What You Need to Know to Minimise Threats
Practising the basics of web application security and keeping up with the threat landscape can help keep your business secure.
When it comes to threat actors breaking into corporate networks and stealing data, most attacks start with relatively well-known vulnerabilities in web applications — the same ones corporations use to interact with their customers and the public at large. While web application security remains a major issue for enterprises, a few basic preventative measures can keep sensitive business and customer data safe.
Web Application Security Basics
While web application vulnerabilities are the top source for data breaches in the enterprise, specific industries are more susceptible than others. These include healthcare, retail and even some public sector and government agencies — basically any organisation that deals in large amounts of personally identifiable information (PII), credit card numbers or other types of customer data attackers look for during a breach.
At the same time, web applications — even the simplest-looking static webpage — are fairly complex. There’s the underlying content management system (CMS) that most pages are built on. Then there are the libraries and frameworks used to build these apps. And, finally, there’s typically custom code that developers write to add functionality and other features for the businesses using these sites.
Each of these layers presents its own level of risk to the business. For example, the custom-code layer within most web applications is vulnerable to any of the Open Web Application Security Project (OWASP) top 10 issues, including injections, misconfigurations or cross-site scripting.
Meanwhile, third-party web application components create their own unique set of problems, such as the unpatched vulnerability that eventually led to the breach at Equifax, which affected nearly 150 million customers and resulted in executive shake-ups, federal investigations and Congressional hearings. The issues with various CMS platforms are also well documented. It seems that every month there’s a new vulnerability or a new exploit associated with WordPress, Drupal or Joomla.
Given the trove of personal data potentially accessible via web applications, it’s no surprise that attackers will swarm to take advantage of a vulnerability. Once a vulnerability is discovered, threat actors use “spray and raid” tactics to hit as many apps as possible before patches are rolled out, giving them enough victims to make the hacking profitable.
Web Application Scanning: Consider Your Components
There are two main themes for security professionals to remember to help prevent attacks on web applications:
Practising these tactics can take your web application security plan beyond looking at the OWASP Top 10, giving you a much fuller view not only of the apps your business is running, but the components that make up those applications. Armed with this level of detail, your security team can make smarter decisions when it comes to assessing risk and rolling out patches to address critical flaws and vulnerabilities.
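The component-level view described above can be made concrete with a small inventory check. The following is an added example, not code from the original article or from any scanning product: it parses a constructed package.json-style dependency manifest for a fictional application, compares each declared component against a constructed advisory list, and reports which components are below the fixed version. The component names, version numbers and advisory summaries are all made up for illustration, and the version comparison assumes purely numeric dotted versions.

```python
"""Component inventory check for a web application (added example).

Parses a dependency manifest, matches each component against an advisory
list, and reports the per-component patch status. All data here is
constructed; the advisories are hypothetical, not real CVEs.
"""
import json

# Constructed sample manifest for a fictional storefront application.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-storefront",
    "dependencies": {
        "cms-core": "4.2.1",
        "template-engine": "1.9.0",
        "image-resizer": "2.0.3",
    },
})

# Constructed advisory list: component -> [(fixed_in_version, summary)].
# A declared version lower than fixed_in_version is treated as affected.
SAMPLE_ADVISORIES = {
    "cms-core": [("4.2.5", "authentication bypass (hypothetical)")],
    "template-engine": [("2.0.0", "server-side template injection (hypothetical)")],
}


def parse_version(version):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def load_components(manifest_text):
    """Return {component: version} from a package.json-style manifest."""
    data = json.loads(manifest_text)
    return dict(data.get("dependencies", {}))


def find_affected(components, advisories):
    """Return (component, version, fixed_in, summary) for every advisory hit."""
    findings = []
    for name, version in components.items():
        for fixed_in, summary in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, fixed_in, summary))
    return findings


def inventory_report(manifest_text, advisories):
    """Full view: every component with its version and patch status."""
    components = load_components(manifest_text)
    affected = {hit[0]: hit for hit in find_affected(components, advisories)}
    report = []
    for name, version in sorted(components.items()):
        if name in affected:
            status = "patch to " + affected[name][2]
        else:
            status = "no known advisory"
        report.append({"component": name, "version": version, "status": status})
    return report


if __name__ == "__main__":
    for row in inventory_report(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{row['component']:<16} {row['version']:<8} {row['status']}")
```

The point of listing every component, not only the affected ones, is the "fuller view" the article calls for: a security team can see what the application is built from before deciding which patches to prioritise. In practice the advisory list would come from a vulnerability feed rather than an inline dictionary.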