Web applications remain the third most common attack vector overall, with hacking still on the increase, from organized criminal groups, amateurs and political activists.
Complex technology, growing adoption of web 2.0 functionality and powerful features of HTML5 have enhanced the opportunity for hackers to exploit vulnerabilities. The consequences of a compromised web application can go way beyond the web server: a number of high-profile attacks with prestigious companies caused millions USD in losses. All organizations are potential victims.
“According to High-Tech Bridge, as many as three out of four successful network intrusions start and/or involve an unsecured web application,” says Frost & Sullivan analyst, Chris Rodriguez. “By “network intrusion’ we mean attacks where the goal is to achieve an ongoing access.” The attack becomes categorized as an APT, which purpose is always to steal data, rather than to cause damage. APTs target organizations in sectors with high-value information, such as defense, manufacturing and finance.
The complexity of an attack and the victim’s internal architecture will determine how much damage a hacker can do. The database structure behind a website is much more important than the structure of the website itself. In almost every case, a compromised web application gives unlimited access to all the resources that the web application uses, including databases.
“Hackers frequently attack the trusted partners of their real victims,” adds Rodriguez. “Web developers usually consider partners to be trusted parties and take insufficient security measures. However, organizations must be vigilant that their partners ensure the protection of their accounts against breaches and misuse.”
An organization can never be certain to have zero vulnerabilities on their website even if the utmost care is taken during development; there is no way that we can future-proof out code. Developers can only take into account vulnerabilities that are known at the time of development. “A web application can be safe today and then vulnerable tomorrow,” notes Rodriguez. “That is why security is an on-going commitment.”
No modern application can be made 100 per cent secure and still be 100 per cent functional and user-friendly. Layered security is a sensible approach to optimizing security, by deploying intrusion detection and intrusion prevention systems (IDS/IPS) at different points of the network, even inside the corporate firewall (to mitigate the threat from insiders). A less complicated and expensive solution to monitor and filter malicious traffic to web applications is a Web Application Firewall (WAF).
“Organizations, however, should understand that it is a very precarious practice and approach for information security to rely solely on application security from any third-parties solutions, like IPS or WAF,” advices Rodriguez. “The best and the most efficient approach is to assure that the application code itself is safe and does not contain any known vulnerabilities or weaknesses. This is why regular penetration testing of web applications remains vitally important, even in organizations that have deployed IPS/WAF solutions.”
Hacking is highly dynamic, and new vulnerabilities are discovered as quickly as known vulnerabilities are patched. Website owners must strike the right balance between functionality, user friendliness and security. Consequently, organizations cannot achieve web application security, but they should certainly strive to optimize security.
“Developing a security-conscious culture is a step in the right direction,” summarizes Rodriquez. “To complete the journey, we recommend that organizations form real, long-term partnerships with stable, reputable security companies capable of providing the individual solutions that will optimise web application security.”