Web application security -- five ways to improve your approach
Web applications remain one of the most targeted areas for threat actors. According to Verizon’s Data Breach Investigations Report, web application attacks were behind 26 percent of all successful attacks during the twelve months covered. Yet while the methods for attacking web applications are well known and understood, as evidenced by the work that the Open Web Application Security Project (OWASP) has done on their Top Ten list over the years, many companies still find hardening their applications challenging.
Authorization and access control describe the biggest set of challenges identified by OWASP in their most recent Top 10 list (2021) -- three out of the top five issues were around broken authorization, while broken authentication and improper access to resources were also common problems. The OWASP Top 10 for 2021 also includes attacks that exploit unrestricted access to sensitive business flows, which covers areas like creating fake accounts, and server side request forgery, where an attacker induces the server or its APIs to send requests to destinations the developer never intended.
In our TruRisk Research report, we looked at more than 370,000 web applications and discovered more than 25 million vulnerabilities. The most common issue we detected, a third of the total, was classified as Security Misconfiguration under the OWASP guidance, so this is an area to concentrate on if you want to remove potential problems.
To prevent web application issues, security should be included in the overall application development process from the start. This secure by design approach should be the default, but application development teams have many competing demands to keep up with. To help with this, there are some best practices that you can adopt.
Plan security testing from the start
The first step in improving web application security practices is to integrate security testing into your software design phase. This approach should help your software engineering and developer teams see where there are potential problems that need to be fixed at the start of any project, rather than later in the process. However, this is not just about flagging potential issues -- it should also be an opportunity to discuss the overall process for software development and security, so that you can collaborate more effectively over time. Testing applications as you build them helps you avoid problems being found later, when they are more expensive to fix.
Empower security champions
As part of this collaboration, you should also look at how you can empower your developers to become security champions in their own right. Rather than making them dependent on security teams for carrying out this testing, this approach gives your developers more autonomy and ownership over their engineering process while adding security support too. It is a better basis for collaboration than leaving the security team to feel responsible for those security issues alone. Over time, this collaboration and ownership can lead to profound changes in how your application security programs perform.
Defense in depth
The usual tools for assessing application security include automated software scanners and manual penetration testing. These two approaches are complementary, as each has its own strengths and weaknesses that can be leveraged to improve the overall success of an application security program. Automated scanning provides you with more frequent updates on what is taking place, while manual testing helps you understand the context for your application and how the application logic might be attacked once it moves into production. By linking them together, you can get the best of both worlds.
Address risk -- not the symptoms
You may find issues in your web applications that should be fixed, but you may also have trouble rolling out those solutions. For example, your application might be in demand and used to generate revenue for the business, so if it is unavailable due to an update, it could result in a loss of revenue during this timeframe. In this scenario, clearly articulating the risk with the CISO and other executive leadership can help them see that the financial benefits in keeping web applications secure outweigh site availability in the long run.
Oftentimes business demands can result in security teams addressing the symptoms rather than the underlying issue, by attempting to resolve risk with Web Application Firewalls (WAFs). While they provide temporary protection for your applications, WAFs can be bypassed by determined attackers. To prevent this, encourage your teams to deploy remediated code that fully fixes the problem as soon as possible. This is much more effective over time.
Be realistic in your approach
The last piece of advice around web application security is to fight the battles that are worth winning. In other words, concentrate your resources where they can have the most impact. For instance, when your team resources are limited, or where developers need to concentrate on the most pressing risks, you will have to prioritize which issues you address first. Being realistic makes it clear that you have everyone’s goals and capacity in mind, so you can develop stronger collaboration and unity over time.
This point is essential for security teams tasked with managing web application security alongside all the other risks that companies face. Security departments may not be responsible for deploying updates -- this may depend on the developers, so establishing a strong working relationship and understanding the pressures they are under is essential. By knowing your developers’ goals and pressure points, you can help them achieve their objectives and improve security for your web applications together.
John Delaroderie is Director of Product Management for Web Application Security at Qualys.