Web applications are often an open door to hackers, according to Dawn Smeaton, director of web application security at Trend Micro.
“In the 15 years that I worked in web application development, security never came up as a topic or requirement,” Smeaton told the security company’s Directions London 2014 conference.
Despite being a key tool for many organisations for handling communications and transactions, Smeaton said web applications are seldom secure by design.
This means developing web application exploits is relatively easy with readily available tools, making them a popular entry point for attackers seeking high-value data.
“Many are still vulnerable to SQL injection attacks, for example, meaning they can be exploited in minutes, even though this vulnerability is well known and mitigations well documented,” she said.
SQL injection is believed to enable around 80% of breaches involving web applications and enables attackers to carry out a wide range of malicious activity, including malware distribution and data theft.
Read more about web application security
- Web application firewalls may not fix Web application security issues
- Verizon data breach report: Web application attacks a growing concern
- Tackling Web application security through secure software development
- Cloud-based application security: Preventing security breaches
Attacks of this kind can have a substantial impact on the business, said Smeaton, through loss of trust and damage to reputation as well as through direct data loss.
“All the datacentre security in world is meaningless if organisations are leaving their front doors wide open by failing to secure web applications,” she said.
Smeaton emphasised that there is no single way of tackling the problem. “Web application security requires a multi-faceted approach,” she said.
How to hike web app security
However, she identified three relatively simple, low-cost things organisations can do to raise the level of web application security.
First, organisations need to expand their detection capabilities. Most organisations tend to scan only the application and server layers, but the application layer is often overlooked, said Smeaton.
“Organisations should increase the frequency of security scans and should be looking for more intrusion indicators in more locations,” she said.
This can include using automated tools to identify common coding errors, backed up by manual testing by people who know how the site works and how it could be exploited.
Trend Micro has demonstrated that adding manual testing processes can increase vulnerability detection by 75%.
Defence in depth
Second, organisations need to strengthen their defences by complementing web application firewalls (WAFs) with intrusion detection and prevention systems.
Another key way of strengthening defences, said Smeaton, is to use SSL certificates, but traditional SSL certificates can be difficult and costly to maintain.
Organisations should consider using a new “always-on” approach of unlimited SSL licences as supported by Osterman Research.
“This approach typically delivers savings in cost alone of around 70%, which, for some companies, can run into hundreds of thousands of dollars a year,” said Smeaton.
Third, organisations should centralise visibility to make it easier to identify and prioritise vulnerabilities to mitigate.
“Without a centralised view, it is difficult for organisations to deal with high-risk vulnerabilities quickly and efficiently,” said Smeaton.
“While it is impossible to have web applications that are 100% secure, by taking this three-pronged approach, they can make them a lot safer.”
This is the underlying approach taken in the design of Trend Micro’s Deep Security for Web Applications product, said Smeaton, to help organisations meet a key security challenge.