David Vanaman says
The biggest risk that web apps have over desktop apps is exposure. Web apps are put out on the internet where literally millions of people can access them 24/7. An attacker can have nearly unlimited attempts to attack a web application.
A desktop app, on the other hand is exposed in a way that a web app isn’t. Unlike the web app, it is only available to those that have access to the machine, but those that have access can see files and data that would be hidden deep inside the server of a web app. A desktop app can be copied and inspected with tools to deconstruct it.
Kenneth Saltisky says
Hi David,
I agree that exposure is the biggest risk as desktop applications do not necessarily have an internet connection to the outside world while web apps are available on the internet. On the contrary, however, the potential for offline attacks against a desktop application is also apparent as there is less potential for these attacks to be handled or detected in some way.
Nicholas Foster says
A commonality that comes to mind with desktop and web app risks is vulnerabilities. Both desktop apps and web apps are susceptible to vulnerabilities and therefore require patches. While web apps may face more vulnerabilities due to their presence on the World Wide Web, desktop apps too require patching, some more frequently than others depending on the nature/severity of the app. Another commonality that comes to mind is integrity. Desktops obviously have app integrity, where you could compare the hash of the files. For web apps, URL integrity is just as important. With threat actors leveraging human error, typosquatting is a real issue. Some sites can look/feel identical to the real thing. A login page could virtually mirror your target app and, once keyed in, credentials are captured and sold or used maliciously. Something they differ in when it comes to risk is internet connectivity. Now this is obviously not the case for all desktop apps, but there are plenty of desktop apps that don’t require internet connectivity, whereas a web app will obviously need internet connectivity.
Jill Brummer says
I like that you addressed patching as a risk to both desktop applications and web applications. I have seen both sides, where web application patching is typically out of the control of the company and is on a scheduled date or timeframe, and you, the user, don’t have a choice. If not planned well, this can be a risk of not having resources available to do testing, if applicable, prior to the patch getting pushed to all users. For desktop apps, when the company is in control of when patches will be pushed, sometimes the urgency isn’t there and patches aren’t done in a timely manner.
Abayomi Aiyedebinu says
Hi Nicholas,
I agree with you that a commonality between Web Apps and Desktop Apps is their susceptibility to vulnerabilities, and having a good patch management system in place is the best way to reduce risk.
David Vanaman says
You bring up a good point with patching, though one thing I would call out is that for a web app it is generally faster and simpler to push a patch out, especially if you control the server it is hosted on. A hosted app can be patched behind the scenes and the users never notice. A desktop app needs to make a connection and get user approval before a patch can be applied, which is often disruptive to the user and can be put off or ignored.
Jill Brummer says
Some common and shared risks with desktop applications and web applications are the following:
a. Data validation
b. Entry points for attackers
c. Common vulnerability: buffer overflow (memory does not have adequate size/space)
d. Security
Some differences and unique risks are the following:
Desktop application risks:
a. Security – network access (management of provisioning and deprovisioning access)
b. May require specific operating system
c. Not manageable without network/remote access
d. More maintenance time by in-house IT department
e. Different risks/vulnerabilities (malware, viruses, etc.)
f. Patching – timing is controlled by the company of when patches will be pushed, which in turn heavily relies on the IT department to keep up with timely patching
Web application risks:
a. Cross-site scripting
b. Security – no network access needed because can access directly from web; provisioning/deprovisioning process is even more important
c. Typically don’t need a specific operating system
d. Manageable with internet access
e. New risks/vulnerabilities with web applications (SQL injections)
f. Patching – timing can’t be controlled (if vendor pushes a patch, they typically give a timeframe or exact date the patch will be pushed)
Shepherd Shenjere says
Hello Jill,
I agree with you. Desktop applications require much more maintenance depending on how the end-users are operating them.
Abayomi Aiyedebinu says
Desktop and web applications are subject to a host of security risks. Viruses and malware are among the most common risks to desktop apps. They can come in through flaws in the program’s design, through an infected peripheral device or even by downloading or accessing something infected on the internet. Once inside your computer, these can spread quickly to your apps and throughout your network.
Web application vulnerabilities involve a system flaw or weakness in a web-based application. They arise because web applications need to interact with multiple users across multiple networks, and that level of accessibility is easily taken advantage of by hackers. Common types of web application vulnerabilities include SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Session Fixation, Local File Inclusion (LFI), Security Misconfigurations, etc.
Matthew Stasiak says
Both of them are vulnerable to injection-based attacks such as root kits and boot kits for desktop applications and SQL injections for web applications. Each application is unique due to its underlying framework, which also presents its own risks such as scale of impact or code-specific vulnerabilities. Web-based apps can potentially impact a large group of users based on a single attack, while a desktop app attack can be isolated to a single user.
Shepherd Shenjere says
Hello Matthew,
I like your point about how web-based applications can potentially affect a group of users. If a company website is compromised, it means many users won’t be able to perform their daily tasks.
Parmita Patel says
Desktop applications can be used on standalone machines, and because of the internet and commerce, web applications became important. Desktop applications can be used for media players and word processors, while web applications can be used for shopping. Some of the common risks are that they could be affected by attackers and have vulnerabilities. For the desktop it could be attacking a single user at a time, but for web-based, depending on the information you input, it could attack multiple users at a time. You can have more control over a standalone desktop, but that may not be the case in a web-based application. In a web-based application there is more maintenance from time to time, while for desktop-based there is a one-time purchase and if something were to go wrong.
Maxwell ODonnell says
Hi Parmita,
I like that you pointed out that attacks on web-based applications can have multiple targets. Due to this, I believe there is also greater risk associated with web-based applications given the attacker’s reach in the event of a successful attack.
Shepherd Shenjere says
Common shared risks between desktop applications and web-based applications include access control, buffer overflow attacks, security misconfiguration, SQL Injection, etc.
Risks faced by desktop applications that are unique from web-based applications include security issues with data storage, operating system failures and hardware.
Risks faced by web-based applications that are unique from desktop applications include XSS injection and script injection.
David Vanaman says
While more common on web-based apps, XSS and injection-type attacks are possible on desktop apps as well. Anything with an input box that interfaces with data storage is potentially susceptible if input is not properly sanitized and parameterized.
Kenneth Saltisky says
One common shared risk is access control flaws. Inadequate input validation can occur on both desktop and web apps if they fail to properly sanitize user input and, as such, can result in unsupported characters or potential SQL manipulation.
One risk specific to web applications is cross-site scripting, as an adversary injects malicious code into a web application to create a cross-site scripting attack. Also, desktop applications do not necessarily need an internet connection to work and, as such, can be subject to other forms of offline attacks on an application.
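The "sanitized and parameterized" point David makes and the "SQL manipulation" Kenneth describes, shown side by side as an added example (not code from any post in this thread): the same lookup written with string concatenation and with a bound parameter. It assumes an in-memory SQLite table standing in for a desktop app's local data store; the table and rows are constructed.

```python
"""One user lookup, written two ways: concatenated SQL versus a bound parameter.

Added example, not from the discussion thread. The in-memory SQLite table
stands in for the local data store behind a desktop app's input box.
"""
import sqlite3


def make_db():
    """Constructed user table; note the legitimate name containing an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    """Vulnerable form: the input becomes part of the SQL text, so quote
    characters and SQL operators in it change the query's shape."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the driver binds the input as a value; whatever it
    contains, the query stays 'rows whose username equals this string'."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def run_lookups():
    """Run both forms on a normal name, a name with an apostrophe, and an
    input holding a quote plus an OR clause (should match nothing)."""
    conn = make_db()
    inputs = {"normal": "alice", "apostrophe": "o'brien", "odd": "x' OR 'a'='a"}
    results = {}
    for label, value in inputs.items():
        try:
            results["concat_" + label] = lookup_concat(conn, value)
        except sqlite3.Error:
            # The apostrophe in a legitimate name already breaks the query:
            # concatenation fails on honest input, not only on hostile input.
            results["concat_" + label] = "error"
        results["param_" + label] = lookup_parameterized(conn, value)
    return results


if __name__ == "__main__":
    for k, v in run_lookups().items():
        print(k, v)
```

The concatenated query returns every row for the odd input and errors on a real name with an apostrophe, while the parameterized query returns exactly the matching row in each case; this holds for the same code whether the input box belongs to a web form or a desktop window.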
Maxwell ODonnell says
The biggest difference between the two is their levels of exposure. Web-based applications are internet-facing, allowing anyone on the internet to launch an attack and potentially compromise a website given its vulnerabilities. A desktop app on the other hand is only to be accessed via more manageable channels given login/admin credentials or physical access. This doesn’t completely mitigate risk but makes it much more difficult to gain access.
Both types of applications are weak to injection techniques like a buffer overflow attack. Basically, an attacker injects input data too big for the application to store in allocated memory, which ends up overwriting memory in other parts of the program. However, there are some application-dependent attacks like an XML injection attack. This is because this type of attack focuses on the XML of a web application. Malware is a desktop app attack: given these applications are stored locally, malicious code can be installed and run without the user knowing.
Samuel Omotosho says
Computer security protects computer systems and networks from information disclosure and security risk. The two main applications involved are desktop software and web applications. A desktop application is a piece of software designed to work with and without a browser on a computer system. Users must download and install them on the computer before using them. An application set up and installed on a remote server whose service can be accessed through a browser and network connection is a web application or web service. These programs are designed to run in browsers and do not need to be installed on the computer.
The web application speed may be slower than the desktop because internet outages can easily impair performance. Additionally, the browser only receives a portion of the machine’s processing power; if it has a low amount, then the web-based application will process slowly (Hamoda, 2022). On the other hand, web apps are frequently subjected to XSS attacks, DDoS attacks, and SQL injection to crash and compromise user privacy. As a result, the user must verify the security protocols a given solution uses; otherwise, data may easily be compromised. In order to deploy its required packages and related files, the desktop application requires more space in the hard disk and causes the system to load (Hamoda, 2022). In addition, if the drive installed is too small, the user may need to upgrade it to a larger capacity, raising the maintenance cost.