Weak security is a major flaw of most web applications. Leaving the business environment highly susceptible to cybersecurity attacks every day. Insecure applications provide a gateway for criminals to pivot directly into an organisation’s corporate environment. So why are the organisations leaving themselves vulnerable through poor web security practice? Moreover, how can companies strengthen their cybersecurity to develop programs that deliver the best web application technology and not compromise the app's security?

A definition of web application security

Web application security is an area of information security that focuses on protecting the safety of websites, web applications and web services. Trained security consultants such as LRQA Nettitude apply the principles of application security management through the internet and web systems.

No compromise web application security

In 2017 the majority of successful network penetration tests exploited vulnerable web applications. (Kaspersky)  

In the same year, a staggering 73 per cent of the triumphant network boundary breaches originated from vulnerable web applications.  

Whether it be through customer-facing applications such as online shopping or banking apps, or internal corporate systems, organisations are increasing their web-based presence every day.

However, with the growing popularity of web applications continuing so is the increasing threat of attacks from cybercriminals. The unprotected software is threatening the critical infrastructures of countries as it is now the connecting interface of many different business sectors and embedded into modern culture.  

Consequently, it is essential that web applications be security tested regularly and should any vulnerabilities be detected they must be remediated straight away.

The safety of the app also needs to be a priority in the early stages of development of the program and not at the end of a project as is so often the case.

Government - highest-risk web applications

The IT security company Kaspersky reported that web applications belonging to government organisations posed the highest security risk, with critical threats found in a high proportion of investigations in 2017.

E-commerce - most secure web applications

However, web applications for e-commerce platforms built in 2017 fared most securely as a business area. Kaspersky reported that they were generally more secure and protected from external tampering.

What are common web application security vulnerabilities?

With the fast pace of software development and consumer take up, neither organisations or end-users can afford to suffer the security weaknesses identified in web applications.

In the 2017 Open Web Application Security Project (OWASP) Top 10 report, the online security community presents the top ten most prevalent security flaws for web applications. (OWASP)   

A1:2017 – Injection

• Injection errors SQL, NoSQL, OS, and LDAP injection
• Suspicious information interpreted as part of a command or query
• Data accessed without authorisation

 A2:2017 - Broken Authentication

• Authentication and session management are often applied wrongly
• Criminals exploit passwords, keys, or session tokens
• User identities temporarily or permanently exploited

A3:2017 - Sensitive Data Exposure

• Application Program Interface (API) not set up to protect sensitive data
• Credit card fraud, identity theft, or other crimes
• Encryption provides extra security for Personally Identifiable Information (PII), financial, healthcare data

A4:2017 - XML External Entities (XXE)

• Old or badly configured XML processors evaluate external entity references within XML documents
• Disclose internal files Uniform Resource (URI) handler, internal file shares, internal port scanning, remote code execution, denial of service (DDoS) attacks

A5:2017 - Broken Access Control

• User restrictions are often not adequately enforced
• Criminals exploit these flaws to access unauthorised functionality and data

A6:2017 - Security Misconfiguration

• Security misconfiguration is very common
• Result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, incorrectly configured HTTP headers, longtail error messages
• Configure all operating systems, frameworks, libraries, applications
• Patch and upgrade regularly

A7:2017 - Cross-Site Scripting (XSS)

• XSS flaws through untrusted data
• XSS allows criminals to run scripts in the victim’s browser
• Takeover user sessions vandalise websites, take the user to inappropriate sites

A8:2017 - Insecure Deserialization

• Insecure deserialization can result in remote code execution
• They can also be used to perform attacks
• Replay attacks, injection attacks, privilege escalation hits

A9:2017 - Using Components with Known Vulnerabilities

• If a vulnerable component of the application is exploited, it could lead to critical data loss or server takeover
• It may undermine application defences and enable multiple attacks

A10:2017 - Insufficient Logging & Monitoring

• Inadequate logging and monitoring
• Combined with a poor incident response
• Attackers undetected in the network
• Data is tampered with, extracted, destroyed
• In most cases, the time to detect a breach is over 200 days
• Sadly, a breach isn’t always uncovered internally. However, it is often third parties that reveal an attack

What do web application vulnerabilities mean for business?

Despite a growing rise in the popularity of cybercrime and its devastating effect on the victims, the level of protection adopted by organisations is very low. Security professionals such as Nettitude believe that security should be a board-level priority for any business, and a critical technology concern for senior IT executives such as CISOs and CTOs.

Web applications are one of the most relevant types of software used today. The complexity and uniqueness of web applications present a challenge to the security stance of any business. Modern-day applications manage progressively sensitive data, and therefore it is vital that they be secure and do not introduce added risk to an organisation.

Who can assure web application security?

To test and remediate web application security organisations should engage an independent CREST-certified penetration testing firm that specialises in web application penetration testing such as Nettitude.

It is essential to partner with a diverse team of professional security consultants that have a good amount of experience in both security and software development.

It is also a good idea to choose a firm that uses the latest threat intelligence to assess emerging threats to your industry and company with increasing accuracy.

How does web application testing take place?

To seek guidance on how web application security testing services and methodology contact security specialists.

What are the best practices to mitigate vulnerabilities?

Here are some examples of security measures organisations can implement to mitigate a web application breach:

• Restrict access to management interfaces
• Identify vulnerabilities/bugs within the organisation and focus on remediating them quickly but securely for the longterm
• Conduct timely updates of the vulnerable software
• Employ password protection
• Set-up firewall rules
• Organise routine security assessments of the IT environment and especially business-critical data
• Log, monitor and detect security incidents
• Create incident response policy and procedures in the event of a breach
• Set upRed Teaming exercises to determine how your organisation would respond in the event of a real-world attack
• Adopt early development testing for new software applications to minimise risk, and reduce any costs or time spent on remediation
• Scan applications regularly
• Follow the OWASP Top 10 rules for web application security as a minimum checklist
• Work with professional independent security consultants to provide your organisation with the highest level of security assurance and strengthen your overall security posture