If you run web applications on your own infrastructure, they are probably secured with a variety of techniques, including firewalls, regular patching and network monitoring. But what happens when you access web applications over the Internet? How do you ensure your employees’ use of them is secure?
As a business owner or IT manager, you focus on securing your IT estate. This job is increasingly complex. For example, we know that the increasing use of mobile devices is blurring the perimeter of IT estates.
How can you secure a perimeter when it is constantly on the move and not owned by the business? To answer this question, we looked at the issues around BYOD mobile security in a previous blog post.
But there is another key technology that almost every business uses that is also shifting the perimeter of our IT estate: web apps. These third-party applications accessed over the Internet are not under our direct control and, as a result, securing users’ access to and use of them is too often overlooked.
Worse, a 2018 survey by Positive Technologies found that 100 percent of the web applications tested had some sort of vulnerability.
The Positive Technologies report found that 44 percent of web applications are vulnerable to data leakage and security problems, while 48 percent are vulnerable to unauthorised access.
Little wonder, then, that content delivery network services provider Akamai(1) found that web application attacks are on the rise. In 2017, it reported a 69 percent increase in web app attacks.
This paints a troubling picture when we consider the huge shift away from locally hosted software on a perpetual licence model to the software-as-a-service web app delivery model. Not only do IT managers have less control over their applications, they also should not assume that every SaaS or web app being used by the business is secure.
In 2017, Verizon’s Data Breach Investigations report(2) found that 29.5 percent of breaches were caused by web application attacks.
Attackers exploit vulnerabilities in the web app software, as they search for new ways into an organisation’s network.
In its State of the Internet Security analysis(1), Akamai found that SQL injection (SQLi) and Local File Inclusion (LFI) attacks posed the greatest risk, while Cross-Site Scripting (XSS) attacks are another significant risk. In the last of these, attackers inject malicious scripts into otherwise benign and trusted websites.
SQLi attacks: the oldest and most prevalent web application attack vector, in which attackers bypass the authentication and authorization of a web page or web application to retrieve, add, modify or delete content in an SQL database.
LFI attacks and Remote File Inclusion (RFI) attacks: here, the attacker tricks the web application into exposing or running files on the web server. These attacks exploit vulnerabilities that arise when an application uses the path to a file as input.
XSS attacks: an attacker uses the web application to send malicious code, generally in the form of a browser-side script, to a different end user.
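The three attack classes above all come down to the same root cause: untrusted input reaching an interpreter (the database, the filesystem, the browser) without being treated strictly as data. The following Python example is added here to illustrate that point; it is not code from the original post or from any vendor named in it. It uses a constructed in-memory SQLite table, a hypothetical document root (PUBLIC_ROOT) and function names chosen for this illustration, and shows the vulnerable form beside the hardened form for each class.

```python
import html
import sqlite3
from pathlib import Path
from typing import List, Optional


# Constructed sample data: a throwaway in-memory SQLite table of users.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn


# --- SQL injection: the input becomes part of the query text ---------------
def lookup_email_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    # The username is pasted into the SQL string, so a quote character in the
    # input changes the query itself. Even an honest name like o'brien breaks
    # it, which is the tell-tale sign that input is being parsed as SQL.
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # Bound parameter: the driver passes the value separately from the SQL, so
    # it is always treated as data and can never alter the query structure.
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# --- Local/remote file inclusion: confine file paths to a document root -----
PUBLIC_ROOT = Path("/srv/app/public")  # hypothetical document root


def resolve_public_path(root: Path, requested: str) -> Optional[Path]:
    # Remote inclusion: a URL is never fetched, whatever the rest of the path.
    if "://" in requested:
        return None
    # Local inclusion: join, normalise (".." segments, symlinks) and then insist
    # the result is still inside the root. A traversal such as ../../etc/passwd
    # or an absolute path escapes the root and is refused rather than served.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        return None
    return candidate


# --- Cross-site scripting: encode untrusted data before it reaches HTML ----
def render_greeting_unsafe(name: str) -> str:
    # Reflecting the parameter verbatim lets any markup in it run in the
    # visitor's browser.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the browser shows
    # the text instead of interpreting it.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"
```

The hardened forms are what a scanning tool or code review should expect to find: parameterised queries rather than string-built SQL, file paths validated against a fixed root, and output encoding applied at the point where data is written into HTML.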
In one high-profile example, attackers exploited a vulnerability in the Magento e-commerce shopping cart to steal the payment data entered into more than 6,000 retail sites. They injected malicious JavaScript code to skim data. Many of the affected retailers were small businesses that did not have the resources to assess effectively whether their website was secure.
You can’t assume a platform is secure simply because it is well known and widely used. Rather than relying on vendor assurances, organisations must take some responsibility themselves for ensuring the web apps they use are secure.
#1. Stay informed
First, organisations need to do their homework to ensure that the software they are using is secure. This means staying abreast of vulnerability reports online and in the media – such as those published by the Open Web Application Security Project (OWASP)(3).
#2. Scan for vulnerabilities regularly
It is essential that testing and scanning are not a one-time effort. Investing in scanning tools – for example, a web application scanning service like Detectify(4) – makes it possible to identify vulnerabilities with relative ease and on a regular basis.
#3. Address vulnerabilities
When vulnerabilities are identified, organisations need to work with their suppliers to ensure updates and patches are installed and unresolved problems are reported, so that prompt action is taken to fix issues.
#4. Maintain good access control
Any publicly facing logon pages should be secured using multiple security measures.
We recommend taking a multi-faceted approach to securing access to your web apps.
This will include:
• A highly complex password of 16 characters, mixing upper case, lower case, numbers and symbols.
• Two-factor authentication: so that when someone logs in, an additional access request is sent to their phone to be accepted.
• IP address locking, so that the logon page is only accessible from IP addresses that require access to it, i.e. yours and your ISP’s.
• Password lockout: in the event of multiple failed logon attempts, the account should lock itself.
• Captcha code: the user logging in should be presented with an image which they must click or type in to validate that they are a real person.
• Brute-force protection: should a large volume of traffic come from a specific IP address in a short period of time, that IP address should be blacklisted from access.
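To show how the controls in the list above fit together on a logon endpoint, here is an added Python example; it is illustrative code written for this post, not part of the original article or of any product it mentions. The 16-character password rule comes from the list; the lockout threshold, lockout duration, burst limit and window are assumed values, the allowed network is a constructed documentation range, and the credentials are constructed plain-text values standing in for the hashed passwords a real system would store.

```python
import hmac
import ipaddress
import re
import time
from collections import defaultdict, deque
from typing import Callable, Dict

# Policy values. Only the 16-character minimum comes from the list above;
# every other threshold is an assumption chosen for illustration.
PASSWORD_MIN_LEN = 16
LOCKOUT_THRESHOLD = 5        # assumed: consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60    # assumed: how long the lock lasts
IP_BURST_LIMIT = 50          # assumed: attempts per window before the IP is blocklisted
IP_BURST_WINDOW = 60         # assumed: sliding window length in seconds
# IP address locking: only these ranges may reach the logon page at all.
# Constructed example range (TEST-NET-3); substitute your office and ISP addresses.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def password_meets_policy(pw: str) -> bool:
    """16+ characters containing upper case, lower case, a digit and a symbol."""
    checks = [
        len(pw) >= PASSWORD_MIN_LEN,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"[0-9]", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(bool(c) for c in checks)


class LoginGate:
    """Applies the listed controls, in order, to each logon attempt."""

    def __init__(self, credentials: Dict[str, str],
                 clock: Callable[[], float] = time.monotonic):
        # Constructed plain-text credentials for the demo only.
        self.credentials = credentials
        self.clock = clock                                 # injectable for testing
        self.failures: Dict[str, int] = defaultdict(int)   # consecutive bad passwords
        self.locked_until: Dict[str, float] = {}           # account lockout expiry
        self.ip_attempts = defaultdict(deque)              # recent attempt times per IP
        self.blocked_ips = set()

    def _ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in ALLOWED_NETWORKS)

    def _record_ip_attempt(self, ip: str) -> bool:
        # Brute-force protection: count attempts in a sliding window and
        # blocklist the address once the burst limit is exceeded.
        now = self.clock()
        recent = self.ip_attempts[ip]
        recent.append(now)
        while recent and now - recent[0] > IP_BURST_WINDOW:
            recent.popleft()
        if len(recent) > IP_BURST_LIMIT:
            self.blocked_ips.add(ip)
        return ip not in self.blocked_ips

    def attempt(self, username: str, password: str, ip: str,
                captcha_ok: bool, second_factor_approved: bool) -> str:
        if not self._ip_allowed(ip):
            return "denied: source address not on allowlist"
        if not self._record_ip_attempt(ip):
            return "denied: source address blocklisted"
        if not captcha_ok:
            return "denied: captcha not solved"
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "denied: account locked"
        stored = self.credentials.get(username, "")
        # Constant-time comparison so response timing does not leak information.
        if not (username in self.credentials
                and hmac.compare_digest(stored.encode(), password.encode())):
            self.failures[username] += 1
            if self.failures[username] >= LOCKOUT_THRESHOLD:
                self.locked_until[username] = now + LOCKOUT_SECONDS
                self.failures[username] = 0
            return "denied: bad credentials"
        # Two-factor: the approval request sent to the user's phone must be accepted.
        if not second_factor_approved:
            return "denied: second factor not approved"
        self.failures[username] = 0
        return "ok"
```

The order matters: the network allowlist and per-IP throttle run before any account state is touched, so a flood from an unexpected address never reaches the password check, and the account lockout is evaluated before the credentials so a locked account cannot be probed further.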
The picture is complex, but the risks are great: we know that GDPR has upped the stakes as far as data breaches are concerned. And, of course, customers who experience the consequences of a weak security set-up are not likely to return to that business again – and the same goes for potential partners and investors too.
It’s therefore vital that this often-overlooked element of IT security becomes a higher priority for small and medium-sized businesses and organisations.
If you’d like any help or advice about how to secure the third-party web apps being used by your organisation, contact the Grant McGregor team.
1. https://www.akamai.com/de/de/multimedia/documents/state-of-the-internet/q3-2017-state-of-the-internet-security-report.pdf
2. https://www.ictsecuritymagazine.com/wp-content/uploads/2017-Data-Breach-Investigations-Report.pdf
3. https://www.owasp.org/index.php/Main_Page
4. https://detectify.com/small-business