Like everyone in a competitive business, application developers and operations teams are under constant pressure to move applications into production quickly. Everybody wants their application security efforts to be effective, but only if they don't unduly impede workflow, affect timelines or drive up costs. Balancing these potentially competing objectives is extremely difficult.
When web applications are breached, enormous amounts of sensitive business data can be lost. According to Verizon's 2014 Data Breach Investigations Report, web application attacks more than doubled in 2013 to become the number one cause of security incidents. These attacks occur at organizations of all sizes and levels of IT sophistication, and can affect tremendous amounts of data. Web applications are popular targets because they are accessible to almost anybody in the world, they are a conduit to an enormous amount of valuable data, and they are commonly riddled with weaknesses. The financial impact of such exploits is substantial. According to the Ponemon Institute's 2013 Cost of a Data Breach Study, U.S. breaches cost $188 per record stolen, with an average total cost of $5.4 million per incident.
Fortunately, most web application attacks follow a small number of patterns. Like other application flaws, web application security defects arise during software development. Cross-Site Scripting (XSS) is one of the most widely found and dangerous vulnerabilities in web apps. XSS can have a big impact on your organization because it enables attackers to deliver untrusted code to users' web browsers under the guise of your business's legitimate app. The attacker's script then runs in the victim's browser, where it can hijack a session or download malware to take full control of the victim's system.
The second type of vulnerability is injection, which comes in many flavors, including SQL injection and command injection (inserting system commands into a form field). SQL injection attacks are among the most widely known. Attackers send malformed input to your application (for example, adding extra characters to the end of a type-in field), which is then passed to a database. The maliciously formatted input tricks the database into returning excess information or performing unwanted actions.
Fortunately, you can combat these and other vulnerabilities by following a few straightforward best practices and employing new automated technologies.
- Collaborative Approach: Web application security requires ongoing collaboration among the involved teams: business leaders, IT leaders, development, operations, and security groups. Having demonstrable leadership backing makes it easier to put that collaboration in place and obtain necessary resources.
- Development Discipline: Application security cannot be implemented as an afterthought. It has to be ingrained in the development process and enforced at major milestones. Security should be explicitly considered when the technical requirements of the application are being defined, during coding, during testing, in the QA phase, and when applications are put into production.
- Training for all Stakeholders: Secure coding is a skill unto itself that requires developer training. When developers, server admins, and others build and deploy applications, it’s essential that they be aware of where security flaws can come from. Making applications resilient to attack is tough if you do not know what to look for, even if you’re equipped with the right tools.
- Threat Simulation: Before you can protect your applications, data and other IT assets, you have to understand the fundamentals behind a potential attack. In particular, it's critical to think about who might have the motive, opportunity, and means to attack.
- Automated Testing: While many problems can be avoided by focusing on security during development, some vulnerabilities will inevitably sneak in. This is where having the right application security tools and technology makes a huge difference.
- Changes to Applications: In an ideal world, applications would always be perfectly secure; realistically, bugs happen or changes are requested, and that is when vulnerabilities inevitably appear. But fixing and deploying changes to applications takes time, and security considerations are not kept in mind. This needs to change: changes must follow the regular development process, with the same security checks as the original release.