Industry Trends

Byline: It’s Time to Get Serious About Web Application Security

By John Maddison | July 20, 2017

Historically, IT teams have tended to deploy web application firewalls (WAFs) simply to comply with Payment Card Industry Data Security Standards (PCI DSS). If this is the case in your organization, whether you are a financial services provider or a retailer, it may be time to take another look at these valuable security tools. Many of today’s data security professionals are beginning to recognize that unprotected web applications have become attractive targets for cybercriminals looking for easy entry points into their networks.

The fact is, securing application environments presents a unique and persistent challenge to IT teams, which is why 83 percent of enterprise IT executives, according to a recent IDG survey, now believe that application security is critical to their IT strategy.

Top Web Application Attack Types

Many externally facing web applications are potentially vulnerable to a number of different attacks. In fact, according to a June 2017 Mozilla survey, of the top one million websites analyzed, 93.45 percent earned an “F” for failure to implement basic security measures that would protect them from attacks like cross-site scripting, man-in-the-middle, and cookie hijacking. Here are a few that IT teams should be paying close attention to:

  • Cross-site scripting (XSS): These types of attacks inject malicious scripts into vulnerable web sites. Cross-site scripting attacks enable attackers to enter and steal sensitive financial data or even take control of targeted devices with known vulnerabilities. Flaws in both application code and the devices they run on that allow these attacks to succeed are actually quite widespread. Successful attacks can occur anywhere a web application uses input from a user to modify the output it generates without first validating or encoding it.
  • SQL injection: When these types of attacks are successful, attackers can use them as a way to bypass authentication measures to retrieve information from databases. In 2015, for example, a group was accused of using SQL injection attacks to steal $30 million using stolen financial information.
  • Layer 7 Denial of Service: Layer 7 (application layer) DoS attacks are commonly used to target and overload a specific function. These sorts of attacks can be used for a variety of criminal purposes, from merely disrupting a business by shutting down essential services, to holding these services hostage until a ransom is paid, or even as a means to distract security teams from a more serious security breach occurring in another part of the network.
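The XSS and SQL injection bullets above both come down to the same root cause: user input is spliced into the structure of an output (HTML or SQL) instead of being treated as data. The following is an added example, not code from the original article or from any vendor product; it uses a constructed in-memory SQLite table and constructed probe strings to show the vulnerable and the hardened form of each pattern side by side.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pw):
    # User input is spliced into the SQL text, so quote characters the user
    # supplies change the query's structure. This is the injectable form.
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user, pw):
    # Bound parameters keep the query structure fixed; input is only ever data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


def greet_vulnerable(name):
    # Reflects user input into HTML without encoding it (the XSS form).
    return f"<p>Welcome, {name}!</p>"


def greet_safe(name):
    # Encodes &, <, >, " and ' so the input renders as text, not markup.
    return f"<p>Welcome, {html.escape(name)}!</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"           # constructed probe string
    print(login_vulnerable(db, "anyone", tautology))   # returns a row: bypass
    print(login_safe(db, "anyone", tautology))         # returns nothing
    probe = "<script>probe()</script>"  # constructed probe string
    print(greet_vulnerable(probe))      # markup reaches the browser intact
    print(greet_safe(probe))            # markup is rendered as literal text
```

The vulnerable login returns a row for a password that is not the real one, which is the authentication bypass the article describes; the parameterized version does not, and the encoded greeting never lets the probe reach the browser as markup.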

Commercial code can also be vulnerable to things like poor security hygiene, especially when a lack of resources inhibits IT teams from applying patches and security fixes as soon as they’re available.

But external web applications are only part of the problem. Internal web applications, especially those that have been developed in-house, are often considered to be even easier than external apps to compromise if attackers are able to gain access to the internal network. Custom code is traditionally one of the weakest security links for many organizations, as internal application development teams are often simply unable to stay up to date on all the new attack types, or to do the sort of deep, cross-application vulnerability testing that commercial developers are able to provide.

A single external application, say, making an online purchase, may trigger dozens of internal applications, such as checking and restocking inventory, triggering shipment and preparing shipping labels, processing payments, adding the purchase to a customer’s shopping history, and so on. Not only can these individual applications potentially be exploited, but modifying a shared library, or even changing the order in which the downstream applications are invoked, can sometimes open a vulnerability that attackers can exploit.

These sorts of attacks are notoriously problematic for organizations that mistakenly believe that their perimeter defense systems have them fully protected. The reality is that a perimeter breach is simply a matter of time. The most effective place to start with any application security strategy is to assume that your perimeter defenses will be compromised.

How Web Application Security Solutions Can Help

Sophisticated web application security services need to leverage real-time threat information to keep web apps safe from the latest risks. A good place to start is to review the OWASP Top 10 list, which tracks the most common application attacks. But that is just the beginning. Application-based attacks change regularly, and new threats are being released all the time. So it is critical that you deploy a WAF solution that not only addresses the most common threats, but also leverages such things as IP reputation services and receives regular feeds and updates from a global threat service.

Additionally, many web application security solutions offer a correlation engine that pulls and analyzes multiple events across all security layers. This approach enables you to expand visibility across your entire environment, and automatically combine local and global threat intelligence to make more accurate decisions to better protect your organization.

Vulnerability scanning is another critical element for staying protected. You need to understand which devices you have deployed across your network, what operating systems and current patches are loaded on them, and which applications run on or pass through them. The majority of successful attacks exploit vulnerabilities that are not only known about, but for which patches have been available for weeks, months, or far too frequently, even years.

Protect Your Apps

As application-focused threats continue to evolve, both in number and sophistication, a single web application security device is typically not enough to defend the entire, distributed network. Instead, organizations need to consider investing in a multi-pronged web application security approach that can tie different devices together, and leverage and share intelligence across a variety of other security and network devices. It’s also increasingly important to have a centralized, unified console, such as a FortiWeb Web Application Firewall, that allows you to manage and orchestrate multiple gateway devices at the same time, correlate threat information, and deliver a coordinated response to any detected problems.