With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU’s General Data Protection Regulation (GDPR.)
GDPR went into effect in May, imposing strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.
While GDPR makes only a few, vague references to technology, it’s clear that, for compliance, infosec teams must demonstrate that their organizations are doing their best to prevent accidental or malicious misuse of EU residents’ personal data.
Thus, organizations must have a rock-solid security foundation for superior data breach prevention and detection, and web application security has to be a core component of it.
Web apps: A security weak link
The typical organization uses hundreds or thousands of custom and commercial web apps, which often aren’t securely developed nor properly tested, and contain dangerous vulnerabilities and misconfigurations.
Since they’re usually linked to back end systems, breached web apps offer hackers a direct conduit to corporate data, including personal information from EU customers.
In its 2016 Data Breach Investigation Report, Verizon found that, compared to the other attack patterns, web app attacks had become the most likely to trigger a data breach, a finding reconfirmed in the 2017 version of the Verizon study.
What’s the criteria for determining your organization is doing its best to protect customer personal data from web application attacks?
Below we outline a series of risks and best practices culled from the non-profit Open Web Application Security Project (OWASP)’s OWASP Top 10 Privacy Risks Projectand OWASP Top 10 Application Security Risks, and we explain how Qualys can help organizations slash their risk of data breaches caused by web app hacks.
Specifically, Qualys Web Application Scanning (WAS) and Qualys Web Application Firewall (WAF) can help customers adopt the OWASP privacy and security best practices that are detailed in the next two sections, through a DevSecOps approach, in which security tools and processes are automated and embedded into the application development and deployment lifecycle.
Since all web apps are different, there’s no silver bullet for tracking personal user data and enforcing its protection. With Qualys, one can understand the inner security and compliance status of an application via WAS discovery and vulnerability scans, before addressing the GDPR policy requirements, possibly through WAF security rules.
OWASP Top 10 Privacy Risks Project
The Top 10 Privacy Risks Project’s goal is to shine a light on real-life web app dangers and to offer developers concrete tips for mitigating them.
Unsurprisingly, “web application vulnerabilities” top this list, because, as OWASP explains, “failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach.”
OWASP warns that, for example, injection flaws let attackers copy or manipulate data. Other issues can be sensitive data exposure, use of insecure direct object references, use of software components with known vulnerabilities, and security misconfigurations.
“In general it is possible for attackers to gain access to, manipulate or delete personal data that the application is processing by abusing rights, entering malicious code or eavesdropping on communications,” OWASP states in this companion document to the Top 10 Privacy Risks Project.
Among the recommendations: perform penetration tests frequently, install updates and patches on a regular basis, track remediation, and apply secure development procedures.
Second on the list is “operator-sided data leakage.” Whether triggered by malicious breaches or unintentional mistakes, these data leaks are caused by “insufficient access management controls, insecure storage, duplication of data or a lack of awareness.”
Recommendations include having an appropriate identity and access management system, using strong encryption for all personal data stored, and masking personal data via methods like anonymization and pseudonymization.
Below we highlight other items on the list that are relevant for information security teams working on GDPR compliance:
Insufficient data breach response
Inform affected individuals about actual or suspected data breaches, fix the cause, and attempt to limit the leaks. OWASP recommends continuously monitoring for personal data leaks and loss, and responding to the breach by assembling a response team and notifying the affected individuals.
Insufficient deletion of personal data
Quickly and comprehensively delete personal data once it’s no longer needed, or consumers request its erasure. OWASP recommends following data retention, archival and deletion policies, verifying deletion, limiting access to data that can’t be erased, taking note of historical data stored in older cloud snapshots, and considering data that was backed up or shared with third parties.
Sharing of data with third parties
Amend service agreements, to ensure you’re able to collect evidence automatically via web application scans of the supplier ecosystem, or using security assessment questionnaires. OWASP recommends that organizations use their servers as a proxy for content they share, deploy full Do Not Track capabilities per the latest W3C standard, strongly consider using tokenization or anonymization when sharing data, and develop a third-party monitoring strategy.
Outdated personal data
Using outdated or erroneous customer data, and failing to update it and correct it, can also put an organization in GDPR hot water. OWASP suggests checking for possibilities to update personal data in the web app, including regular checks to validate that data is still accurate, and creating a mechanism to share data changes and updates with third parties that have older versions of those data sets.
Missing or Insufficient Session Expiration
A web app that doesn’t effectively terminate sessions leaves a user’s account and data potentially exposed for malicious use, or cause user data to be collected without their consent. OWASP recommendations include featuring logout buttons prominently and setting up automatic session timeouts in the web app.
Insecure Data Transfer
Data must be protected during transfers to prevent it from being intercepted and compromised.
OWASP countermeasures include using secure protocols for personal data, avoiding personal information in URLs, enforcing HTTPS for the entire web app session, supporting TLS/DTLS instead of SSL v3, and using ECDHE and GCM ciphers, instead of static RSA key exchange and CBC-based ciphers.
OWASP Top 10 Application Security Risks
Another great resource from OWASP is its list of Top 10 Application Security Risks, updated in 2017. The security risks on this list are all relevant for infosec teams tasked with protecting customer data for GDPR compliance:
- Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, which let an attacker execute commands and access data
- Broken authentication, where improper authentication and session management can allow attackers to compromise passwords, keys, or session tokens, and hijack accounts
- Sensitive data exposure, which refers to the transfer and storage of sensitive data without appropriate protections, such an encryption
- XML external entities, which can be exploited to disclose internal files and execute remote code if the XML processor is older or poorly configured
- Broken access control, which refers to improperly enforced restrictions on actions of authenticated users
- Security misconfiguration, which involves issues such as insecure default configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages
- Cross-site scripting, which lets attackers execute scripts in browsers to hijack user sessions, deface websites, or redirect users to malicious sites
- Insecure deserialization, which can lead to remote code execution
- Vulnerable component usage, which introduces known bugs into an application, creating easy opportunities for successful attacks against it
- Insufficient logging and monitoring, which keeps infosec teams in the dark about ongoing breaches
Mitigating these risks will go a long way towards securing your web applications, and specifically towards protecting the personal data of EU residents that you hold, share and process.
Qualys offers comprehensive web application security for GDPR compliance
Qualys combines web application scanning with web application firewall protection for complete, accurate and scalable web security. With Web App Scanning (WAS) and Web App Firewall (WAF), Qualys provides a single interface for identifying, managing and fixing all of the vulnerabilities and misconfigurations on web applications deployed in private, public and hybrid clouds.
Qualys WAS continuously discovers and catalogs web apps in your network – including new and unknown ones — giving you full visibility, and allowing you to proactively tag those that are within the GDPR scope accordingly.
Qualys WAS detects vulnerabilities and misconfigurations comprehensively and continuously, and gives you automated, extensive detection capability to protect against the OWASP Top 10 Application Security Risks and beyond.
Scaling up to thousands of web apps, Qualys WAS conducts incisive, thorough, precise scans, with few false positives. Its seamless integration with Qualys Web Application Firewall (WAF) gives you one-click patching of web apps, including mobile apps and IoT services. With WAS, you can also insert security into DevOps environments by detecting code security issues early and often in the app development and deployment pipeline. Qualys WAS also includes scans that identify malware infections on your websites using behavioral, heuristic, and reputational analysis.
Meanwhile, Qualys WAF reduces application security cost and complexity with a unified platform to detect and virtually patch web application vulnerabilities. Simple, scalable and adaptive, Qualys WAF lets you quickly block attacks, prevent disclosure of sensitive information, and control when and where your applications are accessed, while legitimate traffic is not logged by the Qualys Cloud Platform. Qualys WAF can be deployed in minutes, supports SSL/TLS and doesn’t require special hardware.
In short, with Qualys you’ll be able to have clear, widespread visibility into all your web applications, and continuous detection of vulnerabilities, malware and misconfigurations. That way, you’ll dramatically reduce web app attacks that trigger data breaches that could put you on the wrong side of GDPR.
In our next post in this blog series, we’ll look into the importance of public cloud security within the realm of your GDPR readiness efforts.
(Rémi Le Mer is a Security Solution Architect and SME for Qualys WAF)
To learn more about how Qualys solutions can help you become GDPR compliant, visit qualys.com/gdpr where you can download our free interactive guide.
Read the other blog posts in this GDPR series: