Just when we thought cybercrime couldn’t surprise us anymore, in 2017 we had the likes of Uber and Equifax announce massive data breaches; Equifax, admitting in a statement about the breach that, “criminals exploited a U.S. website application vulnerability”.
Cybersecurity attacks are becoming normalized, and many of them are targeting web-based applications. But web applications and cloud computing are a natural extension of our need to do global business in an accessible and future-proofed manner. As the Internet has evolved, it has touched every aspect of our business and not only extended our network perimeter but smashed it. Cloud applications have given us incredible advantages, including the ability to work from anywhere and to utilize external management of IT services. Web apps like Dropbox, for example, which makes sharing and collaboration simpler, have seen a staggering rise in popularity, Dropbox now has over 500 million users.
However, along with the benefits of web applications come security concerns. Data breaches are at an all time high. The Breach Level Index has counted over 9 billion exposed data records since 2013, with almost 2 billion of those being exposed in the first half of 2017 alone. Interestingly, or perhaps alarmingly, less than 5% of those records were encrypted. So, where does this leave us in terms of making the most of web applications and the public cloud, whilst ensuring our data security?
What is Web Application Security?
This branch of cybersecurity operates specifically in the defense of information shared through web applications, web services, and websites.
Organizations are evolving when it comes to the practice of sharing information through all of their business-related applications. With the ever-increasing numbers of remote workers, partners and vendors, the sharing of sensitive data through web-based applications is inevitable. An attack on these web services or applications can affect sensitive information and expected functionality, leading to data breaches and hindering operations. To counter this, cybersecurity departments plan to expect the inevitable and engineer tools like security controls to protect sensitive information and critical functionalities to ensure secure web services.
5 Security Know-Hows To Apply When Protecting Web Applications
Web apps and cloud computing in general is high on the agenda of companies of all sizes and in all industry sectors. In a report by McAfee, they found that 93% of organizations use cloud services and spend 80% of their IT budget on it. Cloud applications allow an organization to build an ecosystem of working services, fast and efficiently. This ecosystem, however, has certain challenges. In a report by Alert Logic, they found that web app attacks were the biggest threat to web applications. With these challenges in mind we have listed 5 of the most pressing:
1. Controlling Access and Authentication
One area of weakness that has been evident from a number of cyber attacks in recent years has been poor authentication. First factor only authentication, such as password based access control, just doesn’t measure up against modern cyber threats like spear phishing and admin account compromise. And the threat doesn’t have to be direct. Data breaches like the Target Corp., and more recently, Yahoo, have started with a spear phishing email targeting a supply chain member, resulting in stolen admin login credentials. Web application security needs to be bolstered with robust authentication. This includes the use of second factors such as one-time codes or biometrics. OWASP offer an ‘Authentication Cheat Sheet’ with advisories on using effective authentication measures. Getting the balance of usability and security right is also important. You can improve the usability of web apps using measures such as Single Sign On, federation and risk-based authentication.
2. Acknowledge the Distributed Denial of Service (DDoS) Threat
Distributed Denial of Service (DDoS) attacks on web applications is becoming a significant issue. A DDoS attack will leave your web application unusable and is the digital equivalent of an explosion in a shop. It will leave your company with not just a mess to clean up but with a lost reputation too. Akamai’s “State of the Internet Security Report Q3 2017” showed a rise in DDoS attacks and this method of disruption seems to be becoming more popular as high profile attacks like the Mirai botnet have demonstrated. Protecting your web applications from DDoS attacks is a fundamental security strategy. The distributed nature of this attack type, using a network of bots (user devices) to carry out the attack, makes a DDoS hard to prevent and contain. There are, however, methods available to prevent a DDoS attack, including ensuring you have enough bandwidth to handle a sudden upsurge in traffic and products such as Intrusion Detection and specialized DDoS protection services. There are a number of Intrusion Prevention products available to mitigate DDoS attacks, including those from F5, Palo Alto Networks, Cisco, and Alert Logic.
3. A Patch in Time, Utilize Bug Bountys
Software vulnerabilities are the scourge of the web application. The earlier mentioned Equifax breach, which impacted 146 million customers, was a result of a vulnerability within public Cloud security. In the case of Equifax, it has been hinted that the vulnerability was a well-known flaw in the Apache Struts framework used across the Internet. Vulnerabilities cannot always be resolved, but with bug bounty programs and the like, companies now have prior warning of such security issues and patches are quickly released. In the case of Equifax, a patch may well have saved the data of those 146 million users. Keeping web application security optimized means patching software in a timely fashion.
4. Privacy by Design (PbD) and Privacy Impact Assessments (PIA’s)
Privacy and cybersecurity are intrinsically linked but do need separate considerations. A number of regulatory frameworks and laws have privacy expectations built into their requirements. The EU’s General Data Protection Regulation (GDPR) is one that has far-reaching and often nuanced expectations around data privacy. Data breaches, as we have seen, are a major concern, especially within a public cloud-based service. Personal data is protected under regulations like GDPR and the U.S. Health Insurance Portability and Accountability Act (HIPAA). Privacy by Design (PbD) is a way of ensuring that data privacy and protection is applied to IT systems and business processes. It uses a holistic approach and takes in everything from user consent to share information to the lifecycle protection of data across services. Across web applications, privacy of data is achieved by using a multi-layered approach that follows the flow of the data using Privacy Impact Assessments (PIA’s) to spot gaps.
5. Make Sure to Test and Dont Forget to Test. Quite Frankly you Should Definatly Test. (PEN Testing)
As we mentioned earlier, the use of web applications that are in the public cloud often comprises a complex ecosystem of components; this system has many touch-points and interactions with users and other services. It is like a convoluted web of interconnectivity and user input. To ensure that you have a robust and hardened system you must start with secure coding techniques; the resultant code then being checked using a specialist code analysis company. OWASP has some advise on secure coding. Testing at unit level, through to staging is vital to ensure both security and privacy are built-in. Penetration testing (PEN testing) s your web application acceptance cycle using. PEN testing is usually done by an expert company who specializes in cybersecurity. PEN tests will probe the entire system from networks outwards into web applications. PEN testers are often called ‘White Hat hackers’ as they simulate the sort of attacks that cyber criminals carry out. As cybersecurity experts, they keep up to date with the cybersecurity landscape and the types of attacks that are happening and likely to affect a web application. The results of a PEN test assessment will give you the knowledge and ammunition to harden your systems against cybersecurity threats.
Clearing the Cybersecurity Clouds
Business is always looking for ways to become more efficient utilizing technology to do so. Web applications can give us a rich diversity of functionality, and using them within a public cloud context can allow us to achieve this at an affordable price. The threat of cybersecurity, however, lingers over our use of web applications like a dark cloud. The challenges that web application security present are hurdles that we can cross as long as we have the background knowledge to do so.
To help you build a better and more secure web application ecosystem, we offer a number of assessments that our security professionals run for your organization. These assessments are instrumental in giving you the peace of mind in using web apps in a public Cloud. Contact us today to start your path to secured web applications.