Web application security has become a primary concern for businesses of all shapes and sizes. Whether you’re a multinational media company that streams content or a small startup with remote employees, your business is online, which puts your customers and your own sensitive data at risk. Though developments in web applications and services have improved the way companies do business, they have also increased the risk of malicious attacks. Before you begin to panic, however, know you can take steps to secure your enterprise.
Web application security is the protection of websites, web applications, and web services from security threats that exploit vulnerabilities in web application code. Web application security draws on the principles of application security, applying them to internet and web systems to secure against malicious threats or attacks.
Web applications include any computer program accessible via a browser. Attacks against web applications range from targeted database manipulation, which can expose sensitive data like account numbers and passwords, to large-scale network disruption.
Though web attacks are not new, they are a costly and growing problem. The Herjavec Group estimates the annual cost of cyber crime will top $6 trillion by 2021. A joint study by the Ponemon Institute and IBM places the worldwide average cost of an individual data breach at $3.92 million. If you’re in the US, that number is even higher at $8.19 million.
The odds of any business experiencing a data breach in a two-year period have increased to almost 30%. According to Verizon’s 2019 Data Breach Investigations Report, nearly 25% of all security breaches directly involve vulnerabilities in web applications, and 62% of hacking incidents are aimed at web apps.
Web application security has never been more important, but there are a number of resources and tools to help you secure your web applications. The key is being proactive about security at every stage of the software development life cycle (SDLC).
When it comes to web application security, perhaps the best place to begin is with the Open Web Application Security Project (OWASP), a non-profit organization focused on improving software security. OWASP is a leader in the field of web application security and maintains a top 10 web application security risks list, considered the industry standard for securing web applications.
The top 10 list is a great starting point for developers and security professionals who want to create more secure web applications. The list should be used in conjunction with other tools, which we’ll discuss next, to empower teams to embrace security at every stage of the SDLC.
As OWASP’s top 10 list illustrates, security threats can be introduced at any time from development through production and need to be addressed at all stages of the SDLC.
Historically, firewalls were the first line of defense when securing an enterprise’s perimeter. Dedicated web application firewalls (WAFs), first released in the 1990s as attacks on web servers became more common, block unwanted web traffic from reaching your site. WAFs filter, monitor, and block bi-directional HTTP traffic to stop attacks that exploit web application security flaws, including injection, cross-site scripting (XSS), security misconfigurations, and file inclusion. It is important to note that WAFs don’t fix web application vulnerabilities; they only shield vulnerable web applications from malicious HTTP traffic.
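To make the shield-versus-fix distinction concrete, here is an added example (not code from the original article). It simulates a request path with a hypothetical blocklist-style WAF rule in front of a deliberately vulnerable, string-concatenated lookup, next to the parameterized query that actually fixes the flaw; the user table, the rule, and the request parameters are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user")])

# Hypothetical WAF-style rule: reject requests whose parameters carry obvious
# SQL injection markers. This only shields the application; the query code
# behind it is left exactly as vulnerable as before.
INJECTION_PATTERN = re.compile(r"('|--|;|\bOR\b|\bUNION\b)", re.IGNORECASE)

def waf_allows(params: dict) -> bool:
    """Return False if any request parameter matches the blocklist rule."""
    return not any(INJECTION_PATTERN.search(v) for v in params.values())

def lookup_vulnerable(name: str) -> list:
    """Vulnerable: string-concatenated SQL (the flaw a WAF merely shields)."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_fixed(name: str) -> list:
    """Fixed: parameterized query, safe whether or not a WAF sits in front."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def handle_request(params: dict, lookup) -> dict:
    """Simulate the request path: WAF check first, then the application query."""
    if not waf_allows(params):
        return {"status": 403, "rows": []}
    return {"status": 200, "rows": lookup(params["name"])}

if __name__ == "__main__":
    benign = {"name": "alice"}
    hostile = {"name": "x' OR '1'='1"}   # constructed injection attempt
    print(handle_request(benign, lookup_vulnerable))   # 200, one row
    print(handle_request(hostile, lookup_vulnerable))  # 403: the WAF shields
    print(lookup_vulnerable(hostile["name"]))          # flaw still present: every row
    print(lookup_fixed(hostile["name"]))               # []: the flaw is fixed in code
```

The third call shows why the WAF alone is not a remediation: reach the query by any path the rule does not cover and the vulnerable code still returns every row, while the parameterized version returns nothing regardless.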
With the proliferation of businesses online, SaaS, cloud computing, and the adoption of open source code, web application firewalls alone weren’t enough to handle the increased security risks. In addition, the application layer has become a popular target for attackers. If we really want to address web application security in today’s heterogeneous compute environment, we need to start thinking about security from the earliest stages of development. As new vulnerabilities are uncovered, time-consuming manual code reviews and traditional testing simply aren’t scalable.
Luckily, there are a lot of application security testing (AST) tools to help organizations, and each one addresses different types of vulnerabilities at different stages of the development lifecycle. The most mature tools, covering the most common vulnerabilities, include the following:
Static application security testing (SAST) tools perform white-box testing, analyzing the source code from the inside out while components are at rest.
Dynamic application security testing (DAST), or black-box testing, detects externally reachable vulnerabilities in a running application and assumes the tester has no knowledge of the system’s internals.
Interactive application security testing (IAST) combines static and dynamic testing techniques to improve testing in real time within your application.
Software composition analysis (SCA) focuses only on open source code. Despite an increased reliance on open source software, most companies have been lax about ensuring these components meet security standards. SCA discovers and tracks open source components and their dependencies, checking them against known vulnerabilities so they can be resolved.
These tools are constantly evolving to address new threats, adding additional layers of security to web applications.
To ensure they have a comprehensive web application security strategy, organizations need to choose multiple tools that integrate well into their DevOps pipeline and together address their security needs.
The SDLC has sped up dramatically in recent years, and release cycles have shortened significantly. With releases happening bi-weekly, weekly, or even daily, there isn’t time for a dedicated security team to check code at the end of each sprint. New DevOps practices and ever-evolving tools allow developers to take over AppSec and play an increasingly large role in the day-to-day responsibility of securing web applications.
When surveyed, 58% of developers identified security as a top priority and have processes in place to detect and remediate vulnerabilities. Shifting left and using security testing tools before the first build is part of a conscious change in the way enterprises approach security today. This strategy moves security testing to early stages of software development, before fixing vulnerabilities delays releases and becomes expensive and time-consuming.
According to Verizon’s report, more data breaches begin with a web application flaw than in any other way. As a result, web application security is paramount to most enterprises. The earlier security vulnerabilities are detected in the SDLC, the easier, faster, and less expensive it is to remediate them. In a Ponemon Institute study, researchers found vulnerabilities detected early in the development process cost on average $80. However, if detected in the production stage, those same vulnerabilities cost roughly $7,600 to fix, an increase of 9,500%.
Web application development is a highly iterative process, and the best time to prevent future security threats is as early as possible in the SDLC. By giving developers more responsibility from the beginning, web application security is improved and overall risk is reduced.