It used to be difficult or outright impossible for employees to install and use unapproved software on their work computers. For many IT departments, those happy days are over.
Web apps’ proliferation combined with mobile devices’ ubiquity have drastically lowered the bar — or removed it altogether — for people to use software of their own choosing at work.
Whatever you call this trend — Consumerization of Enterprise IT, BYOD, Shadow IT — the bottom line is: It’s easier than ever for employees to bypass their IT department and adopt apps, whether the web server’s client is a browser or a mobile app.
This new era of end user empowerment (or anarchy, depending on your perspective) opens a Pandora’s box of security and compliance risks.
Meanwhile, enterprises have also caught the app bug and are “appifying” many operations to make life more convenient for employees, customers and partners. Unfortunately, many custom and commercial apps aren’t securely developed nor properly tested, and contain dangerous vulnerabilities and configuration gaffes.
In short, web application security has become critically important, but unfortunately it’s underestimated by many organizations.
In this post, our latest in the Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we’ll discuss tips 8 to 10, which address the importance of:
- Continuously discovering and monitoring web apps
- Blocking attacks with a firewall
- Protecting your websites from malware infections
Tip #8: Secure your web apps. Don’t put your customers at risk.
So what’s the big deal about unsafe web apps? In a nutshell: The typical organization uses hundreds or thousands of them, and often these apps are vulnerable to major attacks.
Hackers know this, and they also know that these Internet-facing apps are usually linked to back end systems and data, so they’re constantly trying to breach them.
When they breach a web app and get a direct conduit to corporate data, hackers can steal customer identities, money and intellectual property.
Recent studies confirm the intensifying importance of securing web apps.
- In its 2016 Data Breach Investigation Report, Verizon found that, compared to the other attack patterns, web app attacks have become the most likely to trigger a data breach. Specifically, web app attacks accounted for greater than 40 percent of incidents resulting in a data breach in 2015 — up dramatically from about 7 percent in 2014.
Moreover, almost all — 95 percent — of confirmed web app breaches were financially motivated. “The greater complexity, including the web application code and underlying business logic, and their potential as a vector to sensitive data in storage, or in process, makes web application servers an obvious target for attackers,” reads the report.
- A recent Ponemon Institute study found that the cost of data breaches to organizations has spiked almost 30% since 2013 to $4 million on average. For U.S. companies, the average cost is higher at $7 million on average per incident.
The costs an organization incurs in the messy aftermath of a data breach are varied and include fixing systems, notifying and supporting customers, hiring investigators, paying fines and battling lawsuits, not to mention the hits from lost sales and brand damage.
Not fun. Here are some tips to help you avoid this hellish situation:
- Depending on its size, an organization could be using hundreds or thousands of web apps, and have little visibility into them.
Instead of flying blind, you need a comprehensive inventory that lists all your apps — approved and unapproved, commercial or custom built — wherever they are in your IT environment: internal networks, public clouds or mobile devices.
Your app catalog should also contain their software components, vulnerabilities and misconfigurations. This app crawling and scanning process should be automated so that it’s done continuously and at scale.
- Web apps are frequently linked with multiple third-party web services and legacy back-end systems via APIs and custom integrations, so you must understand the potential risks in these interconnections.
- Adopt secure development practices, such as static code analysis. This will reduce security vulnerabilities and configuration mistakes, which can lead to common attacks such as cross-site scripting (XSS) and SQL injection.
- Foster a culture of accountability, constant communication and collaboration among all groups involved in the application delivery lifecycle — developers, operations staff, architects, QA/testers, business stakeholders and, of course, InfoSec pros — by adopting approaches such as DevOps, Agile and Continuous Delivery.
“It takes a village to protect applications,” concluded SANS Institute in its 2016 State of Application Security report.
- Prioritize remediation, whether it’s patching or mitigation, by weighing a variety of risk factors, so you target the apps requiring immediate attention. For example:
- Is the vulnerable app linked to back end databases?
- Can it be used by hackers to compromise other critical systems on the network?
- Is the app crucial for core, daily operations of the organization?
- Has the vulnerability been weaponized in available exploit kits?
- Hold providers accountable, whether they are development companies that build custom apps, or enterprise vendors that sell commercial software, by specifying their requirements and responsibilities to notify you and assist you with security problems in their products.
- Stay current with trends and best practices in AppSec. A great resource is the Open Web Application Security Project (OWASP), whose website is loaded with helpful information and studies — such as its commonly cited Top 10 Most Critical Web App Security Risks report — as well as SANS Institute.
- Implement SSL/TLS correctly on your web servers. This protocol is critical for the privacy, integrity and security of internet communications, but relatively few web servers have a proper implementation: Only 3% of the websites monitored by Qualys SSL Labs earned an A+ for their SSL/TLS configurations recently, bad news web apps’ and websites’ security.
Tip #9: Block direct attacks on app servers. Deploy a web app firewall.
Web application firewalls (WAFs) shield your web servers from attacks by detecting and blocking malicious web-based traffic.
Even if your organization follows stringent app security processes, you need a WAF to protect your organization from dangers that arise after apps have been deployed in production, such as newly disclosed vulnerabilities or inadvertent coding or configuration errors.
“It is the primary function of a WAF to secure web applications against detected vulnerabilities, with as little effort as possible, so that they cannot be exploited by attackers. This is already a very challenging task due to the high degree of complexity of the typical web-application infrastructure,” reads OWASP’s “Best Practices: Use of Web Application Firewalls”
In addition to giving your InfoSec team a chance to patch and mitigate, a WAF is a common requirement of regulations, standards and policies.
WAFs come in all shapes and colors, but below are some elements that will determine whether yours is effective:
- The WAF offers comprehensive protection against common, known attacks and can also be easily configured with specific rules and controls to:
- stop more complex, customized penetration attempts
- ensure your organization complies with specific regulations
- provide specific safeguards and access controls for your web apps
- It limits false positives to a minimum. Otherwise, the WAF becomes too disruptive and is eventually disabled.
- The WAF provides full and granular data visibility into the traffic it’s monitoring, including the overall security status of your web apps, the types of threats detected, their place of origin, their severity and the firewall’s response.
- The WAF doesn’t impact app performance. To check, stress test it before deploying it.
- The WAF is easy to incorporate into your IT environment, simple to manage, API extensible and scalable.
- Acts in tandem with other security tools like vulnerability scanners, malware detectors and perimeter firewalls.
Tip #10: Protect your customers — and your brand — from malware infections.
Hackers find ways to stealthily load malware into websites and online ad networks, incidents that often go unnoticed by their operators.
The malware then can be used to infect the devices of website visitors and to attack site owners’ back end systems.
Consequences include brand damage, data theft, site blacklisting and customer loss.
And it’s a huge problem. In April, Google reported having detected almost 800,000 compromised websites over the previous 12 months, and estimated that on any given week, more than 10 million users visit harmful websites.
So how can you protect your websites from malware?
- Patch vulnerabilities and fix misconfigurations that hackers can exploit to compromise the sites and infect them
- Avoid using components that have proven highly vulnerable. Choose ad delivery networks from reputable, security-conscious providers
- Use a scalable malware scanning tool that checks your websites continuously and triggers detailed alerts about infections
- Make sure the tool’s malware signature file is comprehensive and frequently updated
- Use a tool that’s able to identify not only known malware, but also new variants by using behavioral analysis
- Keep tabs on all your websites and their infections, and visualize and share the data via graphs, reports and charts
We’ll wrap up this series next week with a summary of all ten tips.
In case you missed them, below are links to the first three posts in this series: