How do you protect your web apps from hackers? Forget firewalls. You need an AppSec toolbelt, including software composition analysis and automated testing.
Hackers are targeting your web apps. How do you stop them? Set priorities.
Setting priorities, as most of us have learned (sometimes through bitter experience), is fundamental to success.
So it should be no surprise that setting priorities is fundamental to securing your digital assets. To do so, you have to catalog what you have (and therefore what you need to protect). You have to figure out which “attack surfaces” stand out to hackers looking to get inside your system. And you have to use the right tools to keep attackers out.
Fortunately, all that is possible. It just takes some time, effort, and, yes, investment.
There’s no mystery about hackers’ favorite attack surface. As multiple reports on data breaches have found, web applications are at the top.
In Forrester’s The State of Application Security, 2019, author Amy DeMartine opens with this declaration: “Application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks.”
In the most recent Verizon Data Breach Investigations Report (DBIR), web applications are among the top three attack vectors in eight of the nine industry verticals covered by the report. They are No. 1 in four of them.
And according to SAP, 84% of cyber attacks happen on the application layer, making it the No. 1 attack surface for hackers.
There should be no mystery about why web apps are a target either. If attackers can exploit a web application vulnerability, they have potentially unlimited access. “Malicious attackers who exploit an application through a vulnerability or weakness will also have access to the data that application has access to, no matter what data security or network protections you may have in place,” DeMartine wrote in the report.
Of course, every business with an online presence has web applications. Those apps are built with software. And software, hackers know, is rarely perfect. They also know that even when patches are issued for bugs or other vulnerabilities, not every organization installs them.
Perhaps the most notorious example of the past several years—the 2017 breach of credit reporting giant Equifax, which compromised the personal and financial information of about 147 million people—was made possible because the company failed to install a two-month-old patch for a vulnerability in Apache Struts, a popular open source web framework.
But even that wasn’t enough to get companies to pay attention. As the 2018 Synopsys Open Source Security and Risk Analysis (OSSRA) report showed nine months later, a third of audited codebases containing Apache Struts were still vulnerable to the same issue that affected Equifax.
So the priority is obvious: Protect your web applications.
There are ways to do that—the key word is “ways.” There is not one way to do it. Don’t fall for any pitch that says if you employ this magical “all-in-one” tool, your applications will be safe.
Nothing in life, or online, is completely secure. But with the right set of tools, deployed throughout the software development life cycle (SDLC), you can be confident that your web apps are protected from all but the most motivated and expert hackers.
To start, it helps to know what software components you’re using and where they came from. While most organizations create proprietary software, virtually all—99% according to the OSSRA—also use open source.
Nothing wrong with that—open source helps reduce the time and expense of application development. It provides ready-made “raw materials,” so developers don’t have to reinvent the basics every time they create a new app.
But open source is no more (or less) secure than other software, and it also comes with licensing requirements. That means organizations that don’t keep track of what they’re using could miss notifications that there are patches available for known vulnerabilities. And they could get in legal trouble for open source license violations.
The way to avoid all that is with software composition analysis (SCA). SCA allows you to manage your open source security and license compliance risks through automated analysis and policy enforcement.
And it’s important to move SCA earlier in the SDLC—it makes fixing those problems easier, faster, and cheaper.
Other tools that should be part of the SDLC include these:
Deploying such a variety of application security testing tools may seem daunting, and development teams fear it will slow them down. But the truth is that finding and fixing vulnerabilities earlier in the SDLC is easier and less expensive overall.
Beyond that, as Forrester notes, automation helps to “ease the adoption of security testing.”
“Automating prerelease testing is relatively easy for applications that have an automated SDLC, so security pros will see relief in sight as their developer colleagues move in this direction.”
Automated testing provides relief for more than just developers. The entire organization will benefit from making its most common attack vectors more resistant to attacks.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.