The unrelenting move to the cloud means that web apps are becoming ever more common. They have also increasingly become targets for hackers and this is often because of security failings; many of the recent high-profile security breaches have come about because of web app security vulnerabilities.
Ilia Kolochenko, CEO of High-Tech Bridge suggests a quintet of things companies do - or fail to do, that make the life of hackers easier.
1. Underestimation of Risks and Threats Related to Insecure Web Applications
Many large companies and international organisations still seriously underestimate the value of their web applications, and have their security as the lowest priority in their risk management. And I am not even speaking about complicated SSRF or application logic flaws, but at least about proper detection and remediation of OWASP Top Ten vulnerabilities.
As we can see from the beginning of this article, companies just don’t realise that a vulnerable website is a perfect vector to start an APT without spending much money on it.
2. Lack of Continuous Monitoring
Web technologies are constantly evolving, and what is secure today may become vulnerable tonight. Therefore, a quarterly scan and annual pen test to achieve PCI DSS compliance is not enough anymore to stay ahead of hackers. Many companies do not perceive web application security as a continuous process, but rather as a one-time audit, putting their web infrastructure and related back-end at critical risk.
3. Missing or Poorly-Implemented Secure Software Development Life Cycle (S-SDLC)
In spite of a plethora of guidelines and standards of secure software development in existence today, many companies still ignore them due to high complexity or expense of implementation. The situation is even worse in companies where software development teams have existed for years - as any change to well-established [but insecure] procedures will be met with hostility, as nobody wants to spend additional time on software security if not paid additionally for it.
4. Dominance of Business Needs Over Security Processes
Data breaches via insecure web applications regularly occur even in companies where S-SDLC is mature and well integrated into a company’s daily business processes. The consequences of the financial crisis of 2009 are still here - many companies suffer from sluggish demand and very tough global competition. Often business requires a new feature to be done in few hours on Friday evening to outperform a competitor - of course, we can forget about security when such pressure occurs.
Nevertheless, it’s the business who pays the salaries to developers and infosec folks, and it’s always the business who has the last word. However, it's also the business who shall be ready to take the responsibility for a new data breach and related costs.
5. Ignorance of Third-Party Risks
Many companies start introducing thorough security and compliance guidelines for their third-party suppliers and partners, however they often fail to mention proper web application security with them. As a result, attackers can compromise a website of your long-time supplier, consultant or partner, and instead of hosting malware on your website - they host it on a trusted-party website, achieving the same result at the end.
Jan Schreuder, partner, cybersecurity leader from PwC Switzerland, says: "Recently we've seen many organisations attacked through sophisticated cyber attacks on their supply chain partners. With global supply chains becoming more and more digital and interconnected, establishing trust in your supply chain is becoming more challenging all the time".
As paying for an anti-smoking patch is much cheaper and less dramatic than spending a six-digit amount on cancesar treatment, spending on preventive web application security is much more cost-effective and less painful than paying for APT forensics.
Therefore, if you are currently finalising your cybersecurity budget for 2016 - don’t forget about proper web application security, not just vulnerability scanning.