By Taylor Armerding, Security Expert at Synopsys Software Integrity Group
Hackers are targeting your web apps. How do you stop them? Set priorities.
Setting priorities, as most of us have learned (sometimes through bitter experience), is fundamental to success.
So it should be no surprise that setting priorities is fundamental to securing your digital assets. To do so, you have to catalog what you have (and therefore what you need to protect). You have to figure out which “attack surfaces” stand out to hackers looking to get inside your system. And you have to use the right tools to keep attackers out.
Fortunately, all that is possible. It just takes some time, effort, and, yes, investment.
Web apps are the most popular attack surface
There’s no mystery about hackers’ favorite attack surface. As multiple reports on data breaches have found, web applications are at the top.
In Forrester’s The State of Application Security, 2019, author Amy DeMartine opens with this declaration: “Application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks.”
In the most recent Verizon Data Breach Investigations Report (DBIR), web applications are among the top three attack vectors in eight of the nine industry verticals covered by the report. They are No. 1 in four of them.
And according to SAP, 84% of cyber attacks happen on the application layer, making it the No. 1 attack surface for hackers.
Insecure web apps open the door to hackers
There should be no mystery about why web apps are a target either. If attackers can exploit a web application vulnerability, they have potentially unlimited access. “Malicious attackers who exploit an application through a vulnerability or weakness will also have access to the data that application has access to, no matter what data security or network protections you may have in place,” DeMartine wrote in the report.
Of course, every business with an online presence has web applications. Those apps are built with software. And software, hackers know, is rarely perfect. They also know that even when patches are issued for bugs or other vulnerabilities, not every organisation installs them.
Perhaps the most notorious example of the past several years — the 2017 breach of credit reporting giant Equifax, which compromised the personal and financial information of about 147 million people — was made possible because the company failed to install a two-month-old patch for a vulnerability in Apache Struts, a popular open source web framework.
But even that wasn’t enough to get companies to pay attention. As the 2018 Synopsys Open Source Security and Risk Analysis (OSSRA) report showed nine months later, a third of audited codebases containing Apache Struts were still vulnerable to the same issue that affected Equifax.
How to protect your web apps from hackers
So the priority is obvious: Protect your web applications.
There are ways to do that — the key word is “ways.” There is not one way to do it. Don’t fall for any pitch that says if you employ this magical “all-in-one” tool, your applications will be safe.
Nothing in life, or online, is completely secure. But with the right set of tools, deployed throughout the software development life cycle (SDLC), you can be confident that your web apps are protected from all but the most motivated and expert hackers.
Know what’s in your code with software composition analysis
To start, it helps to know what software components you’re using and where they came from. While most organisations create proprietary software, virtually all — 99% according to the OSSRA — also use open source.
Nothing wrong with that — open source helps reduce the time and expense of application development. It provides ready-made “raw materials,” so developers don’t have to reinvent the basics every time they create a new app.
But open source is no more (or less) secure than other software, and it also comes with licensing requirements. That means organisations that don’t keep track of what they’re using could miss notifications that there are patches available for known vulnerabilities. And they could get in legal trouble for open source license violations.
The way to avoid all that is with software composition analysis (SCA). SCA allows you to manage your open source security and license compliance risks through automated analysis and policy enforcement.
And it’s important to move SCA earlier in the SDLC — It makes fixing those problems easier, faster, and cheaper.
Find and fix web app security issues with a complete AppSec toolbelt
Other tools that should be part of the SDLC include these:
•SAST (static application security testing) helps find and fix security and quality weaknesses in proprietary code during development. The Forrester report noted above found that an increasing number of firms “are more likely to implement SAST in the development phase. With new tools that allow developers the ability to ‘spell-check’ their code in their IDEs, security pros can help deliver remediation advice to developers at the cheapest and easiest-to-fix stage of the SDLC.”
•DAST (dynamic application security testing) tests running applications in an environment that mimics production.
•IAST (interactive application security testing) helps identify and verify vulnerabilities and sensitive-data leakage with automated testing of running applications.
•Penetration testing is intended for the end of development, presumably after most vulnerabilities have been caught and fixed. It focuses on exploratory risk analysis and business logic by finding vulnerabilities in web applications and services and trying to exploit them.
Deploying such a variety of application security testing tools may seem daunting, and development teams fear it will slow them down. But the truth is that finding and fixing vulnerabilities earlier in the SDLC is easier and less expensive overall.
Beyond that, as Forrester notes, automation helps to “ease the adoption of security testing.”
“Automating prerelease testing is relatively easy for applications that have an automated SDLC, so security pros will see relief in sight as their developer colleagues move in this direction.”
Automated testing provides relief for more than just developers. The entire organisation will benefit from making its most common attack vectors more resistant to attacks.