Hackers are targeting your web apps. How do you stop them? Set priorities.
Setting priorities, as most of us have learned (sometimes through bitter experience), is fundamental to success.
So it should be no surprise that setting priorities is fundamental to securing your digital assets. To do so, you have to catalog what you have (and therefore what you need to protect). You have to figure out which "attack surfaces" stand out to hackers looking to get inside your system. And you have to use the right tools to keep attackers out.
Fortunately, all that is possible. It just takes some time, effort, and, yes, investment.
There's no mystery about hackers' favorite attack surface. As multiple reports on data breaches have found, web applications are at the top.
In Forrester's The State of Application Security, 2019, author Amy DeMartine opens with this declaration: "Application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks."
In the most recent Verizon Data Breach Investigations Report (DBIR), web applications are among the top three attack vectors in eight of the nine industry verticals covered by the report. They are No. 1 in four of them.
And according to SAP, 84% of cyber attacks happen on the application layer, making it the No. 1 attack surface for hackers.
There should be no mystery about why web apps are a target either. If attackers can exploit a web application vulnerability, they inherit whatever the application itself can reach. "Malicious attackers who exploit an application through a vulnerability or weakness will also have access to the data that application has access to, no matter what data security or network protections you may have in place," DeMartine wrote in the report.
Of course, every business with an online presence has web applications. Those apps are built with software. And software, hackers know, is rarely perfect. They also know that even when patches are issued for bugs or other vulnerabilities, not every organization installs them.
Perhaps the most notorious example of the past several years, the 2017 breach of credit reporting giant Equifax, which compromised the personal and financial information of about 147 million people, was made possible because the company failed to install a two-month-old patch for a vulnerability in Apache Struts, a popular open source web framework.
But even that wasn't enough to get companies to pay attention. As the Synopsys Open Source Security and Risk Analysis (OSSRA) report showed, a third of audited codebases containing Apache Struts were still vulnerable to the same issue that affected Equifax.
So the priority is obvious: Protect your web applications.
There are ways to do that; the key word is "ways." There is not one way to do it. Don't fall for any pitch that says if you employ this magical "all-in-one" tool, your applications will be safe.
Nothing in life, or online, is completely secure. But with the right set of tools, deployed throughout the software development life cycle (SDLC), you can make your web apps a much harder target for all but the most motivated and expert attackers.
To start, it helps to know what software components you're using and where they came from. While most organizations create proprietary software, virtually all (99%, according to the OSSRA) also use open source.
Nothing wrong with that: open source helps reduce the time and expense of application development. It provides ready-made "raw materials," so developers don't have to reinvent the basics every time they create a new app.
But open source is no more (or less) secure than other software, and it also comes with licensing requirements. That means organizations that don't keep track of what they're using could miss notifications that there are patches available for known vulnerabilities. And they could get in legal trouble for open source license violations.
The way to avoid all that is with software composition analysis (SCA). SCA builds an inventory of the open source components in your codebase, matches each one against known vulnerabilities and its license obligations, and lets you enforce policy automatically, for example by failing a build that pulls in a component with a known critical vulnerability or a license you have not approved.
And it's important to move SCA earlier in the SDLC: catching a vulnerable or mis-licensed component at commit or build time, rather than after release, makes fixing those problems easier, faster, and cheaper.
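To make the SCA step concrete, here is an added example (not code from the original article, nor from any Synopsys or other vendor's product) of the core of such a check: an inventory of components is matched against an advisory feed that lists affected version ranges, each component's license is checked against a deny-list, and a policy decides whether the build may proceed. The inventory, the advisory entries (including the IDs ADV-0001 and ADV-0002), the license metadata and the policy are all constructed for illustration and are not real advisory data; the version helper assumes purely numeric dotted versions.

```python
"""Minimal software composition analysis (SCA) gate: inventory -> advisory
match -> license check -> policy decision.  All data here is constructed."""
from dataclasses import dataclass

# Constructed inventory, in the shape a build tool or lockfile would report.
INVENTORY = {
    "org.apache.struts:struts2-core": "2.3.31",
    "commons-io:commons-io": "2.11.0",
    "org.example:gpl-widget": "1.4.2",
}

# Constructed advisory feed (hypothetical IDs, not real CVE data).
# The affected range is half-open: [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "component": "org.apache.struts:struts2-core",
     "introduced": "2.3.5", "fixed": "2.3.32", "severity": "critical"},
    {"id": "ADV-0002", "component": "commons-io:commons-io",
     "introduced": "2.0", "fixed": "2.7", "severity": "medium"},
]

# Constructed license metadata per component (SPDX-style identifiers).
LICENSES = {
    "org.apache.struts:struts2-core": "Apache-2.0",
    "commons-io:commons-io": "Apache-2.0",
    "org.example:gpl-widget": "GPL-3.0-only",
}

# Policy: which severities and which licenses block the build.
POLICY = {
    "block_severities": {"critical", "high"},
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
}


def parse_version(v):
    """'2.3.31' -> (2, 3, 31).  Comparing tuples of ints avoids the classic
    lexical bug where the string '2.11.0' sorts below '2.7'."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, introduced, fixed):
    """True if version lies in the half-open range [introduced, fixed)."""
    ver = parse_version(version)
    return parse_version(introduced) <= ver < parse_version(fixed)


@dataclass
class Finding:
    component: str
    version: str
    kind: str       # "vulnerability" or "license"
    detail: str
    blocking: bool  # does policy say this finding fails the build?


def scan(inventory, advisories, licenses, policy):
    """Match every inventoried component against advisories and license policy."""
    findings = []
    for component, version in inventory.items():
        for adv in advisories:
            if adv["component"] == component and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(
                    component, version, "vulnerability",
                    f"{adv['id']} ({adv['severity']}); fixed in {adv['fixed']}",
                    adv["severity"] in policy["block_severities"]))
        # An unknown license is treated as a blocking finding on purpose:
        # "we don't know" is not an acceptable answer for compliance.
        lic = licenses.get(component, "UNKNOWN")
        if lic == "UNKNOWN" or lic in policy["denied_licenses"]:
            findings.append(Finding(component, version, "license", lic, True))
    return findings


def build_allowed(findings):
    """The policy gate: any blocking finding fails the build."""
    return not any(f.blocking for f in findings)


if __name__ == "__main__":
    results = scan(INVENTORY, ADVISORIES, LICENSES, POLICY)
    for f in results:
        flag = "BLOCK" if f.blocking else "warn"
        print(f"[{flag}] {f.kind:13} {f.component}@{f.version}: {f.detail}")
    raise SystemExit(0 if build_allowed(results) else 1)
```

Run as a CI step, the non-zero exit status fails the build on blocking findings, which is what "moving SCA earlier in the SDLC" looks like in practice. Note that commons-io 2.11.0 is correctly reported as outside the 2.0 to 2.7 range only because versions are compared as integer tuples; a plain string comparison would have flagged it.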
Other tools that should be part of the SDLC include these:
Deploying such a variety of application security testing tools may seem daunting, and development teams fear it will slow them down. But the truth is that finding and fixing vulnerabilities earlier in the SDLC is easier and less expensive overall.
Beyond that, as Forrester notes, automation helps to "ease the adoption of security testing."
"Automating prerelease testing is relatively easy for applications that have an automated SDLC, so security pros will see relief in sight as their developer colleagues move in this direction."
Automated testing provides relief for more than just developers. The entire organization benefits from making its most exposed attack surface, its web applications, more resistant to attack.