Web application security is a very hot topic these days, as shown by the variety of websites falling victim to hacking.
One financial organisation fell foul to a data breach exposing over 1.4GB of customers’ data, including full personal data and credit card information. It was suspected that this bank was compromised via an SQL injection vulnerability.
In such an inhospitable climate, how can CISOs and their security teams respond to the growing cybersecurity risks that threaten insecure web applications?
Data breaches are just the tip of the iceberg and there are many more successful attacks that simply remain undetected or unreported, so acceptance is not a viable option – especially when one considers that nowadays risks such as Advanced Persistent Threats (APT) can start at your own website regardless of how big or protected you think your company is.
With various websites and web applications integrated into each company’s core business processes, avoidance is also no longer feasible. ERPs, CRMs, HRMs and many more vital systems are either web-based or at least provide a web interface, so even if the only web application you have is a static website, attackers will still seek to hack into your website to try and get at your most sensitive and confidential information.
Involves three key aspects:
- Produce a complete and up-to-date digital asset inventory of all your web applications – companies are often hacked via abandoned subdomains or web applications that are no longer maintained.
- Minimise your company’s attack surface – the simplest way – and perhaps the most reliable – is to restrict access to your web applications. If a web application is designed for internal usage only, make sure it’s only available to internal and is not accessible from outside your company. If ypu have employees that work from home or are on the road travelling and need access, you can whitelist VPN IPs, or add a client SSL certificate and 2FA authentication mechanisms. The less web applications that you have which are publicly exposed, the more reliable your protection against potential problems.
- Ensure that you maintain all web application software regularly – a continuous monitoring and patch management system in place is essential as, with zero-days for even the most popular web applications appearing in public on a daily basis, you cannot rely on quarter vulnerability scanning anymore. Instead, set up a 24/7 automated vulnerability monitoring and support that with manual or hybrid security testing to identify complicated security flaws that vulnerability scanners cannot before they cause a problem.
Setting up a Web Application Firewall is a good idea, but bear in mind that WAFs are designed to block simple and automated attacks, so are unlikely to save you from professional Black Hat hackers.
Security training for your web developers is also a good idea, but if you outsource software development, make sure that you introduce obligatory secure software development qualification prerequisites whenever you are conducting RFPs.
Implementing a Secure Software Development Life Cycle (S-SDLC) is another good idea but only if you have an opportunity to deploy and properly maintain it afterwards. Otherwise, in the era of agile development and outsourcing, S-SDLC will not always solve the problems it is supposed to.
The global cyber insurance market is anticipated to reach $7.5 billion by 2020 – a staggering 300 percent increase on this year’s $2.5 billion this year. Cybersecurity insurance may be a good idea, however you should bear in mind that the cybersecurity insurance market is still in its infancy.
Pavel Sotnikov, managing director for Eastern Europe, Caucasus and Central Asia at Qualys, CISSP, MSs, comments: “In today’s world there is no space anymore for single-factor protection. Companies should definitely adopt Defence-in-Depth methodology for layered robust security measures. If we take website security as an example, there definitely should be continuous automated vulnerability testing both for the website and the infrastructure that supports it, moreover there should be security testing during all stages of the SDLC in addition to the secure coding practices. Additionally, there should be Web Application Firewall for proactive protection. Ideally, all this should be complemented through regular manual penetration testing by qualified professionals.”
The advice is to concentrate all of your efforts on appropriate risk mitigation, complemented by risk transfer activities to prevent incidents before they even occur.