With this year’s attacks against Colonial Pipeline and Kaseya, ransomware and its impact on infrastructure have been pushed to the forefront of American political consciousness. These cyber attacks brought pain to the public, driving a response from the White House.
The response was followed more recently by memoranda from NIST and the Office of Management and Budget (OMB) clarifying definitions, procedures, and timeframes for the national security effort. Cybersecurity teams must not mistake following this plan for comprehensive protection from risk; there is a significant threat not addressed by the Government’s response.
Here’s why: the OMB directs government organizations to focus on standalone systems that are connected to critical infrastructure or sensitive information but neglects a key area – the web applications that the private sector has depended on to conduct business for years. Web applications are often deeply integrated and widely accessed within companies, defying the neatly defined security borders of the standalone systems targeted by the OMB. Neglecting web application security therefore neglects a significant area of cyber risk for companies.
Forrester concludes that web applications are the most used attack vector for breaches, but breaches don’t usually originate with novel attacks. Data breaches typically originate with well-understood vulnerabilities (and corresponding exploits) that organizations have failed to address. Some breaches are a result of simple accidents or negligence, such as exposed databases. It’s clear, then, that in addition to securing the systems specified by the OMB, companies need to secure their web applications and web assets through comprehensive discovery and continuous scanning for vulnerabilities.
Organizations need to discover every web application they use
Mid- to large-sized enterprises may have hundreds of web applications and web assets in production. Since something as simple as an unpatched email server or exposed database could lead to significant data breaches or loss of control of systems, companies need to secure all their web applications. But with increasingly strapped developer and security resources, what should a company prioritize?
The first step is to figure out what applications are out there. For organizations, this means discovering every web asset, including ones that may have been lost, forgotten, or unofficially deployed by citizen developers. Once a company has identified every exposed web application, it can assess each one to determine the security risk it represents and prioritize remediation plans accordingly.
Companies can discover their web applications and assets through two types of scanning:
- Crawling the web space to discover publicly exposed web assets associated with the company’s domains; and
- Scanning web applications, web services and web APIs including proprietary, open source and third-party code.
Together, these scans provide a foundation on which security professionals can assess risk and build remediation plans.
Shift security left
By shifting security left, companies can catch vulnerabilities at the earliest possible stage of the software development lifecycle before applications reach production. Detecting vulnerabilities as early as possible can prevent production delays, costly re-development cycles and can contribute to a needed evolution toward secure coding practices.
Pressure to innovate can conflict with the pressure to maintain security. A May 2021 study conducted by Osterman Research showed that 89% of developers have knowingly released insecure code at least some of the time. Third-party components, increasingly used by developers, may introduce vulnerabilities as well. As much as 91% of modern software contains open-source components and 75% of codebases contain at least one open-source vulnerability, according to a recent report by Synopsys. Some of these vulnerabilities are simply flaws in the software, while others may be trojans planted by hackers.
Security professionals should scan code and components during development to detect vulnerabilities early. This covers not only the code itself but also system configurations and the versions and patch levels of the technologies, frameworks and libraries the software depends on. Once detected and quantified, vulnerability data can be combined with the list of discovered applications and assets to create a prioritized list for remediation.
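The two discovery scans listed above and the prioritization step described in this paragraph fit together naturally in code. The following is an added example, not code from the article or from any vendor it mentions: it normalizes hostnames harvested from public sources (the "crawl the web space" step) into an in-scope inventory, flags assets nobody registered, matches each asset's dependency inventory against a list of advisories, and ranks the results by severity weighted by exposure. Every hostname, package version, advisory identifier (`ADV-PLACEHOLDER-*`) and exposure class is constructed for the example; the suffix matching also shows the label-boundary check that keeps look-alike domains out of scope.

```python
"""Discover a company's web assets and rank them for remediation.

Added example with constructed data throughout: hostnames, package versions
and advisory ids are placeholders, not real advisories.
"""

COMPANY_DOMAINS = {"example.com", "example.org"}  # constructed

# Constructed: hostnames seen in public sources such as certificate
# transparency logs and DNS records (the "crawl the web space" step).
PUBLIC_OBSERVATIONS = [
    "www.example.com", "Shop.Example.com", "*.api.example.com",
    "legacy-crm.example.com", "intranet.example.org",
    "example.com.attacker-lookalike.net",  # not ours: suffix must sit on a label boundary
    "notexample.com",                      # not ours either
]

# Constructed: the application register the security team already maintains.
REGISTERED_APPS = {"www.example.com", "shop.example.com", "api.example.com"}

# Constructed dependency inventories per app (the "scan web applications" step).
SBOMS = {
    "www.example.com": [("django", "3.2.9"), ("requests", "2.26.0")],
    "shop.example.com": [("django", "3.1.0"), ("pillow", "8.1.0")],
    "api.example.com": [("flask", "2.0.2")],
    "legacy-crm.example.com": [("django", "2.2.0"), ("pillow", "8.1.0")],
    "intranet.example.org": [("django", "3.1.0")],
}

# Constructed advisories with placeholder ids; fixed_in is the first safe version.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "django", "fixed_in": "3.2.4", "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-2", "package": "pillow", "fixed_in": "8.2.0", "cvss": 7.5},
]

# Constructed exposure classes; hosts not listed are assumed internet-facing.
EXPOSURE = {"intranet.example.org": "internal"}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5}


def in_scope(hostname, domains=COMPANY_DOMAINS):
    """True if hostname is a company domain or a subdomain of one."""
    host = hostname.lower().lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in domains)


def discover_assets(observations, domains=COMPANY_DOMAINS):
    """Normalize public observations into a deduplicated set of in-scope hostnames."""
    return {h.lower().lstrip("*.") for h in observations if in_scope(h, domains)}


def unregistered_assets(assets, registered=REGISTERED_APPS):
    """Assets found in the wild that nobody registered: lost, forgotten or citizen-developed."""
    return sorted(assets - registered)


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def matching_advisories(package, version, advisories=ADVISORIES):
    """Advisories whose fixed_in version is newer than the deployed version."""
    return [a for a in advisories
            if a["package"] == package
            and parse_version(version) < parse_version(a["fixed_in"])]


def prioritize(assets, sboms=SBOMS, advisories=ADVISORIES, exposure=EXPOSURE):
    """Rank assets by worst finding weighted by exposure; unregistered assets win ties."""
    ranked = []
    for host in assets:
        findings = []
        for package, version in sboms.get(host, []):
            findings.extend((package, version, a["id"], a["cvss"])
                            for a in matching_advisories(package, version, advisories))
        if not findings:
            continue
        weight = EXPOSURE_WEIGHT[exposure.get(host, "internet")]
        ranked.append({
            "host": host,
            "score": round(max(f[3] for f in findings) * weight, 1),
            "findings": findings,
            "registered": host in REGISTERED_APPS,
        })
    ranked.sort(key=lambda r: (-r["score"], -len(r["findings"]), r["registered"], r["host"]))
    return ranked


if __name__ == "__main__":
    found = discover_assets(PUBLIC_OBSERVATIONS)
    print("unregistered:", unregistered_assets(found))
    for entry in prioritize(found):
        print(entry["score"], entry["host"], [f[2] for f in entry["findings"]])
```

With the constructed data the unregistered legacy CRM host outranks the registered shop front-end at the same severity, and the internal-only intranet host drops to the bottom because its exposure weight halves the score; in a real inventory the advisory feed, SBOMs and exposure classes would come from the organization's own scanners and asset register.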
Shift security right
Companies have invested heavily in shifting security left in recent years, yet the proportion of breaches to the number of websites has remained constant over the last decade. Part of the reason is that not all web applications and assets in use at a company come through its internal development pipelines. To augment shift-left strategies, companies must also scan their web applications and web assets where the rubber meets the road: in production.
Penetration testing services – as well as various application security testing scanners such as SAST, DAST and IAST – enable security professionals to scan applications in production and test for vulnerabilities from the perspective of an outside attacker. Some even combine their scanning with an internal software agent, enabling the scanner to test pages and files that are unlinked or hidden. As scanners crawl through web application pages and assets, they can test for a wide range of vulnerabilities such as SQL injection and cross-site scripting (XSS).
Scan applications continuously
The White House recommends testing a system’s security with penetration testing. At the rate at which web applications evolve in DevOps environments and the ease with which one can spin up an integrated third-party application, a pen test report could be obsolete just hours after its completion. Companies should set policy to continuously scan all their applications in dev, QA, and production, to keep abreast of their changing attack surface and implement security hardening in a timely manner.
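The policy in this paragraph, that a scan result ages out and that any change invalidates it, can be encoded as a small scheduler. The following added example (not from the article) decides which applications are due for a scan across dev, QA and production given constructed application records, a constructed per-environment maximum scan age, and the time of the last deployment; an application that changed after its last scan is due regardless of age, which is the point the paragraph makes about a pen test report going stale within hours.

```python
"""Decide which applications are due for a scan under a continuous-scanning policy.

Added example; the policy thresholds and application records are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed policy: maximum age of a clean scan in each environment.
MAX_SCAN_AGE = {
    "dev": timedelta(hours=24),
    "qa": timedelta(hours=24),
    "production": timedelta(days=7),
}

# Constructed application records: last completed scan and last deployment,
# both as UTC ISO-8601 timestamps (None means never scanned).
APPS = [
    {"name": "shop", "env": "production",
     "last_scan": "2021-09-01T08:00:00", "last_change": "2021-09-01T06:00:00"},
    {"name": "shop", "env": "qa",
     "last_scan": "2021-09-01T08:00:00", "last_change": "2021-09-02T09:30:00"},
    {"name": "crm", "env": "production",
     "last_scan": "2021-08-20T08:00:00", "last_change": "2021-08-19T00:00:00"},
    {"name": "api", "env": "dev",
     "last_scan": None, "last_change": "2021-09-02T10:00:00"},
    {"name": "www", "env": "production",
     "last_scan": "2021-09-02T01:00:00", "last_change": "2021-09-01T00:00:00"},
]

ENV_ORDER = {"production": 0, "qa": 1, "dev": 2}


def parse_ts(text):
    """Parse a naive ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def scan_due(app, now, policy=MAX_SCAN_AGE):
    """Return why a scan is due, or None if the last scan is still valid."""
    if app["last_scan"] is None:
        return "never scanned"
    last_scan = parse_ts(app["last_scan"])
    if parse_ts(app["last_change"]) > last_scan:
        return "changed since last scan"   # a deployment invalidates the old result
    if now - last_scan > policy[app["env"]]:
        return "scan older than policy"
    return None


def scan_queue(apps, now, policy=MAX_SCAN_AGE):
    """Applications due for a scan: production first, then oldest scan first."""
    due = [(app, scan_due(app, now, policy)) for app in apps]
    due = [(app, reason) for app, reason in due if reason]
    due.sort(key=lambda ar: (ENV_ORDER[ar[0]["env"]], ar[0]["last_scan"] or ""))
    return [(app["name"], app["env"], reason) for app, reason in due]


if __name__ == "__main__":
    now = datetime(2021, 9, 2, 12, tzinfo=timezone.utc)
    for name, env, reason in scan_queue(APPS, now):
        print(f"{env:<10} {name:<6} {reason}")
```

Run on a schedule (or triggered from the deployment pipeline), the queue feeds whichever scanner the organization uses; the record of `last_change` is what turns a periodic scan into a continuous one, since every deployment re-queues the application rather than waiting for the age threshold.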
This is just the beginning
The security efforts driven by the White House are an important step toward securing infrastructure and sensitive data on a national level, but we must remember that it is only the beginning of a long road.
Companies that follow the government’s directives to the letter without considering other attack angles will find themselves vulnerable to increasingly sophisticated attacks from criminals and state-sponsored hackers. To maximize security and minimize risk, companies must go beyond the national directives to understand their risks and continuously work to stay a step ahead of adversaries.