What is Web Application Security?
Web application security involves protecting websites and web applications from security threats, most of which are caused by vulnerabilities in web application code and configuration.
Many web applications store sensitive data, or are critical for business operations (for example, in the case of an eCommerce website), meaning that breaches can have a major effect on a business. According to a study by the Ponemon Institute, the average cost of a data breach to businesses in the USA was over $8 million.
Web application security, part of the discipline of application security (AppSec), is becoming an integral part of development practices. Organizations are implementing security testing and scanning at all stages of the development lifecycle—from planning to development, staging, and deployment.
Web Application Security Risks
The Open Web Application Security Project (OWASP) maintains the OWASP Top 10, a list of the most critical security risks facing web applications. Below is a summary of the 2017 edition of the list, whose categories the rest of this section follows.
Injection
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. This is made possible by failure to validate or properly handle user input, for example by concatenating the contents of a form field directly into a database query instead of passing it as data. SQL, NoSQL, operating system command and LDAP injection can all trick the interpreter into executing unintended commands, resulting in data exfiltration or compromise of the system by the attacker.
Broken authentication
An application's authentication and session-management functions are often implemented incorrectly. This type of vulnerability enables attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities. Brute force and credential-stuffing attacks, for example, leverage automation to guess passwords at scale, which is only practical when the application does not rate-limit, lock out or otherwise detect repeated failed logins.
Sensitive data exposure
Many web applications and the application programming interfaces (APIs) that connect them to third-party services do not properly protect sensitive data such as credentials, financial records or personal information. Data transmitted in cleartext (for example over HTTP rather than HTTPS), stored without encryption, or protected with weak or misused cryptography can be stolen or modified by attackers, whether it sits in a database or passes through an API.
XML External Entities (XXE)
By submitting XML that declares an external entity, an attacker can make a weakly configured XML parser read local files or send requests to internal systems, and return the result in the parsed output or in an error message, exfiltrating sensitive data from the server. The fix is to disable document type definitions (DTDs) and external entity resolution in the parser, which also prevents entity-expansion denial of service.
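A defensive parser wrapper, as an added example that is not part of the original article: it refuses any document carrying a DOCTYPE before handing the data to the XML parser, which is the portable way to disable DTDs regardless of what the underlying parser does by default. Python's standard library is used here; the sample documents, including the file path in the payload, are constructed for the example.

```python
# Added example: rejecting untrusted XML that declares a DTD before parsing it.
# Python's xml.etree does not fetch external entities by default, but many
# parsers in other languages and libraries do; refusing any <!DOCTYPE> is a
# parser-independent defence. Both sample documents below are constructed.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DTD (and so may declare entities)."""


def parse_untrusted_xml(data: str) -> ET.Element:
    """Parse XML from an untrusted source, refusing any document type declaration."""
    checker = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # expat calls this as soon as it sees <!DOCTYPE ...>, before any
        # entity declared inside it can be resolved.
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted XML")

    checker.StartDoctypeDeclHandler = reject_doctype
    checker.Parse(data, True)  # raises UnsafeXMLError on the first DOCTYPE
    return ET.fromstring(data)


SAFE_DOC = "<order><item>widget</item></order>"

# Constructed XXE payload: declares an entity that points at a local file and
# references it, so a parser that resolves entities would embed that file.
XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><item>&xxe;</item></order>"""


def is_accepted(data: str) -> bool:
    """Return True if the document passes the DTD check and parses."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False


if __name__ == "__main__":
    print(is_accepted(SAFE_DOC))  # True
    print(is_accepted(XXE_DOC))   # False: DOCTYPE rejected before any entity is resolved
```

Rejecting the DOCTYPE outright is stricter than only disabling external entities, but it is the setting OWASP recommends for untrusted input: legitimate API clients almost never need to ship a DTD, and the same check blocks internal-entity expansion attacks ("billion laughs") as well.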
Broken access controls
Access control enforces what an authenticated user is allowed to do. When it is not enforced consistently on the server side, attackers can view or modify other users' records (for example by changing an identifier in a URL or request body), act as administrators, or change privilege settings. To prevent this, enforce authorization checks on every request on the server, deny by default, and never rely on the client to hide functionality the user should not reach.
Security misconfiguration
Security misconfigurations can include insecure or incomplete default configurations, unnecessary features left enabled, cloud storage left open and accessible to the Internet, and excessive information in error messages. Such misconfigurations are a common vulnerability in many web applications.
Cross-site scripting (XSS)
Cross-site scripting occurs when an application includes untrusted data in a web page without proper validation or escaping, so that the victim's browser executes attacker-controlled script in the context of the site. Because that script runs with the victim's session and the site's same-origin privileges, it can read cookies and page content, call the application's APIs on the victim's behalf, and manipulate the DOM. The result can be hijacked accounts, defaced pages, or malware delivered to users.
Insecure deserialization
Serialization involves converting an object into a byte stream for transmission or storage. Deserialization is the opposite: converting bytes back into an object. Native serialization formats typically let the data decide which classes are instantiated and which code runs while an object is reconstructed, so deserializing data from untrusted sources should be avoided; where a wire format is needed, use a data-only format such as JSON and validate the result against the shape you expect.
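What "the data decides which code runs" means in practice, as an added example that is not part of the original article: a Python pickle whose `__reduce__` method names a callable that is invoked during `pickle.loads`, beside a JSON loader that can only ever produce plain data. The `Malicious` class and the callable it triggers are constructed for the example and merely record that they ran; a real payload would name `os.system` or similar.

```python
# Added example: a pickle payload that runs an attacker-chosen callable on load,
# beside the data-only alternative. 'Malicious' and 'attacker_callable' are
# constructed for illustration; a real payload would invoke os.system or similar.
import json
import pickle

EXECUTED = []  # records side effects, standing in for what a real payload would do


def attacker_callable(arg):
    """Any importable callable can be named in a pickle; this one only logs."""
    EXECUTED.append(arg)
    return arg


class Malicious:
    def __reduce__(self):
        # pickle stores (callable, args) and calls callable(*args) on load.
        return (attacker_callable, ("code ran during deserialization",))


def craft_payload() -> bytes:
    """What an attacker would send to an endpoint that unpickles its input."""
    return pickle.dumps(Malicious())


def load_vulnerable(blob: bytes):
    """pickle.loads executes whatever __reduce__ recorded: code execution."""
    return pickle.loads(blob)


def load_safe(blob: bytes) -> dict:
    """JSON yields only primitives, lists and dicts; then validate the shape."""
    obj = json.loads(blob)
    if not (isinstance(obj, dict)
            and isinstance(obj.get("user"), str)
            and isinstance(obj.get("role"), str)):
        raise ValueError("unexpected message shape")
    return obj


def safe_loader_rejects(blob: bytes) -> bool:
    """True if the data-only loader refuses the blob (pickle bytes are not JSON)."""
    try:
        load_safe(blob)
        return False
    except ValueError:  # JSONDecodeError and UnicodeDecodeError are both ValueErrors
        return True


if __name__ == "__main__":
    blob = craft_payload()
    print(load_vulnerable(blob), EXECUTED)  # the callable ran during loads()
    print(safe_loader_rejects(blob))        # True
    print(load_safe(b'{"user": "alice", "role": "admin"}'))
```

The same property holds for Java object streams, PHP `unserialize`, .NET BinaryFormatter and YAML loaders that construct arbitrary objects: the bytes name the class, and the class's reconstruction hooks run. Signing serialized blobs helps only if the key never reaches the client; switching to a data-only format removes the problem.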
Using components with known vulnerabilities
You should regularly update components, especially web server operating systems and third-party open source libraries, and track the versions you run against published vulnerability advisories. Using components with known vulnerabilities exposes the entire application to attack, since exploits for published flaws are often public within days.
Insufficient logging & monitoring
Attackers often rely on limited monitoring to compromise systems and remain undetected. Diligent logging of authentication events, access-control failures and input-validation errors, combined with monitoring that raises an alert on suspicious patterns, makes security staff aware of intrusions while they are in progress and enables faster remediation.
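A minimal detection run over application log lines, as an added example that is not part of the original article. It ties the brute-force attack described under broken authentication to the monitoring this paragraph calls for: one source address producing a burst of login failures inside a short window raises an alert, and a later successful login from the same address is flagged as a likely compromised account. The log format, field names, addresses and thresholds are assumptions, and the log lines are constructed.

```python
# Added example: detecting a brute-force login attempt from application logs.
# The log format, field names, IP addresses and thresholds are assumptions;
# the log lines below are constructed for this example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T10:00:00Z ip=203.0.113.7 user=alice event=login_failure
2024-03-01T10:00:02Z ip=203.0.113.7 user=alice event=login_failure
2024-03-01T10:00:04Z ip=203.0.113.7 user=bob event=login_failure
2024-03-01T10:00:05Z ip=198.51.100.2 user=carol event=login_success
2024-03-01T10:00:07Z ip=203.0.113.7 user=carol event=login_failure
2024-03-01T10:00:09Z ip=203.0.113.7 user=dave event=login_failure
2024-03-01T10:00:11Z ip=203.0.113.7 user=dave event=login_success
2024-03-01T10:30:00Z ip=198.51.100.2 user=carol event=login_failure
"""


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_brute_force(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> list:
    """Alert when one IP has >= threshold login failures inside `window`,
    and again if that IP then logs in successfully (account likely guessed)."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()                # ips already reported, to avoid repeats
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        ip = rec["ip"]
        if rec["event"] == "login_failure":
            q = failures[ip]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "failures": len(q), "at": rec["ts"]})
        elif rec["event"] == "login_success" and ip in alerted:
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": rec["user"], "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

In the constructed log, 203.0.113.7 fails five times in nine seconds and then logs in as `dave`, so two alerts are produced; 198.51.100.2 has one failure half an hour later and stays quiet. A production version would read from a SIEM rather than a string and would also key on the target username, since credential stuffing spreads attempts across many source addresses.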
The Next Generation of Web Application Security Solutions
Web application security is rapidly evolving. Organizations are turning to automated tools, some of them powered by AI, to respond to a growing number of sophisticated threats, while facing a significant shortage in security analysts. Below are some of the cutting edge technologies used to respond to web application threats faster and more effectively.
SAST and DAST
Static Application Security Testing (SAST) provides an automated way to scan your source code for insecure patterns without running it. Many web application security tools use SAST to identify security risks in your code. However, SAST can produce many false positives, so you will need to carefully analyze and filter the results to identify real issues.
Dynamic Application Security Testing (DAST) tests a deployed, running web application from the outside, without access to its source code. DAST tools send requests to the application, including unexpected inputs and malformed requests, and analyze the responses to identify defects and vulnerabilities.
Many organizations are shifting security left by integrating both DAST and SAST into their development lifecycle, starting from a developer’s machine, through the build process and ending with staging and production deployment.
Penetration Testing as a Service (PTaaS)
Penetration testing is a method for detection of security issues by simulating a cyber attack on a target system. During penetration testing of a web application, white hat testers look for attack vectors that can be used to breach the application or disrupt its functionality. The goal is to identify and fix security issues that would otherwise not be detected.
Penetration Testing as a Service (PTaaS) is a cloud-based service that makes penetration testing continuous rather than a point-in-time exercise. Organizations use PTaaS to create effective vulnerability management programs that can quickly find, prioritize, and mitigate security threats.
Instead of costly penetration testing engagements performed quarterly or even just annually, PTaaS makes it possible to automate penetration testing principles, and perform tests as often as weekly or daily. Such platforms also automate reporting, so findings and remediation recommendations are available as soon as they are discovered, rather than after waiting for a written report from a penetration tester.
eXtended Detection and Response (XDR)
XDR platforms provide visibility into security data across networks, clouds, endpoints and applications. They leverage automation and advanced analytics based on artificial intelligence and machine learning (AI/ML) to detect, analyze, and automatically respond to security threats.
XDR provides visibility and context for security incidents across security tiers. This makes it more likely to identify incidents, and provides security teams detailed forensic information, which they can use to investigate and mitigate the threat.
In the context of web applications, XDR promises to identify zero day attacks and sophisticated threats that operate across multiple attack vectors, such as social engineering, network vulnerabilities and application-layer vulnerabilities. It can also help security teams react to threats much faster, leveraging automated analysis and response.
Web Application Firewalls (WAFs)
Web Application Firewalls (WAFs) are based on the idea that most malicious activity is targeted at the application itself, not the infrastructure in the web hosting environment. Many attacks exploit security vulnerabilities in the application layer, in order to gain access to valuable assets or disrupt normal operations.
A WAF is deployed in front of the application, at the network edge or as a reverse proxy. It is designed to inspect application traffic and identify and block malicious requests. One of a WAF's greatest strengths is its ability to closely inspect user-application communications, identifying unusual commands and other anomalous behaviors. WAFs use vendor-provided rules that can identify known attack patterns, and custom rules that reflect each application's unique traffic patterns. A WAF is a compensating control: it buys time and blocks commodity attacks, but signature rules can be evaded by encoding and other variations, so it does not replace fixing the vulnerabilities in the code.
In this article I covered the basics of web application security and several cutting edge technologies that can help secure your web application:
- SAST – static testing of application code for vulnerabilities
- DAST – dynamic testing of running applications for security weaknesses
- PTaaS – technology platforms for automating penetration testing, helping you perform penetration tests on a weekly or even daily basis
- XDR – holistic security platform that ties together data and threats from web applications and other layers of the security stack
- WAF – filtering and blocking malicious application-layer traffic before it reaches your application
No single tool closes every gap, but by combining these controls with secure coding practices for the risks listed above, you can make your application far better prepared to withstand new and sophisticated security threats.