When it comes to application security, there’s a lot that can go wrong. Hackers and malicious actors are working round the clock to find and exploit new vulnerabilities in every nook and cranny of the digital world, and it can be extremely difficult for smaller companies to even keep up with the baseline set of best practices.
To wit, a recent survey found that one out of every five applications had some kind of security misconfiguration—whether that’s improper authentication, weak password requirements, weak password recovery requirements, insufficient restrictions on authentication attempts, or any other of a host of possible failings. And this is before we get into things like broken authentication, cross-site scripting, code injection, and data exposure. There’s a lot to keep track of, and it’s a difficult job even under the best of circumstances. When your developer resources are overtaxed and already spread thin, it’s practically impossible.
Unfortunately, failure’s not an option when it comes to securing your data and that of your customers. The annual cost of cybercrime measures in the trillions of dollars, and that number is only going to rise. From our perspective, this fact—and the facts we’ll present below—have a clear takeaway: securing your web applications has never been more crucial to business success.
1. The Average Web App Has 20+ Vulnerabilities
22 vulnerabilities, to be specific. This data point, which comes from the same survey cited above, comes with the corollary that an average of four (just under 20%) of those vulnerabilities were of high severity. This can include all of the configuration issues we listed above, plus things like business logic problems (e.g. a function in an app that lets users take multiple discounts until the price of an order drops below zero dollars), and any number of additional vulnerabilities. As it happens, this number has actually been dropping in recent years—but 4 high severity vulnerabilities per app is still far too many. Frankly, just one would too many in a perfect world. Why? Because hackers only need one opening to potentially get access to sensitive user, corporate, or financial data and utilize that data for their own aims.
2. 40% of Breaches Come Through Web Apps
The numbers we listed above about the vulnerabilities in various web apps wouldn’t be so startling if web apps themselves weren’t the largest attack surface for most businesses. Sure, a bank or other financial institution might be fighting off transaction fraud through the networks they use for sending financial messages, but for most businesses your biggest outward-facing activity comes from applications that users are logging into and interacting with. As such, your most impactful vulnerabilities are going to live in the user-facing facets of the app. You might, for instance, discover that a form field that users use to search for content on your mobile app isn’t properly secured against SQL injection, meaning that hackers can insert malicious code into SQL statements (e.g. database queries) that will then run on your database without your knowledge. This might give them the ability to access information on other users—like their names, user IDs, credit card information, and more. Hopefully you’re storing all of that information with enough encryption that hackers won’t actually be able to see a credit card number, but even a little bit of information can be leveraged into other attacks against you or against your users.
3. Code Remediation Takes 4-6 Months on Average
Okay, let’s say you’ve uncovered some vulnerabilities in your application—what’s the next step you should take in order to keep your information safe and secure? Probably you should fix the bugs and patch up any software that wasn’t working as intended, right? Sounds good in theory, but… the software remediation process can often be extremely long and cumbersome (in our experience it can take 4-6 months to patch up a serious vulnerability—in large part because developers often don’t have the time they need to actually take care of the security issues they think are important), and that’s when the issues can be fixed at all. This means that if your security approach is to first find and then remediate security issues in-house, you’re potentially looking at long stretches of time where your web app is susceptible to attack. If an attacker comes along looking to break into your user database and steal information while you’re in the middle of patching up the code that allows the SQL injection, what systems do you have in place to protect your app and your users? For far too many businesses, the answer here is “none,” meaning that once a bug has been identified, there’s nothing to stop hackers from exploiting it until the code base has undergone a lengthy remediation process.
4. Nearly Half of Companies Face Attacks on Known, Unpatched Vulnerabilities
You can think of this stat as something of a corollary to one above. The idea that an open vulnerability might be exploited while you’re trying to come up with a fix or a patch isn’t a hypothetical problem—it’s a real issue that numerous companies deal with on an annual basis. This just goes to show: while uncovering vulnerabilities (whether that’s through code review, penetration testing, or any other technique) is a crucial piece of the cyber security puzzle, it’s only as valuable as your remediation strategy. If you never get around to fixing a bug (or finding some other way of neutralizing the attack surface), generally speaking there’s very little value to having found the bug in the first place. This isn’t to suggest that you should skip the pen tests—on the contrary, you should undertake them with a clear strategy for how you’re going to turn your findings into improved application security.
5. Web Application Firewalls Are Imperfect Solutions
Now, when it comes to finding some way to cover your vulnerabilities while you fix the errors in your code that are making your application less secure, one of the more frequently cited options for coverage is a web application firewall (WAF). These are purpose-built firewalls that protect your servers by implementing special rules for HTTP interactions. No doubt, these can be real sources of value, and they can help neutralize specific attacks including SQL injection and cross-site scripting under some circumstances. That said, they can also be fairly limited in their applications. Though the proxies that power this technology can help with certain vulnerabilities, they have a tendency to either be too rigid and produce a lot of false positives, or they’re too lax and they produce false negatives. In the former instance, users become frustrated because normal web traffic isn’t going through, while in the latter case the firewall completely misses real hacking attempts. Often, this is an issue with configuration—by and large the WAFs on the market aren’t turnkey solutions; rather, they require extensive configuration and maintenance efforts on the part of the companies employing them. This doesn’t have to be an issue in and of itself, but it does introduce the potential for human error—which is the world’s largest source of cyber security risk.
How Can Businesses Secure Their Digital Perimeters Effectively?
The picture we’ve painted above might seem a little bit bleak. And, make no mistake, cyber security presents real risks and challenges for even the savviest of organizations. That said, not all is lost if your business has known vulnerabilities and no immediate way to resolve them within your code base. Using perimeter shielding technology, it’s possible to take the general idea behind WAFs (“let’s create a line of defense that sets rules for web traffic”) and improve upon it significantly. For instance, because WAFs can’t maintain an application state, they can’t protect against the kinds of business logic flaws that we described above; with more sophisticated perimeter shielding technology, it’s possible to create new rules on the fly that make it impossible to exploit business logic problems. Indeed, the kind of technology we’re talking about would give you the tools to automatically adjust code as its being implemented (i.e. without changing it on your own servers), effectively closing all of your known vulnerabilities in one fell swoop.
What would this kind of API and application protection really involve? For starters, it would be built upon AI and machine learning that could improve upon the functionality of WAFs (e.g. by reducing false positives). From there, because there’s no such thing as a one-size-fits all cyber security solution, you would want these protections to be augmented by managed security services that increased your coverage and decreased your odds of costly configuration errors. In this scenario, the gap between discovering vulnerabilities and remediating them would be effectively eliminated. For vulnerabilities that required lengthy fixes, this would give you peace of mind during the months-long span of time it might take to actually close the loophole or fix the bug. For vulnerabilities that continue to confound your developers, this kind of shielding provides protection even when the relevant Jira ticket is gathering dust.
By using a combination of managed services and cutting edge technology, it’s possible to radically reduce false positives and still cover all of the attack surfaces that developers, pen-testers, or others have identified within your application. This, in turn, can have a cascade effect leading to:
- Improved time-to-market—since you won’t get held up by remediation processes
- Increased flexibility--because you don’t have to scramble to fix high priority vulnerabilities
- Extended shelf-lives for legacy apps—since their issues can be effectively covered within this framework
All of this makes you a hacker’s worst nightmare. It gives you the option to remediate code at your own pace, and it saves you from the possibility of a costly attack on a known vector.
Learn More About Intertec’s Managed Cyber Security Services
Intertec provides cutting-edge managed cyber security services based on sophisticated application shielding technology—helping global businesses to cut down on code remediation costs while preventing data breaches. Click here to learn more. Prefer a personal consultation? Go ahead and schedule a meeting with us here!