Throughout my tenure in cybersecurity, one aspect of digital transformation has repeatedly suffered neglect, writes Simon Roe, Product Manager at cyber software firm Outpost24.
All too often, I am asked: “where are our web applications and how secure are they?” However, if you are asking this question, then it is already too late. Breaches continue to happen through web application vulnerabilities. In fact, according to research by Verizon, 43 per cent of data breaches are the direct result of application vulnerabilities. This concerning figure becomes more worrying when you consider that it is more than double the figure of the previous year. One needs to look no further than the notorious cybercriminal group Magecart for proof of how dangerous these attacks can be. In 2018, British Airways was served a fine of $230 million for inadequate security controls on its web applications. As a result of that inadequate security, a Magecart attack breached the payment data of nearly 400,000 BA customers.
The problem of securing web applications is not new. We frequently discuss the importance of ‘shifting left’ – bringing security into the development pipeline – but security concerns still persist throughout the SDLC. It is essential to remember that ‘secure by design’ principles, however noble, are not the ‘be all and end all’, as applications may contain many attack vectors that require constant visibility.
Put simply, your web application is like an iceberg. There are lots of links and pages above the surface, but what lies beneath can be a mystery.
Running internet-facing applications and servers will usually expose many and varied attack vectors, especially if, like most businesses, you don’t have a full understanding of where those applications are and what is in them. For example, are you assured of the visibility you have on campaigns run by internal marketing teams, or could there be an unprotected landing page left over from a forgotten marketing campaign? If you ran an audit of your digital footprint, you would most likely uncover unknown applications and unsecured elements that you had not even considered; the alternative is that an opportunistic attacker finds them first during reconnaissance.
Remember, there are teams in your organisation with no IT security knowledge that have access to your web application’s backend. Are you confident that their actions will be security-centric? A whole host of previously unconsidered factors may expand your addressable application attack surface, providing a tempting route in for cybercriminals. If you miss one of these vectors, it can be the pivot point for attackers to enter the system and compromise not only the applications you are aware of, but also those you may not know even existed (IoT, acquisition and third-party sites).
Mapping your application attack surface is no mean feat. Buzzwords like ‘DevSecOps’, ‘bug bounties’ and ‘pen testing’ clutter an already congested market, prompting the question: “where do I even start?” The answer lies in timing. Attack surface discovery tools can help you look under the hood and review your applications’ composition against the common web attack vectors before they become a problem. For instance, they can examine the security mechanisms in place (does input validation exist?) and the page creation method (how each page was generated) to identify security flaws that an adversary would otherwise pick up easily. Automating the discovery of your web applications gives you actionable risk insight to pinpoint the most imminent issues and implement security controls that are well informed by your attack surface risk levels.
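The digital-footprint audit and the automated discovery step described above both come down to one core task: reconciling what the organisation believes it exposes against what can actually be observed from the outside. The script below is an added example, not Outpost24’s product code or the author’s; the inventory, the observed names and the hint patterns are all constructed sample data, standing in for a real CMDB export and names pulled from certificate-transparency logs or a DNS zone dump.

```python
"""Reconcile an approved web-application inventory against externally
observed hostnames and prioritise anything that falls outside it.
All data here is constructed for the example."""
import re

# Constructed: what the security team believes exists (hostname -> owning team).
APPROVED_INVENTORY = {
    "www.example.com": "web-platform",
    "shop.example.com": "ecommerce",
    "api.example.com": "platform-api",
    "portal.example.com": "customer-success",   # in the CMDB, never observed
}

# Constructed: names seen from the outside (e.g. certificate-transparency export
# plus a DNS zone dump). Wildcards, internal names and odd casing are deliberate.
OBSERVED = [
    "www.example.com", "shop.example.com", "api.example.com",
    "*.example.com", "summer-promo-2019.example.com",
    "staging.shop.example.com", "legacy-cms.example.com",
    "intranet.corp.example.com", "WWW.EXAMPLE.COM",
]

# Hypothetical naming hints; tune these to your own organisation's conventions.
CAMPAIGN_HINT = re.compile(r"(promo|campaign|event|landing|summer|winter|\d{4})")
NON_PROD_HINT = re.compile(r"(staging|stage|test|dev|uat|legacy|old)")


def normalise(name):
    """Lower-case, strip trailing dot, and drop wildcard entries (not a real host)."""
    name = name.strip().lower().rstrip(".")
    return None if name.startswith("*") else name


def classify(host):
    """Give each unknown host a reason that helps with prioritisation."""
    if CAMPAIGN_HINT.search(host):
        return "possible forgotten campaign page"
    if NON_PROD_HINT.search(host):
        return "non-production or legacy exposure"
    return "unknown"


def reconcile(approved, observed):
    """Return ({unknown host: reason}, [approved hosts never observed])."""
    seen = {n for n in (normalise(o) for o in observed) if n}
    unknown = {h: classify(h) for h in sorted(seen - approved.keys())}
    never_seen = sorted(approved.keys() - seen)
    return unknown, never_seen


if __name__ == "__main__":
    unknown, never_seen = reconcile(APPROVED_INVENTORY, OBSERVED)
    for host, reason in unknown.items():
        print(f"UNKNOWN      {host}: {reason}")
    for host in never_seen:
        print(f"NOT OBSERVED {host}: inventory entry may be stale")
```

Hosts in the first list are the ‘below the surface’ part of the iceberg and need an owner and a scan; hosts in the second list are inventory entries that may be stale or may be hidden behind a name the passive sources did not capture.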
The current market is overwhelmed by different cybersecurity solutions, each promising a unique ROI. Cybersecurity decision-makers who are aware of their resource limitations must therefore prioritise attack surface visibility in order to manage the risk that ALL web applications pose. Failing to run a discovery effort can turn ten or 20 issues into two or three hundred flaws. So don’t wait for the attack vectors to pile up: assess your web application attack surface now and use this information to drive your application security controls, so that cybercriminals never get even a toehold (never mind a foothold) in your organisation.