IT Focus Area: security
August 16, 2018
3 Keys to Web Application Security
Editor’s Note: Sirius and Forsythe are now one company. Sirius acquired Forsythe in October 2017 and we are pleased to share their exceptional thought leadership with you.
Web applications are under siege as cyber attackers work around the clock to identify weak spots and steal data. Last year’s Equifax data breach put a spotlight on web-application vulnerabilities, which can be used to target any organization with an internet presence. An alarming 100 percent of web applications studied in a recent report were found to contain at least one vulnerability, with a median number of 11 detected per application.
Ideally, secure coding best practices would prevent vulnerabilities in web applications. But applications typically contain more than 40 components, many of which are likely to be open source elements that are not effectively tracked or managed, and come with their own vulnerabilities. This makes it difficult to comprehensively address security concerns before releasing software.
Hackers have embraced the use of automation to scan applications for vulnerabilities and use application layer techniques that include, but are not limited to, SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), and distributed denial of service (DDoS) attacks to target web applications and attempt to extract sensitive data.
Protecting your organization’s applications and traffic is imperative, but automated attacks can overwhelm existing security solutions. Next-Generation Firewalls, Intrusion Prevention Systems and other traditional network security products have proven ineffective against web-based threats.
How can you effectively protect web applications?
It is important to maintain awareness of current web application issues and trends. The Open Web Application Security Project (OWASP) publishes the “OWASP Top 10” list, which represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have come together to share their expertise.
In addition to adopting the OWASP Top 10, there are three important steps your organization can take to better protect web applications.
1. Strengthen patch management and vulnerability assessment capabilities
Organizations should implement solid vulnerability assessment and patch management processes to identify the vulnerabilities that need to be addressed and link them to patches that can be deployed to servers, endpoints, databases, and applications to remediate them.
"99 percent of exploits are based on vulnerabilities that have already been known to security and IT professionals for at least one year."
—Gartner Technology Insight for Patch Management Tools
Vulnerability assessments typically identify thousands of granular vulnerabilities and rate them according to technical severity, rather than taking into account the affected business and its mission-critical processes. They can also identify a single vulnerability several times, recommending multiple patches and upgrades when a single security solution could address all of them.
Getting maximum benefit from a vulnerability assessment requires understanding your organization’s mission-critical processes and underlying infrastructure, and then applying that understanding to the results. In order for vulnerability scans to be successful, application and data flows and the organization’s underlying hardware, network infrastructure, and existing security controls must be mapped out and understood. This allows security analysts to interpret the results of the scan clearly, and with an objective focus on the critical aspects of the business. Be sure to run vulnerability scans before and after patching.
“One of the biggest mistakes companies make is using a scan to determine what to patch, instead of scanning to verify successful patching. This sets the organization up for more vulnerability rather than less.”
—Ben Holder, Senior Principal Consultant and Lead Penetration Tester, Sirius
Once the vulnerability assessment is complete, and the business feels it has remediated enough findings to improve its security posture, it’s critical to have a new set of eyes examine the environment. Penetration testing is designed to put pressure on your security practices and determine whether a malicious actor could exploit a vulnerability to gain access to valuable information. While the technical attack is played out, penetration testers will challenge the assumptions you’ve generated as part of your vulnerability assessment. Is the group of servers that sits behind firewalls and is monitored by anti-virus actually protected well enough? Is the list of discovered entry points into critical applications complete, or can the penetration testers find a new method of access you weren’t aware of?
It is common for the business to be too close to the subject matter. A comprehensive evaluation with specific goals should be conducted by experienced testers to help the business gain perspective on which areas may not have been considered previously, and on what the next area of growth should be as part of the security assessment lifecycle.
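The two points made above, that findings should be collapsed onto the patch that fixes them and weighted by business criticality rather than by CVSS alone, and that a post-patch scan should be used to verify remediation, as an added example that is not part of the original article. The scan records, asset criticality values, fix names and CVE-style identifiers are all constructed placeholders.

```python
# Added example (not from the article): reconcile a pre-patch and a post-patch
# vulnerability scan. Every record below is constructed for illustration; the
# "cve" values are placeholders, not real identifiers.
from collections import defaultdict

# One record per (asset, finding) pair, the granular form scanners usually emit.
PRE_PATCH = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "fix": "app-server 2.4.1"},
    {"asset": "web-02", "cve": "CVE-0000-0001", "cvss": 9.8, "fix": "app-server 2.4.1"},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 7.5, "fix": "app-server 2.4.1"},
    {"asset": "db-01",  "cve": "CVE-0000-0003", "cvss": 5.3, "fix": "dbms 11.2"},
    {"asset": "lab-07", "cve": "CVE-0000-0004", "cvss": 9.1, "fix": "kernel 5.4.2"},
]
POST_PATCH = [
    {"asset": "web-02", "cve": "CVE-0000-0001", "cvss": 9.8, "fix": "app-server 2.4.1"},
    {"asset": "db-01",  "cve": "CVE-0000-0003", "cvss": 5.3, "fix": "dbms 11.2"},
    {"asset": "lab-07", "cve": "CVE-0000-0004", "cvss": 9.1, "fix": "kernel 5.4.2"},
    {"asset": "db-01",  "cve": "CVE-0000-0005", "cvss": 6.1, "fix": "dbms 11.3"},
]
# Assumed business criticality per asset: 1.0 = customer-facing payment path,
# 0.2 = isolated lab box holding no production data.
CRITICALITY = {"web-01": 1.0, "web-02": 1.0, "db-01": 0.9, "lab-07": 0.2}

def key(rec):
    return (rec["asset"], rec["cve"])

def group_by_fix(findings):
    """Collapse many granular findings onto the single patch that resolves them."""
    groups = defaultdict(list)
    for rec in findings:
        groups[rec["fix"]].append(rec)
    return groups

def prioritize(findings):
    """Rank patches by business impact (sum of cvss * asset criticality), not cvss alone.
    A pure-CVSS ranking would put the 9.1 lab finding ahead of the 5.3 database one."""
    scores = {fix: sum(r["cvss"] * CRITICALITY.get(r["asset"], 0.5) for r in recs)
              for fix, recs in group_by_fix(findings).items()}
    return sorted(scores, key=scores.get, reverse=True)

def verify_patching(before, after):
    """Diff the two scans: what was remediated, what persisted, what newly appeared.
    A finding that persists after its patch was 'deployed' (web-02 here) is exactly
    the failed rollout the post-patch scan exists to catch."""
    b, a = {key(r) for r in before}, {key(r) for r in after}
    return {"remediated": sorted(b - a), "persisting": sorted(b & a), "new": sorted(a - b)}
```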
2. Leverage Web Application Firewalls (WAFs)
WAFs provide an important line of defense for critical applications and data by analyzing user access to business-critical web applications and acting on threats that are woven into innocent-looking website traffic. Unlike traditional firewalls, which mainly control traffic based on the ports and protocols they use, a WAF controls access to web applications using rules designed to recognize common attacks such as cross-site scripting and SQL injection.
"By 2020, more than 50% of public-facing web applications will be protected by cloud-based WAF service platforms, combining CDN, DDoS protection, bot mitigation and WAF, up from less than 20% today."
—Gartner Magic Quadrant for Web Application Firewalls, August 2017
WAFs are updated continuously with new rules designed to catch the latest attack and exploitation techniques before they can harm important resources. They operate at the application layer, the highest level of the OSI model, while also having visibility into the lower networking layers, which lets them protect websites from a wide range of attacks. When properly customized, deployed, and monitored, WAFs can prevent attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.
Organizations should look for a WAF that is flexible enough to adapt to changing IT infrastructures and the evolving threat landscape, and to change based on the needs of the business. Some providers offer "Advanced WAF" solutions, as well as cloud-based services that include L7 DDoS defenses, bot mitigation, artificial intelligence (AI), and API endpoint protection. These extend security beyond traditional WAF functions by adding capabilities needed to defend against current threats, such as:
- Bot detection beyond signatures and reputation to block evolving automated attacks
- Application layer encryption to protect against credential theft
- L7 DDoS detection using machine learning and behavioral analytics for high accuracy
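An added example, not the article's or any vendor's code, of the two mechanisms described in this section: signature rules evaluated over decoded request parameters, and a per-client request-rate check standing in for the "beyond signatures" bot detection. The two rules, the rate threshold and the sample requests are constructed for illustration, and the last sample request shows the kind of false positive that makes tuning necessary.

```python
# Added example (not from the article): a toy version of the application-layer
# inspection a WAF rule set performs, plus a simple rate check per client.
import re
from collections import defaultdict, deque
from urllib.parse import parse_qs, unquote_plus

# Two illustrative signature rules; production rule sets are far larger and tuned.
RULES = {
    "sqli": re.compile(r"(?i)(\bor\b|\band\b)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+|\bunion\b.+\bselect\b|--\s*$|;\s*drop\b"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript\s*:|on\w+\s*=\s*['\"]?[^'\">]+"),
}

def inspect_query(query):
    """Return (parameter, rule) pairs that the decoded query string triggers."""
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            v = unquote_plus(v)  # second decode so double-encoded values are seen too
            for rule, pattern in RULES.items():
                if pattern.search(v):
                    hits.append((name, rule))
    return hits

class RateTracker:
    """Flag a client that issues more than `limit` requests within `window` seconds."""
    def __init__(self, limit=20, window=1.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def record(self, client, ts):
        q = self.seen[client]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

# Constructed sample traffic: (client, timestamp in seconds, query string).
SAMPLE_REQUESTS = [
    ("10.0.0.5", 0.00, "q=blue+widgets&page=2"),
    ("10.0.0.9", 0.00, "q=O%27Brien"),
    ("10.0.0.9", 0.30, "note=tea+or+coffee%3Dfine"),   # benign text that trips the sqli rule
    ("10.0.0.5", 0.40, "id=7+OR+1%3D1"),
    ("10.0.0.5", 0.50, "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
]

def evaluate(requests, limit=2, window=1.0):
    """Per request, list the reasons a WAF would act: signature hits and/or excessive rate."""
    tracker = RateTracker(limit, window)
    verdicts = []
    for client, ts, query in requests:
        reasons = [f"{p}:{r}" for p, r in inspect_query(query)]
        if tracker.record(client, ts):
            reasons.append("rate")
        verdicts.append((client, reasons))
    return verdicts
```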
3. Strengthen security throughout the SDLC
When it comes to web applications—whether it’s training, standards, awareness or controls—consistency is the key to security. Attackers only have to find one place where you don't have a security control, and that's where they will focus their efforts. Preventing that from happening means applying security throughout the development of your software, and that requires securing the software development lifecycle (SDLC).
New approaches to managing application development have been rapidly evolving. The use of automation and the alignment of development and operations teams are enabling customized software and business functions to be built more quickly. However, security teams are often still seen as roadblocks and are therefore left out of the DevOps conversation. Having personnel from development, security and operations collaborate on projects is vital. Security teams need to evolve and move faster in order to keep up and make an impact, so that DevOps and security can be aligned within a new approach—DevSecOps.
What is DevSecOps?
DevSecOps can be thought of as a continuous application delivery model that brings together development, security and IT operations into a unified group to ensure security checks and controls are applied automatically and transparently throughout the software development lifecycle.
DevSecOps is about sustained collaboration; making the correct security choices early and nurturing secure decisions throughout the development process.
Planning for DevSecOps
DevSecOps is not unlike a secure application development environment; the difference is the increased frequency of testing and feedback loops, and the components that are tested for—such as open source vulnerabilities, and additional programming languages that support automation and orchestration—on top of what’s already being evaluated. And perhaps most importantly, DevSecOps works toward creating a culture and environment in which development, operations, and security teams work together alongside other stakeholders in the organization towards a shared goal. There are several key elements that organizations need to consider when planning for DevSecOps.
When planning for DevSecOps, security teams first need to perform threat assessments, so that they have better visibility into the types and sensitivity levels of the assets they are protecting, and the most likely threat vectors for those assets.
Developing a DevSecOps program requires a commitment on the part of the security team to work side by side with the development and operations teams, and getting buy-in from all of the stakeholders to embed security controls and processes into the entire DevOps workflow.
Putting the “Sec” Into DevOps
Security teams need to demonstrate that they can provide a series of tests and quality conditions on production code pushes, without slowing down the process. If security parameters and metrics are incorporated into development and test qualifications, then the likelihood of security being incorporated into DevOps processes is much higher. Additionally, security teams should look to integrate automated dynamic and static code testing throughout the development and production lifecycle to help detect and fix code flaws.
Optimize Your Web Application Security
Attackers will never stop looking for vulnerabilities to exploit, and web applications are a prime target. Strengthening vulnerability assessment and patch management practices, implementing advanced WAF technology, and better aligning security with development teams and IT operations groups are all critical to advancing your organization’s security posture. By doing so, you can ensure that security principles and communication come into play throughout the development process, accelerate the rollout of innovative new applications while defending against the exploitation of an expanding attack surface, and better manage web application risk.