infected on the internet.
Moreover, in case of a theft of device where the application is installed, there is a chance of completely losing the data. Whereas in case of web application, there is still a hope of data retrieval.
Hi Aayush, the point that malware could spread through downloading an infected file from the internet highlights the importance of not just a secure application but also a secure and trusted source of the application. Thanks for bringing that up!
Good point Aayush! In addition to protecting desktop and web applications from security risks, viruses and malware are the most prevalent since they are built into programs when you access or download something from the internet that is infected. Once on your computer, these can spread swiftly to your apps and across your network.
Common/shared risks –
Both are vulnerable to access misconfigurations, insecure program libraries and codes, buffer overflow attack, race conditions, data leakage.
Different/unique risks –
A desktop application is more vulnerable to hardware or operating system failures rendering the application unavailable, whereas a web-based application can be built to have resiliency. The program is not entirely unavailable if the end-user’s desktop suffers a hardware failure.
Desktop applications are unlikely to be impacted by network problems such as performance degradation, downtimes, insufficient capacity. These problems however have an impact on web applications.
Desktop applications are not exposed to network based application attacks such as XSS, CSRF, injection attacks, etc. They are also not impacted by DNS spoofing, DDoS, typo squatting and MITM attacks.
Hi Nishant,
Thank you for mentioning the network problems which affect the performance of web applications.
Some of the common or shared risks faced by desktop applications versus web-based applications are exposures through access control and probable manipulation. They are both also susceptible to data breaches from hackers. SANS explains that various weaknesses in the security infrastructure include race situations, format strings, buffer overflows, SQL injections, script injection, and access control. Desktop applications are subject to several distinct or particular hazards, including those posed by viruses, malware, and infection vulnerabilities.
For instance, viruses and malware are the most prevalent since they are built into programs when you access or download something from the internet that is infected. Once on your computer, these can spread swiftly to your apps and across your network. On the other hand, because they are less secure and open to everyone via the internet, web-based apps are considerably more exposed to possible risks. Since every business done online runs the risk of a security breach, it is a fact that many web app sites receive a lot of traffic on a regular basis. It is unknown, however, whether the vendor has the right security measures in place.
HI Maryln,
I like the example you provided about viruses and malware. I think it explained the difference between desktop and web applications very well. Is it extremely pertinent to remember that when applications are put on your computer, information can be spread across the network.
A web-based applications service is a program configured and installed on a remote server, whose services can be availed using a browser and network access. A desktop application on the other hand is a software program created to run on a computer system with and without internet access.
Web-based applications offer the advantage of cross-platform compatibility and there is no need for downloading and installation. Desktop applications are beneficial in terms cost-efficiency and better privacy.
Shared/common risks between web-based applications and desktop applications
Both can have human errors and access control errors
Unique web-based applications risks
Man-in-the-middle attacks, XSS, DDoS, and SQL injection, format strings, buffer overflows
Risks unique to desktop application
Malware and viruses
Hi Shadrack,
Desktop applications are also at risk of buffer overflows. In addition, desktop applications are limited by the configuration of the hardware. If the personal electronic device is stolen, the data stored in the desktop application will be at risk of being unable to be recovered.
Hi Wei! Thanks for emphasizing that desktop applications are also at risk of buffer overflows. A great practice to prevent this vulnerability will be to keep devices patched.
Both desktop and web applications have faced common/shared risks that include hacking, data breach, access control, buffer overflow, command injection, security misconfiguration, etc.
Desktop applications are exposed to security issues in the storage of data. The hardware storing the data (theft, damage, etc. physical security risks) or operating system failure means that the data is very difficult to recover. In addition, social engineering is also a source of risk. Crackers typically contact users by phone, claiming to be from IT departments or large IT companies, trying to gain access to users’ computers through remote desktop applications or by tricking users into downloading desktop malware that can bypass network security protocols.
Web-based applications are exposed to attacks such as XSS, CSRF, DNS spoofing, DDoS, and Man-in-the-middle (MITM). XSS can collect important data by injecting code into web server-side scripts / maliciously executing user-side scripts, etc. DoS attacks and DDoS attacks can cause web servers to become overwhelmed and crash, and then users would struggle in the situation that the network and website cannot be used.
Desktop applications are computer programs, such as Microsoft Word and Excel, that run locally on computer devices such as a desktop or laptop. Web-based applications require an Internet connection to work correctly.
Both desktop applications and Web-based applications are at risk of access control and buffer overflow attacks. Web-based applications are at risk of network disconnection due to limited network connections. Desktop applications are limited by the hardware requirements of the device on which they run. Some applications may require more stringent hardware configuration to download. In addition, desktop applications are more vulnerable to viruses because they download software locally. Desktop applications also need to be updated or upgraded or face the risk of bugs, whereas web-logged applications do not have this concern.
Hi Wei,
As you mentioned, one of the differences between desktop applications and web-based applications is whether information resources are shared, which directly affects their unique risks respectively. Thus, hardware security and network stability are indeed significant security risks.
Desktop Application:
Any software that may be installed on a single computer (laptop or desktop) and used to carry out certain duties is referred to as a desktop application. In a networked setting, several users can also use some desktop apps. However, due to portability issues and superior usability features, web application development soon began to replace desktop programs.
Web-based Applications:
Web browsers are typically used as the client interface for client-server architecture web application development. This is one of the factors contributing to the widespread popularity of web applications. Although online applications have a modest edge over desktop applications, desktop applications have a very slim possibility of becoming obsolete.
Maintenance: Web-based apps only require a single installation, whereas desktop applications require separate installations on each machine. Additionally, updating desktop apps is difficult because it must be done on each and every computer, which is not the case with online applications.
Security: Compared to desktop programs, web apps are more vulnerable to security issues. The independent programs can be completely under your control and secured against numerous weaknesses. This might not be the case with web applications because they are accessible to a huge number of Internet users, increasing the threat.
Shared risks:
– Buffer overflow
– SQL injection
– Access control flaws
Unique for desktop apps:
– Command/shell injection
Unique for web-based apps:
– XML injection
In general, desktop applications that are not connected to the Internet are the safest, as long as the physical security is maintained and the software is patched regularly.
XML injection allows an attacker to interfere with an application’s processing of XML data. XML vulnerabilities occur because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.
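The last point above (standard parsers honour DTD features the application never asked for) can be seen directly with Python's standard library. The following is an added example, not code from any poster in this thread: `default_parse` uses `xml.etree.ElementTree` as shipped, which expands an entity declared in an inline DOCTYPE, while `hardened_parse` drives `pyexpat` with handlers that reject any DOCTYPE or entity declaration before anything is expanded. The "order" message and its DTD-carrying variant are constructed sample inputs.

```python
"""Hardened XML parsing: reject DTD features the application never needs."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample input (not from the discussion): an "order" message the
# application expects, followed by the same message carrying an inline DTD.
PLAIN_ORDER = b"<order><item>widget</item><qty>3</qty></order>"
# The inline DOCTYPE declares an internal entity; a standard parser expands it
# even though the application never asked for entity support.
ORDER_WITH_DTD = (
    b'<!DOCTYPE order [<!ENTITY who "alice">]>'
    b"<order><item>widget</item><qty>3</qty><buyer>&who;</buyer></order>"
)


class ForbiddenXMLFeature(ValueError):
    """Raised when a document uses a DTD feature we do not accept."""


def default_parse(data: bytes) -> dict:
    """Standard-library parse with default settings: the DTD is honoured."""
    root = ET.fromstring(data)
    return {child.tag: child.text for child in root}


def hardened_parse(data: bytes) -> dict:
    """Parse with expat but refuse any DOCTYPE / entity declaration.

    A pyexpat handler that raises stops the parse and the exception
    propagates out of Parse(), so the document is rejected before any
    entity could be expanded. Only direct children of the root element
    are collected, which is all this constructed message format needs.
    """
    parser = expat.ParserCreate()
    fields: dict = {}
    path: list = []

    def forbid(*_args):
        raise ForbiddenXMLFeature("DOCTYPE/entity declarations are not accepted")

    def start(tag, _attrs):
        path.append(tag)
        if len(path) == 2:  # direct child of the root element
            fields[tag] = ""

    def end(_tag):
        path.pop()

    def chars(text):
        if len(path) == 2:  # text may arrive in several chunks; concatenate
            fields[path[-1]] += text

    parser.StartDoctypeDeclHandler = forbid       # reject <!DOCTYPE ...> outright
    parser.EntityDeclHandler = forbid             # belt and braces: reject <!ENTITY ...>
    parser.ExternalEntityRefHandler = lambda *_a: 0  # never fetch external entities
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return fields


def compare() -> dict:
    """Run both parsers over the constructed samples and report the outcome."""
    out = {
        "default_plain": default_parse(PLAIN_ORDER),
        "default_dtd": default_parse(ORDER_WITH_DTD),
        "hardened_plain": hardened_parse(PLAIN_ORDER),
    }
    try:
        hardened_parse(ORDER_WITH_DTD)
        out["hardened_dtd"] = "accepted"
    except ForbiddenXMLFeature as exc:
        out["hardened_dtd"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

The same idea (forbid DTDs, entities and external entity fetches) is what the `defusedxml` package applies to every stdlib XML parser, which is the simpler route in real projects.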
https://www.darkreading.com/application-security/misconfigurations-vulnerabilities-found-in-95-of-applications
Almost all applications these days have at least one vulnerability or misconfiguration that affects security. While many of the misconfigurations and vulnerabilities are considered to be of medium severity or less, at least 25% are rated highly or critically severe. “This really just points out that, [while] organizations may be doing a good job performing static scans to lower the number of coding vulnerabilities, they are not taking configuration into account, as it may be more difficult.” The data argues for the benefits of using multiple tools to analyze software for vulnerabilities and misconfigurations. Synopsys released data from a variety of different tests, with each having similar top offenders. Weak configurations of encryption technology — namely, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) — topped the charts for static, dynamic, and mobile application security tests, for example. Static and dynamic testing as well as software composition analysis (SCA) all have advantages and should be used together to have the highest chance to detect potential misconfigurations and vulnerabilities, says Synopsys’s Kelly. “These types of issues can be found in the early stages of the software development lifecycle (SDLC), such as the development and DevOps phases, which reduces the number that make it into production,” he says.
Hi Asha,
Thanks for sharing information about misconfiguration vulnerabilities.