By Ilia Kolochenko, CEO of web security company High-Tech Bridge
Web application security is a very hot topic these days. So what do CISOs need to know in order to deal with related risks?
Qatar National Bank, a recent victim of a data breach exposing over 1.4GB of customers’ data including full personal data and credit card information, suspects it was compromised via an SQL injection vulnerability. Later, the same hacking team compromised six more financial institutions using vulnerabilities in their websites and web applications.
Pornhub, one of the largest adult websites, was also recently compromised, and web shell access to it was put up for public sale. This happened just after Pornhub announced a bug bounty program, proving once again the numerous pitfalls of bug bounties.
In such a hostile climate for web applications, how should CISOs and their security teams respond to the growing threats of insecure web applications? We can accept, avoid, mitigate, or transfer the risks. In this article, we will analyze each of the four approaches to web application risk management.
The above-mentioned data breaches are just the tip of the iceberg, as many more successful attacks remain undetected or unreported. Today, when Advanced Persistent Threats (APTs) start at your website regardless of your company's size and location, risk acceptance is no longer an acceptable strategy.
Unfortunately, almost every company has various websites and web applications integrated into its core business processes. ERPs, CRMs, HRMs, and many more vital systems are either web-based or at least provide a web interface. Even if the only web application you have is a static website, attackers will come after it to get your crown jewels. Therefore, risk avoidance is also no longer feasible.
First of all, you need to make a complete inventory of all your web applications. Often, companies get hacked via abandoned subdomains or web applications that nobody maintains anymore. A complete and up-to-date digital asset inventory is vitally important.
The second step is attack surface minimization. The easiest and at the same time most reliable way to reduce the attack surface is to restrict access to your web applications appropriately. If a web application is designed for internal use only, make sure it is unavailable from the outside. If some employees still need to access it from home or while traveling, you can whitelist VPN IPs or add a client SSL certificate and a 2FA authentication mechanism. The fewer web applications are publicly exposed, the fewer problems you will experience in the future.
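As an added illustration of the restriction described above (example configuration, not from the author or High-Tech Bridge), here is an nginx server block for an internal-only application that accepts connections only from a VPN address pool and only with a client certificate issued by the company's own CA; the hostname, the 10.8.0.0/24 pool, the certificate paths and the upstream address are assumed placeholders.

```nginx
# Constructed example: an internal-only application fronted by nginx.
# Assumed values: intranet.example.internal, the VPN pool 10.8.0.0/24,
# the certificate paths and the backend address are all placeholders.
server {
    listen 443 ssl;
    server_name intranet.example.internal;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Client certificate authentication: only certificates issued by the
    # internal CA (placeholder path) are accepted; anything else is refused
    # during the TLS handshake, before a request reaches the application.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Network allowlist: the VPN address pool only. Without these two lines
    # the application would answer to the whole internet.
    allow 10.8.0.0/24;
    deny  all;

    location / {
        # Both controls have passed at this point. Pass the verified
        # certificate subject to the application so its own 2FA step can
        # be tied to the same identity.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Plain HTTP: close the connection without a response (nginx status 444),
# so the application is never reachable without TLS.
server {
    listen 80;
    server_name intranet.example.internal;
    return 444;
}
```

A quick check after deployment is to request the host from a non-VPN address and from the VPN without a client certificate; both must fail, the first with a refused or 403 response and the second with a TLS handshake error.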
The third recommendation is proper maintenance of all web application software in use. Make sure you have a continuous monitoring and patch management system in place. When zero-days for the most popular web applications appear in public almost every day, you cannot rely on quarterly vulnerability scanning anymore. The best approach is to set up 24/7 automated vulnerability monitoring and complement it with manual or hybrid security testing to detect complicated security flaws that vulnerability scanners cannot find.
Setting up a Web Application Firewall may also be a very good idea. However, keep in mind that a WAF is mainly designed to block simple and automated attacks and will hardly save you from professional Black Hats or even from advanced script-kiddies.
I'd obviously recommend implementing a Secure Software Development Life Cycle (S-SDLC); however, in the era of agile development and outsourcing, an S-SDLC will not always solve the problems it is supposed to. But if you have an opportunity to deploy it and properly maintain it afterwards, don't even hesitate: go for it.
Security training for your web developers is also a good option. If you outsource software development, make secure software development qualifications a mandatory prerequisite when conducting RFPs.
A recent PwC report forecasts that the global cyber insurance market will reach $7.5 billion by 2020, up from $2.5 billion this year. Cybersecurity insurance may be a good idea; however, keep in mind that the cybersecurity insurance market is far from mature and may bring plenty of bad surprises.
Pavel Sotnikov, managing director for Eastern Europe, Caucasus and Central Asia at Qualys, CISSP, MSs, comments: “In today’s world there is no space anymore for single-factor protection. Companies should definitely adopt a Defense-in-Depth methodology for layered, robust security measures. If we take website security as an example, there definitely should be continuous automated vulnerability testing both for the website and for the infrastructure that supports it; moreover, there should be security testing during all stages of the SDLC, in addition to secure coding practices. Additionally, there should be a Web Application Firewall for proactive protection. Ideally, all this should be complemented by regular manual penetration testing by qualified professionals.”
Concentrate your efforts on appropriate risk mitigation, complemented with risk transfer activities, and you will prevent the majority of incidents before they occur.