Security in cyberspace is a matter of great urgency. This is especially true for web applications, which are exposed to a large number of users and, for that very reason, are the most frequently attacked by cybercriminals.
Below is a translation of an article on the ways to reduce these risks and on which of them will suit you best.
Four web application security solutions: which one is right for you?
Web applications are a particularly hot topic right now. What do information security engineers need to know to cope with the risks?
The National Bank of Qatar, recently the victim of an attack in which more than 1.4 GB of user data, including all personal and card details, was stolen, suspects that it was compromised through SQL injection.
The same group of hackers subsequently broke into six other financial institutions by exploiting vulnerabilities in their websites and web applications.
Acceptance of risks
The breaches mentioned above are just the tip of the iceberg: many more successful attacks go unnoticed or are never reported. Today, with Advanced Persistent Threats (APTs) targeting companies' sites regardless of size or location, simply accepting the risk is no longer a viable strategy.
At the same time, almost every company now runs websites and web applications that are tightly integrated into key business processes. ERP, CRM, HRM and many other vital systems are built on web technologies or at least expose a web interface.
Even if your only web application is a static website, attackers can deface it to damage your reputation. Avoiding the risk entirely is therefore no longer possible.
First of all, perform a thorough inventory of all your web applications. Attackers often get into companies through old subdomains or web applications that nobody has maintained for years. A complete and up-to-date inventory of all digital assets is vital.
The second step in reducing the risk is to minimize the attack surface. The easiest and most reliable way to do this is to properly restrict access to your web applications. If an application is intended for internal use, make sure it cannot be reached from outside.
If some employees need to access the system from home or while traveling, you can either allowlist the VPN's IP address range or add TLS client certificates and two-factor authentication. The fewer applications are publicly reachable, the less likely you are to run into problems later.
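The access controls described above, as an added example that is not part of the original article: a source-address allowlist for the VPN range, a check that the reverse proxy verified a client certificate, and an RFC 6238 TOTP code as the second factor. The VPN range 10.8.0.0/24, the "SUCCESS" value (what nginx puts in $ssl_client_verify) and the demo secret are assumptions made for the example; a real deployment would keep per-user secrets in a store, not in code.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed for the example: the VPN hands out addresses from this range.
VPN_ALLOWLIST = ["10.8.0.0/24"]
# Assumed for the example: the RFC 6238 reference secret (never use in production).
DEMO_SECRET = b"12345678901234567890"


def ip_allowed(client_ip, allowlist):
    """True if client_ip falls inside any allow-listed network (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time counter, HMAC-SHA1, dynamic truncation."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Accept the current code and +/- `window` steps of clock drift.

    compare_digest avoids a timing side channel on the code comparison.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def authorize_remote_access(client_ip, cert_verify, code, unix_time,
                            allowlist=VPN_ALLOWLIST, secret=DEMO_SECRET):
    """Apply the three layers in order; return (allowed, reason).

    cert_verify is the value the TLS-terminating proxy passes to the app
    after verifying the client certificate (nginx: $ssl_client_verify).
    """
    if not ip_allowed(client_ip, allowlist):
        return False, "source address not on VPN allowlist"
    if cert_verify != "SUCCESS":
        return False, "client certificate not verified"
    if not verify_totp(secret, code, unix_time):
        return False, "invalid one-time code"
    return True, "ok"


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 with the demo secret yields 287082.
    print(authorize_remote_access("10.8.0.17", "SUCCESS", "287082", 59))
    print(authorize_remote_access("203.0.113.5", "SUCCESS", "287082", 59))
```

The order of the checks matters: the cheap network check runs first, so an attacker outside the VPN range never gets to exercise the certificate or TOTP code paths at all, which is exactly the attack-surface reduction the paragraph argues for.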
The third recommendation is to ensure that all software in use is properly maintained. Make sure you have a working process for monitoring the health of your web applications and for applying patches.
Since new vulnerabilities in web applications and their components appear almost daily, a vulnerability check once a quarter is no longer enough. The optimal solution is continuous, automated 24/7 monitoring, supplemented by manual or hybrid security testing to find the complex flaws, such as business-logic bugs, that vulnerability scanners cannot detect.
Installing a web application firewall (WAF) can also help. Keep in mind, however, that a WAF is designed to cut off simple automated attacks; it is unlikely to stop professional attackers, or even advanced "young talents".
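To make the WAF caveat concrete, and to tie it back to the SQL injection suspected in the bank breach mentioned at the top, here is an added example (not code from the original article) using Python and an in-memory SQLite table. A toy signature-based filter stops the textbook payload but not a trivially reworded one, while a parameterized query is immune to both. The table, the rows and the three WAF signatures are constructed for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed demo table standing in for a real accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1881"), (3, "carol", "0005")],
    )
    return conn


# Toy WAF: textbook SQL injection signatures, the kind of rule that stops
# automated scanners but is easy for a human attacker to sidestep.
WAF_SIGNATURES = [
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # ' OR '1'='1 and variants
    re.compile(r"--"),                                   # SQL comment terminator
]


def waf_blocks(user_input):
    """True if any signature matches the raw request parameter."""
    return any(p.search(user_input) for p in WAF_SIGNATURES)


def lookup_vulnerable(conn, username):
    """String-built query: user input becomes part of the SQL statement."""
    sql = "SELECT username, card_last4 FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: input is bound as data and cannot alter the statement."""
    return conn.execute(
        "SELECT username, card_last4 FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def handle_request(conn, username, use_waf, use_parameterized):
    """Simulate one request through the optional WAF and the chosen query style."""
    if use_waf and waf_blocks(username):
        return "blocked"
    if use_parameterized:
        return lookup_safe(conn, username)
    return lookup_vulnerable(conn, username)


if __name__ == "__main__":
    db = make_db()
    textbook = "' OR '1'='1"   # matches the WAF signature
    reworded = "' OR 'a'='a"   # same effect, no digits, slips past the WAF
    print("no WAF, vulnerable:", handle_request(db, textbook, False, False))
    print("WAF, vulnerable, textbook:", handle_request(db, textbook, True, False))
    print("WAF, vulnerable, reworded:", handle_request(db, reworded, True, False))
    print("WAF, parameterized, reworded:", handle_request(db, reworded, True, True))
```

The lesson is the one the paragraph makes: the filter buys time against automated probing, but the fix that actually holds lives in the application code, which is why a WAF belongs in front of, not instead of, secure development.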
I would also recommend introducing a secure software development lifecycle (SDLC), although in the era of agile development and outsourcing it will not always solve the problems it is meant to. But if you have the opportunity to deploy it and maintain it properly, do not neglect it.
Security training for your web developers is another good investment. If you outsource development, add mandatory qualification requirements for secure software development to your Request for Proposal (RFP).
According to a recent PwC report, the global cyber insurance market will grow from $2.5 billion today to $7.5 billion. Cyber insurance may be a good idea, but remember that this market is still far from mature, which can lead to many unpleasant surprises.
Companies should adopt defense in depth to ensure multi-layered, reliable security. For example, a website should have continuous, automated vulnerability scanning of both the site and its supporting infrastructure, plus security testing at every stage of the secure development lifecycle as a complement to secure coding practices.
In addition, a web application firewall can serve as a proactive layer of protection. Ideally it should be supplemented by regular manual testing by qualified personnel.
Focus your efforts on risk reduction, combined with risk transfer measures, and you can head off most problems before they occur.