Andrew Young says
For a shared risk, both desktop and web-based applications can be vulnerable to injection-based threats. Specifically, script injection in desktop applications can be used to interrupt or modify the purpose of an application, amongst other possibly malicious activities. Similarly, XML and SQL injection attacks can compromise data transfer or even allow attackers to access and view data maintained by the application exchanges for their own use.
Conversely, the nature of desktop vs. web applications inherently creates a difference of offline vs. online access, as the name implies. Desktop applications, for the most part, can be used offline with no need for an internet connection, and as such, risks posed by the attacks themselves may be far more localized to the user or application that has been compromised, be that via malware, spyware, etc. Online applications, on the other hand, are theoretically only privy to the information in the web session itself and do not have broader access to things such as encrypted data on a local device. This leads to different methods of attack, such as phishing, website redirects, scareware and keylogging.
Jeffrey Sullivan says
XML, SQL injection attacks, etc. are all new terminology to me; I never really knew the risk involved in them until I read more in the SANS readings this week. What stood out for me, coming from an admin background, was who is accessing what and how that is controlled. Like you pointed out, though, a lot of it is contingent on a reliable internet source, and both come with different forms of risk that all come down to user knowledge.
Erskine Payton says
In harmony with Jeff, XML and SQL injection attacks are new to me and have forced me to go research what they are and understand how they can cause harm in both desktop and web-based applications.
I can get paranoid, so I do a lot of my work locally, saving my data to my local drive. So I am partial to working offline because of security reasons, but in recent years I have been somewhat forced to the cloud as I have had my drives fail. Thank you for the detailed review.
Ikenna Alajemba says
It’s essential to examine, dissect and comprehend the prevalent risks common to both desktop and web-based applications, as well as the divergent and unique challenges each type of application experiences.
While both platforms share certain risks, such as susceptibility to malicious software attacks, data breaches, usability issues, and potential for user error, they also encounter separate, individual risks.
Desktop applications operate in a more isolated environment, making security breaches less likely, but are at a higher risk for hardware compatibility issues and difficulties with software updates. Moreover, the lack of centralized control could cause incongruities among users.
Web-based applications, on the flip side, grapple with difficulties linked to Internet connectivity. They also face a greater threat in terms of network security due to their reliance on the Internet, making them an easier target for cyber threats from all over the world. Again, web-based applications grapple with risks such as server downtime, cross-browser compatibility issues, and the inherent vulnerability to web-based threats like cross-site scripting or SQL injection attacks.
Andrew Young says
Good point about desktop apps. While not always the case, I generally operate on the premise that desktop apps that are downloaded pose more of an “offline” risk to the device. That is to say, as long as the device has power, they may be able to cause issues for the user regardless of whether they are connected to the internet or not. This is a big issue, since at that point the only way to mitigate or negate the risk would be to either completely wipe the device or never use it again following its infection by the malware or virus.
Chidi Okafor says
Ikenna, your description is definitely well-rounded. Desktop applications, operating in a relatively isolated environment, indeed face reduced susceptibility to security breaches. On the other hand, web-based applications confront issues tied to Internet connectivity, exposing them to a heightened risk of network security threats. The dependence on the Internet makes them more susceptible to cyber threats.
Michael Obiukwu says
Ikenna,
In the context of this discourse, I would opine that the examination, dissection, and comprehension of risks inherent to both desktop and web-based applications is an essential endeavor due to the disparate and unique challenges each one experiences. While both platforms share common risks, such as susceptibility to malicious software attacks, data breaches, usability problems, and the potential for user errors, they also face individual, platform-specific risks.
Desktop applications are characterized by operating in a more isolated environment, which decreases the likelihood of security breaches. However, they grapple with issues associated with hardware compatibility and software updates, while the lack of centralized control could foster user incongruities. Conversely, web-based applications are burdened with the task of Internet connectivity, resulting in a plethora of network security threats due to their reliance on the Internet, which makes them an attractive target for cybercriminals globally.
Furthermore, web-based applications encounter unique risks that include server downtime, cross-browser compatibility, and an increased vulnerability to web-based threats such as cross-site scripting or SQL injection attacks. Both desktop and web-based applications come with their own sets of challenges and opportunities. Identifying and understanding these risks contributes to making informed decisions about application deployment strategies, which can effectively manage and reduce risks associated with their use.
Alyanna Inocentes says
Desktop and web-based applications share common risks such as security vulnerabilities, data breaches, and user authentication concerns. Both face challenges related to input validation, privacy, quality assurance, and compliance. However, desktop applications may encounter specific issues with deployment, updates, compatibility, and installation security. On the other hand, web-based applications contend with cross-browser compatibility, network dependency, client-side security, browser policies, and scalability challenges. Developers must address these shared and unique risks through robust security measures, thorough testing, and adherence to best practices to ensure the overall reliability, functionality, and security of their applications.
Marc Greenberg says
The description is exactly on target; you might want to get a little more specific.
More specifically, a few other items to consider are buffer overflow attacks. This is when an application does not perform adequate size checking on the input data. Web-based applications’ reliance on the internet makes them a soft target for cybercriminals as long as they stay connected to the internet.
Jeffrey Sullivan says
Your explanation was simple to read, and I appreciate that. A lot of the specific technical topics covered this week went over my head, as I’ve never encountered or had to read on these topics before. What stood out for me the most was input validation and access control: it’s all about who is accessing what, then moving on to what they are specifically doing and what guidelines, practices, etc. they are following.
Alyanna Inocentes says
I definitely agree with you that there were a lot of topics that felt like they flew over my head. I’m a visual learner, so I have to imagine how these attacks happen, the architecture of an organization, what the attack affects, etc. What I had to do to really make it stick was watch YouTube videos, since they’re able to provide a visualization of how these attacks occur.
Marc Greenberg says
A shared risk between web applications and desktop applications is a buffer overflow attack. This is when an application does not perform adequate size checking on the input data, therefore leading to memory space being overwritten. A risk that is unique to a web-based application is a SQL injection. It can result in confidential data being deleted, lost, or stolen. A risk that is unique to desktop applications is malware, due to the applications being installed locally. It leaves the user susceptible to malicious code being run and installed on their system.
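The SQL injection risk named in this post, shown as an added example that is not code from the thread: a user lookup that builds its query by string concatenation, placed beside the parameterized form that binds the value instead. The in-memory database, table and sample rows are constructed for the demonstration; the same input is run through both lookups so the difference in returned rows is visible.

```python
"""Concatenated vs. parameterized SQL lookups (constructed example, sqlite3 in-memory)."""
import sqlite3

# Constructed sample data for the demonstration, not from any real application.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's text is spliced into the SQL, so
    quote characters in the input change the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run the same input through both lookups; returns (vulnerable rows, safe rows)."""
    conn = build_db()
    try:
        return find_user_vulnerable(conn, username), find_user_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for candidate in ("bob", "x' OR '1'='1"):
        vulnerable_rows, safe_rows = compare(candidate)
        print(f"{candidate!r}: concatenated -> {len(vulnerable_rows)} rows, "
              f"parameterized -> {len(safe_rows)} rows")
```

For the ordinary username both lookups return the one matching row; for the quoted input the concatenated query returns every row in the table, while the parameterized query returns none because no user has that literal name. The fix is the binding, not filtering of quote characters.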
Ikenna Alajemba says
I agree that web-based applications are often challenged by concerns related to Internet connectivity and elevated network security risks, stemming from their dependence on the Internet. This exposes them to a wider scope of global cyber threats. Furthermore, they are constantly contending with server downtime, cross-browser compatibility discrepancies, and intrinsic susceptibility to web-native threats like cross-site scripting and SQL injection attacks. Their reliance on the internet makes them a soft target for cybercriminals from all over the world as long as they stay connected to the internet.
Chidi Okafor says
Web-based applications refer to programs accessed through a browser, delivered to your device from a server without installation on your machine (client). Contrarily, desktop applications are downloaded and installed locally, operating without internet connectivity. They must be developed and installed for a specific operating system and may have strict hardware requirements that must be met to ensure they function correctly.
Both types of applications face common risks, such as XSS (Cross-Site Scripting) and other malicious attacks that could compromise access to the application. Web-based applications represent a more modern approach to application delivery, while desktop applications adhere to a more traditional model.
Web applications inherently face higher security risks due to their design aimed at increased accessibility. Conversely, desktop applications boast superior authorization, and administrators enjoy better control, resulting in enhanced security. Additionally, web applications heavily depend on internet connectivity for operation, while desktop applications rely solely on user access.
Alex Ruiz says
Chidi, your comparison of risks between web-based and desktop applications shows their distinct security landscapes. It’s interesting how the design differences contribute to varying vulnerabilities. Given the evolving threat landscape, how do you foresee the future of security measures adapting to address the specific challenges posed by web-based applications, and do you think there will be a convergence of security approaches between the two application types?
Jeffrey Sullivan says
Desktops are limited to tangible machines, as data is stored on said machine locally, whereas web-based applications can be accessed anywhere IF you have an internet connection, which can pose more of a security risk, as data can be accessed, stored, etc. from anywhere there is a connection. They both share a common risk, which is access control. Who and how are these systems validating and authenticating these users? There can be flaws in the access control management on both ends. According to SANS, “One of the main reasons that can cause Access Control issues is the inadequate input validation. As described in the secure programming practices input validation is on the most significant sources of vulnerabilities in applications”. These vulnerabilities are all suggested via SANS and are caused mainly due to bad programming practices. Web-based applications provide anywhere, anytime access to their applications, which imposes a bigger security risk, as they also can be accessed via many devices over the internet, while a desktop application is more on the local end and requires less security and has fewer ownership issues.
https://www.qulix.com/about/web-app-vs-desktop-app/
Michael Obiukwu says
One unique feature of Desktop applications is that they are generally considered to be more secure than web applications. Desktop applications are usually run individually or more like stand-alone and only have limited users, making them less accessible to hackers. However, web applications can have the following security risks:
SQL injections
Configuration failure
Network vulnerabilities
Integrity of software and data failure
The common/shared security risks faced by desktop and web-based applications are injections, poor code quality and insecure communication which caters to MiTM attacks. Desktop applications can use XML to save configuration files/data, scripting templates, use databases, render HTML content, and provide functionality using system calls in the background. This leaves desktop apps vulnerable to XML, SQL, HTML, Script, and OS command injection attacks. This is very similar to web applications where XSS and SQL injection prevail. Poor code quality in desktop applications can be exploited through reverse engineering tactics while web applications are prone to exploitation through overlooked input validation. An attacker can sniff communication between an application and remote service on both desktop and web-based applications. Similar to web services and applications, desktop applications can facilitate communication attacks through usage of insecure version of protocols, obsolete protocols, unencrypted database connections, not using tunnels for plaintext protocols, and using self-signed certificates instead of CA signed certificates. If a desktop application uses web API/microservices, all relevant web-based attacks are applicable.
Specific to web-based applications, it seems the type of injection attack is a truer distinction between web-based and desktop application security risks. In my last paragraph, I stressed that desktop applications can theoretically be just as vulnerable to attack as a web-based application based on how the technology and platform are configured. However, XSS injection is a web-based application security risk. When considering how an attacker gains access to a system, it is typically under the guise of a trusted user, so it is important to not only test client-side input but also input from the trusted user side. MiTM attacks are not to be an oversight when considering the defense in-depth strategy. This is prevalent with desktop applications. Someone could gain unrightful access to a desktop application from simply leaving the desktop unlocked. Yet, in addition to the more technical attacks, using components with known vulnerabilities, insufficient logging, monitoring, improper authorization and broken authentication caters to this unrightful access as well as keeps it undetected until it is too late. OWASP has a great article on the top 10 desktop application security risks.
I agree 101% with your analysis. The overlaps and distinctions you pointed out between desktop and web application security risks are excellent. While specific vulnerabilities like XSS and MiTM attacks differ between platforms, core issues like injections, poor code quality, and insecure communication remain common enemies. I like how you highlighted the importance of validating all user input, regardless of source and adopting a defense-in-depth strategy considering technical and physical security measures. OWASP’s resources are invaluable for staying informed and proactive. By sharing insights and collaborating like this, we can continue to strengthen our collective security posture and protect our applications from evolving threats. Good stuff, Ashley!
A common risk between desktop and web application attacks is security vulnerabilities such as SQL Injection. SQL Injection uses malicious SQL code to access and manipulate databases. Another risk is performance issues. Users can experience slowness and crashes with Web Applications as well as Desktop Applications.
Desktop Applications are installed locally on the user’s machine, while users need a web browser to be able to access a Web Application. With Desktop Applications, users can face installation and compatibility (hardware and OS) issues. Web Applications are heavily dependent on a stable internet connection. Users can also encounter browser compatibility issues with web applications.
Desktop and web apps are both vulnerable to security threats, necessitating patches. Web apps are more exposed due to their online presence, but desktop apps also vary in their need for frequent patching, depending on the app’s nature and threat severity. Integrity is vital for both: desktop apps verify integrity through file hash comparison, while web apps emphasize URL integrity to prevent issues like typosquatting. The main difference lies in internet connectivity: while web apps require it, many desktop apps can function offline.
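The file hash comparison this post mentions for desktop apps, as an added example that is not code from the thread: stream a downloaded file through SHA-256, compare the digest with the one the vendor publishes using a constant-time comparison, and show that changing a single byte of the file fails the check. The file contents, path and "published" digest are all constructed inside the example.

```python
"""Installer integrity check by SHA-256 comparison (constructed example)."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory byte string (used for known-answer checks)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path, published_hex):
    """True only if the file's digest equals the published one.
    hmac.compare_digest compares in constant time, so a mismatch does not
    reveal how many leading characters matched."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), published_hex.strip().lower())


def demo():
    """Write a constructed 'installer', record its digest as the vendor would
    publish it, then corrupt one byte; returns (result before, result after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed installer payload\n" * 1000)
        published = sha256_of_file(path)      # the digest a vendor would publish
        before = verify_file(path, published)
        with open(path, "r+b") as fh:         # flip a single byte in place
            fh.seek(10)
            fh.write(b"X")
        after = verify_file(path, published)
        return before, after


if __name__ == "__main__":
    untouched, tampered = demo()
    print(f"untouched file verifies: {untouched}; tampered file verifies: {tampered}")
```

The check only protects against a modified file if the published digest arrives over a channel the attacker cannot also rewrite (for example, the vendor's HTTPS page or a signed release note); a digest served next to the download on the same compromised mirror proves nothing.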
Kelly, this is THE best answer imo. Thank you! Very succinct and spot on. When researching and doing the readings with my security cap on, it was interesting to see that essentially all types of web app vulnerabilities can apply to desktop apps, and the mindset of desktop applications being secure so “that’s it, time to clock out” can lead to complacency and ultimately goes against the #1 rule to staying secure: no power in the device.
Desktop applications and web-based applications common/shared risks: Data breach (always a risk; type of application doesn’t matter), User privacy (both are going to have to address it in their terms of use), Quality Assurance (assuring functionality and security), Compliance (meeting relevant regulations), Backup and recovery (data loss can occur in both, so having a recovery/backup plan is needed).
Different/unique risks for both:
Desktop Applications: Installation and Distribution (multiple risks faced with different operating systems, distribution methods and updating these applications), Local storage (data will be stored locally and can pose a risk if the device is compromised in some way), Dependency (in order for the application to run it may rely on other programs or databases installed to work), Offline access (data may not be synchronized when accessing without a connection).
Web-based Applications: Cross-browser compatibility (web applications need to be able to function well across different browsers), Network Dependency (web applications often depend on a stable connection), Client-side Security (web applications need to also protect themselves from potential threats on the client’s end, what they send or do, etc.), Session management (preventing session hijacking by outside parties while connecting to the client).
Desktop and web-based applications share common risks including security breaches, data loss/corruption, unauthorized data access, and system crashes. Both are vulnerable to attacks targeting software vulnerabilities. Human errors such as accidental deletion of critical data also pose a risk to both types of applications.
However, desktop and web-based applications also face different, unique risks. Desktop applications are more susceptible to threats from malicious software, especially if they lack proper security configurations or if the software is outdated. Additionally, they are at risk from physical catastrophes such as fire or flood that could destroy the desktop hardware. Comparatively, web-based applications face the risk of web-specific attacks such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). They are also vulnerable to Distributed Denial of Service (DDoS) attacks which can make the service unavailable for legitimate users.
Another unique risk for web-based applications is the reliance on internet connectivity – any disruption in connectivity can render the application unusable. The sharing of resources in a cloud environment can lead to potential data leakage, particularly if there are weaknesses in the isolation mechanisms between different users.
In conclusion, while desktop and web-based applications share some common risks, they also face a unique set of threats. A comprehensive risk management strategy should not only account for these shared threats but also the unique risks associated with each type of application.
Desktop applications and Web-based applications are prone to certain types of cyber-attacks resulting from a phishing campaign or opening a questionable file. Desktop apps provide better security, allowing users to save data on a local machine/server and not in the cloud. This results in desktop apps being better protected from cyber-attacks than web apps. Although not immune, users are urged to still take security very seriously in order to protect their data and devices.
Desktop and web-based applications share security risks, such as code and design vulnerabilities. These common vulnerabilities, if exploited, can pose significant risks to the integrity and security of both types of applications. Additionally, they are vulnerable to viruses, social engineering scams, and data breaches resulting from insufficient access controls.
Desktop applications present a unique risk in that potential compromise usually requires physical access to the user’s device. However, it’s essential to note that remote exploitation is also a consideration, especially if the desktop is connected to a network.
On the other hand, web applications face distinctive risks such as SQL injection and cross-site scripting. These external vulnerabilities expose web applications to a different set of security challenges compared to their desktop counterparts.
While desktop and web-based applications encounter common security risks, understanding their unique vulnerabilities is crucial for implementing effective security measures.
Hi Akiyah,
I agree that desktop applications pose a risk that demands attackers to be there physically because desktop applications are installed locally on computers. I think this is safer due to additional physical security; not everyone would like to be seen.
Hi Akintunde,
I agree that desktop applications typically require a physical presence for an attacker, but it doesn’t necessarily demand it. Hackers can exploit vulnerabilities remotely as well. For instance, they could use a virus-loaded USB drive, which might have been downloaded on a separate device. Additionally, phishing schemes can grant hackers access to a computer and potentially affect others within the network. It’s important to recognize that users are always vulnerable, and ensuring the safety of data requires continuous implementation of effective security measures.
Andrew Young says
For a shared risk, both desktop and web based applications can be vulnerable to injection-based threats. Specifically, script injection in desktop applications can be used to interrupt or modify the purpose of an application, amongst other possibly malicious activities. Similarly, XML and SQL injection attacks can compromise data transfer or even allow attackers to access and view data maintained by the application exchanges for their own use.
Conversely the nature of desktop vs web applications inherently creates a difference of offline vs online access, as the name implies. Desktop applications, for the most part, can be used offline with no need for an internet connection, and as such, risks posed by the attacks themselves may be far more localized to the user or application that has been compromised, be that via malware, spyware, etc. Online applications, on the other hand, are theoretically only privy to the information in the web session itself and do not have broader access to things such as encrypted data on a local device. This leads to different methods of attack, such as phishing, website re-directs, scareware and key logging
Jeffrey Sullivan says
XML, SQL injection attacks etc. are all new terminology to me never really knew the risk involved in them until I read more in the SANS readings this week, what stood out for me, coming from an admin background was who is accessing what and how is that controlled. Like you pointed out though a lot of it is contingent on a reliable internet source and both come with different forms of risk that all come down to user knowledge.
Erskine Payton says
In harmony with Jeff, XML and SQL injection attacks are new to me and has forced me to go research what they are and understand how they can cause harm in both desktop and web based applications.
I can get paranoid so I do a lot of my work locally saving it on my data to my local drive. So I am partial to working offline because of security reasons, but in recent years I have been somewhat forced to the cloud as I have had my drives fail. Thank you the detailed review.
Ikenna Alajemba says
It’s essential to examine, dissect and comprehend the prevalent risks common to both desktop and web-based applications, as well as the divergent and unique challenges each type of application experiences.
While both platforms share certain risks, such as susceptibility to malicious software attacks, data breaches, usability issues, and potential for user error, they also encounter separate, individual risks.
Desktop applications operate in a more isolated environment making security breaches less likely, but are at a higher risk for hardware compatibility issues and difficulties with software updates. Moreover, the lack of centralized control could cause incongruities among users.
Web-based applications, on the flip side, grapple with difficulties linked to Internet connectivity. They also face a greater threat in terms of network security due to their reliance on the Internet, making them an easier target for cyber threats from all over the world. Again, web-based applications grapple with risks such as server downtime, cross-browser compatibility issues, and the inherent vulnerability to web-based threats like cross-site scripting or SQL injection attacks
Andrew Young says
Good point about desktop apps. While not always the case, I generally operate on the premise that desktop apps that are downloaded pose more of an “offline” risk to the device. That is to say, as long as the device has power, they may be able to cause issues for the user regardless of if they are connected to the internet or not. This is a big issue, since at that point the only way to mitigate or negate the risk would be to either completely wipe the device or never use it again following its infection by the malware or virus
Chidi Okafor says
Ikenna, your description is definitely well-rounded. Desktop applications, operating in a relatively isolated environment, indeed face reduced susceptibility to security breaches. On the other hand, web-based applications confront issues tied to Internet connectivity, exposing them to a heightened risk of network security threats. The dependence on the Internet makes them more susceptible to cyber threats.
Michael Obiukwu says
Iykena,
In the context of this discourse, I would opine that the examination, dissection, and comprehension of risks inherent to both desktop and web-based applications is an essential endeavor due to their disparate and unique challenges each one experiences. While both platforms share common risks, such as susceptibility to malicious software attacks, data breaches, usability problems, and the potential for user errors, they also face individual, platform-specific risks.
Desktop applications are characterized by operating in a more isolated environment, which decreases the likelihood of security breaches. However, they grapple with issues associated with hardware compatibility and software updates while the lack of centralized control could foster user incongruities. Conversely, web-based applications are burdened with the task of Internet connectivity, resulting in a plethora of network security threats due to their reliance on the Internet, which makes them an attractive target for cybercriminals globally.
Furthermore, web-based applications encounter unique risks that include server downtime, cross-browser compatibility, and an increased vulnerability to web-based threats such as cross-site scripting or SQL injection attacks. Both desktop, as well as web-based applications, come with their own sets of challenges and opportunities. Identifying and understanding these risks contribute to making informed decisions about application deployment strategies which can effectively manage and reduce risks associated with their use.
Alyanna Inocentes says
Desktop and web-based applications share common risks such as security vulnerabilities, data breaches, and user authentication concerns. Both face challenges related to input validation, privacy, quality assurance, and compliance. However, desktop applications may encounter specific issues with deployment, updates, compatibility, and installation security. On the other hand, web-based applications contend with cross-browser compatibility, network dependency, client-side security, browser policies, and scalability challenges. Developers must address these shared and unique risks through robust security measures, thorough testing, and adherence to best practices to ensure the overall reliability, functionality, and security of their applications.
Marc Greenberg says
The description is exactly on target, you might want to get a little more specific.
More specifically a few other items to consider are a buffer overflow attack. This is when an application does not perform adequate size checking on the input data, the web based reliance on the internet makes them a soft target for cybercriminals they stay connected to the internet.
Jeffrey Sullivan says
Your explanation was simply to read, I appreciate that, Alot of the specific technical topics covered in this week went over my head as I’ve never encountered or had to read on these topics before. What stood out for me the most was input validation and access control, it’s all about who is accessing what then move on to what are they specifically doing and what guidelines, practices etc. are they following.
Alyanna Inocentes says
I definitely agree with you that there were a lot of topics that felt like they flew over my head. I’m a visualized learner so I have to imagine how these attacks happen, the architecture of an organization, what the attack affects, etc. What I had to do to really make it stick was watch YouTube videos since they’re able to provide a visualization on how these attacks occur.
Marc Greenberg says
A shared risk between web applications and desktop applications is a buffer overflow attack. This is when an application does not perform adequate size checking on the input data, therefore leading to memory space being overwritten. A risk that is unique to a web-based application is a SQL injection. It can result in confidential data being deleted, lost, or stolen. A risk that is unique to desktop applications is malware, due to the applications being installed locally. It leaves the user susceptible for malicious code to be run and installed on their system.
Ikenna Alajemba says
I agree that web-based applications are often challenged by concerns related to Internet connectivity and elevated network security risks, stemming from their dependence on the Internet. This exposes them to a wider scope of global cyber threats. Furthermore, they are constantly contending with server downtime, cross-browser compatibility discrepancies, and intrinsic susceptibility to web-native threats like cross-site scripting and SQL injection attacks. Their reliance on the internet makes them a soft target for cybercriminals from all over the world as long as they stayed connected to the internet.
Chidi Okafor says
Web-based applications refer to programs accessed through a browser, delivered to your device from a server without installation on your machine(client). Contrarily, desktop applications are downloaded and installed locally, operating without internet connectivity. They must be developed and installed for a specific operating system and may have strict hardware requirements that must meet to ensure they function correctly.
Both types of applications face common risks, such as XSS (Cross-Site Scripting) and other malicious attacks that could compromise access to the application. Web-based applications represent a more modern approach to application delivery, while desktop applications adhere to a more traditional model.
Web applications inherently face higher security risks due to their design aimed at increased accessibility. Conversely, desktop applications boast superior authorization and administrators enjoy better control, resulting in enhanced security. Additionally, web applications heavily depend on internet connectivity for operation, while desktop applications rely solely on user access.
Alex Ruiz says
Chidi, your comparison of risks between web-based and desktop applications shows their distinct security landscapes. It’s interesting how the design differences contribute to varying vulnerabilities. Given the evolving threat landscape, how do you foresee the future of security measures adapting to address the specific challenges posed by web-based applications, and do you think there will be a convergence of security approaches between the two application types?
Jeffrey Sullivan says
Desktops are limited to tangible machines, as data is stored on said machine locally, vs. web-based, which can be accessed anywhere IF you have an internet connection, which can pose more of a security risk as data can be accessed, stored, etc. from anywhere there is a connection. They both share a common risk, which is access control. Who and how are these systems validating and authenticating these users? There can be flaws in the access control management on both ends. According to SANS, “One of the main reasons that can cause Access Control issues is the inadequate input validation. As described in the secure programming practices input validation is one of the most significant sources of vulnerabilities in applications”. These vulnerabilities are all suggested via SANS and are caused mainly due to bad programming practices. Web-based applications provide anywhere, anytime access to their applications, which imposes a bigger security risk as they also can be accessed via many devices over the internet, while a desktop application is more on the local end and requires less security and has fewer ownership issues.
https://www.qulix.com/about/web-app-vs-desktop-app/
Michael Obiukwu says
One unique feature of Desktop applications is that they are generally considered to be more secure than web applications. Desktop applications are usually run individually or more like stand-alone and only have limited users, making them less accessible to hackers. However, web applications can have the following security risks:
SQL injections
Configuration failure
Network vulnerabilities
Integrity of software and data failure
Ashley A. Jones says
The common/shared security risks faced by desktop and web-based applications are injections, poor code quality and insecure communication, which caters to MiTM attacks. Desktop applications can use XML to save configuration files/data, scripting templates, use databases, render HTML content, and provide functionality using system calls in the background. This leaves desktop apps vulnerable to XML, SQL, HTML, script, and OS command injection attacks. This is very similar to web applications, where XSS and SQL injection prevail. Poor code quality in desktop applications can be exploited through reverse engineering tactics, while web applications are prone to exploitation through overlooked input validation. An attacker can sniff communication between an application and a remote service on both desktop and web-based applications. Similar to web services and applications, desktop applications can facilitate communication attacks through usage of insecure versions of protocols, obsolete protocols, unencrypted database connections, not using tunnels for plaintext protocols, and using self-signed certificates instead of CA-signed certificates. If a desktop application uses web APIs/microservices, all relevant web-based attacks are applicable.
Specific to web-based applications, it seems the type of injection attack is a truer distinction between web-based and desktop application security risks. In my last paragraph, I stressed that desktop applications can theoretically be just as vulnerable to attack as a web-based application based on how the technology and platform are configured. However, XSS injection is a web-based application security risk. When considering how an attacker gains access to a system, it is typically under the guise of a trusted user, so it is important to not only test client-side input but also input from the trusted user side. MiTM attacks are not to be an oversight when considering the defense in-depth strategy. This is prevalent with desktop applications. Someone could gain unrightful access to a desktop application from simply leaving the desktop unlocked. Yet, in addition to the more technical attacks, using components with known vulnerabilities, insufficient logging, monitoring, improper authorization and broken authentication caters to this unrightful access as well as keeps it undetected until it is too late. OWASP has a great article on the top 10 desktop application security risks.
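The post above makes the point that a desktop application with a local database is exposed to SQL injection just like a web application. The following is an added example (not code from the discussion or from any project it cites) using a constructed in-memory SQLite store: the string-built query treats a legitimate name containing an apostrophe as SQL and fails, while the parameterized query binds the same value as data, and an allowlist check rejects input that should never reach the query at all.

```python
import re
import sqlite3

# Constructed sample data standing in for a desktop app's local SQLite database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),   # a legitimate name with a quote character
]


def make_db():
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the input is spliced into the SQL text.

    Any quote in the input changes the structure of the statement, so the
    database parses part of the user's input as SQL instead of as a value.
    """
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: a bound parameter is always data, never SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Allowlist for account names: lowercase letters, digits, underscore, max 32 chars.
# Input validation is a second layer; it does not replace parameterized queries.
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_name(name):
    """Return True only if the name matches the allowlist pattern."""
    return NAME_RE.match(name) is not None


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "o'brien"))       # found correctly via bound parameter
    print(validate_name("o'brien"))         # False: rejected before any query
    try:
        lookup_unsafe(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("unsafe query broke on legitimate input:", exc)
```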
Kelly Conger says
I agree 101% with your analysis. The overlaps and distinctions you pointed out between desktop and web application security risks are excellent. While specific vulnerabilities like XSS and MiTM attacks differ between platforms, core issues like injections, poor code quality, and insecure communication remain common enemies. I like how you highlighted the importance of validating all user input, regardless of source and adopting a defense-in-depth strategy considering technical and physical security measures. OWASP’s resources are invaluable for staying informed and proactive. By sharing insights and collaborating like this, we can continue to strengthen our collective security posture and protect our applications from evolving threats. Good stuff, Ashley!
Akintunde Akinmusire says
A common risk between desktop and web application attacks is security vulnerabilities such as SQL Injection. SQL Injection uses malicious SQL code to access and manipulate databases. Another risk is performance issues. Users can experience slowness and crashes with Web Applications as well as Desktop Applications.
Desktop Applications are installed locally on the user’s machine, while users need a web browser to be able to access a Web Application. With Desktop Applications, users can face installation and compatibility (hardware and OS) issues. Web Applications are heavily dependent on a stable internet connection. Users can also encounter browser compatibility issues with web applications.
Kelly Conger says
Desktop and web apps are both vulnerable to security threats, necessitating patches. Web apps are more exposed due to their online presence, but desktop apps also vary in their need for frequent patching, depending on the app’s nature and threat severity. Integrity is vital for both: desktop apps verify integrity through file hash comparison, while web apps emphasize URL integrity to prevent issues like typosquatting. The main difference lies in internet connectivity: while web apps require it, many desktop apps can function offline.
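The file hash comparison mentioned above, written out as an added example (not code from the discussion or from any product it describes): a downloaded installer or update is hashed in chunks with SHA-256 and compared against the digest published in a manifest, using a constant-time comparison. The manifest and file contents here are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed manifest of the kind a vendor would publish beside its downloads:
# file name -> expected SHA-256 hex digest. The digest below is SHA-256(b"hello").
EXPECTED_MANIFEST = {
    "installer.bin": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
}


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path, expected_hex):
    """Return True only if the file's digest matches the expected one.

    hmac.compare_digest avoids leaking how many leading characters matched
    through timing differences; the expected value is normalised to lowercase.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_download(path, name, manifest=EXPECTED_MANIFEST):
    """Look the file up in the manifest; an unknown name is a failure, not a pass."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return verify_file(path, expected)


def write_temp(data):
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    good = write_temp(b"hello")             # matches the manifest
    tampered = write_temp(b"hello\x00")     # one extra byte: must be rejected
    print(verify_download(good, "installer.bin"))      # True
    print(verify_download(tampered, "installer.bin"))  # False
```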
Ashley A. Jones says
Kelly, this is THE best answer imo. Thank you! Very succinct and spot on. When researching and doing the readings with my security cap on, it was interesting to see that essentially all types of web app vulnerabilities can apply to desktop apps, and the mindset of desktop applications being secure, so “that’s it, time to clock out”, can lead to complacency and ultimately goes against the #1 rule to staying secure… no power in the device.
Alex Ruiz says
Desktop applications and web-based applications common/shared risks: Data breach (always a risk; type of application doesn’t matter), User privacy (both are going to have to address it in their terms of use), Quality Assurance (assuring functionality and security), Compliance (meeting relevant regulations), Backup and recovery (data loss can occur in both, so having a recovery/backup plan is needed).
Different/unique risks for both.
Desktop Applications: Installation and Distribution (multiple risks faced with different operating systems, distribution methods and updating these applications), Local storage (data will be stored locally and can pose a risk if their device is compromised in some way), Dependency (in order for the application to run it may rely on other programs or databases installed to work), Offline access (data may not be synchronized when accessing without a connection).
Web-based Applications: Cross-browser compatibility (web applications need to be able to function well across different browsers), Network dependency (web applications often depend on a stable connection), Client-side security (web applications need to also protect themselves from potential threats on the client’s end, what they send or do, etc.), Session management (preventing session hijacking by outside parties while connecting to the client).
Michael Obiukwu says
Desktop and web-based applications share common risks including security breaches, data loss/corruption, unauthorized data access, and system crashes. Both are vulnerable to attacks targeting software vulnerabilities. Human errors such as accidental deletion of critical data also pose a risk to both types of applications.
However, desktop and web-based applications also face different, unique risks. Desktop applications are more susceptible to threats from malicious software, especially if they lack proper security configurations or if the software is outdated. Additionally, they are at risk from physical catastrophes such as fire or flood that could destroy the desktop hardware. Comparatively, web-based applications face the risk of web-specific attacks such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). They are also vulnerable to Distributed Denial of Service (DDoS) attacks which can make the service unavailable for legitimate users.
Another unique risk for web-based applications is the reliance on internet connectivity – any disruption in connectivity can render the application unusable. The sharing of resources in a cloud environment can lead to potential data leakage, particularly if there are weaknesses in the isolation mechanisms between different users.
In conclusion, while desktop and web-based applications share some common risks, they also face a unique set of threats. A comprehensive risk management strategy should not only account for these shared threats but also the unique risks associated with each type of application.
Erskine Payton says
Desktop applications and Web-based applications are prone to certain types of cyber-attacks resulting from a phishing campaign or opening a questionable file. Desktop apps provide better security, allowing users to save data on a local machine/server and not in the cloud. This results in desktop apps being better protected from cyber-attacks than web apps. Although not immune, users are urged to still take security very seriously in order to protect their data and devices.
Akiyah says
Desktop and web-based applications share security risks, such as code and design vulnerabilities. These common vulnerabilities, if exploited, can pose significant risks to the integrity and security of both types of applications. Additionally, they are vulnerable to viruses, social engineering scams, and data breaches resulting from insufficient access controls.
Desktop applications present a unique risk in that potential compromise usually requires physical access to the user’s device. However, it’s essential to note that remote exploitation is also a consideration, especially if the desktop is connected to a network.
On the other hand, web applications face distinctive risks such as SQL injection and cross-site scripting. These external vulnerabilities expose web applications to a different set of security challenges compared to their desktop counterparts.
While desktop and web-based applications encounter common security risks, understanding their unique vulnerabilities is crucial for implementing effective security measures.
Akintunde Akinmusire says
Hi Akiyah,
I agree that desktop applications pose a risk that demands attackers to be there physically because desktop applications are installed locally on computers. I think this is safer due to additional physical security; not everyone would like to be seen.
Akiyah says
Hi Akintunde,
I agree that desktop applications typically require a physical presence for an attacker, but it doesn’t necessarily demand it. Hackers can exploit vulnerabilities remotely as well. For instance, they could use a virus-loaded USB drive, which might have been downloaded on a separate device. Additionally, phishing schemes can grant hackers access to a computer and potentially affect others within the network. It’s important to recognize that users are always vulnerable, and ensuring the safety of data requires continuous implementation of effective security measures.