It’s no surprise that many organizations continue to grapple with web application security. Companies in nearly all industries today build and deploy web apps to deliver the products and services their customers rely on. They need to deliver these apps faster now than ever before, but moving to agile development isn’t always a smooth process. Couple this new reality with the fact that attackers continually become more knowledgeable, skilled, and creative, and it becomes clear that organizations need better strategies to keep web apps safe.
The first step to improved web application security is to clear up the most common misconceptions about the practice. Once you can separate the myths from the reality, you’ll be better prepared to implement a comprehensive, rigorous, and effective security program at your organization.
Myth #1: We Do Penetration Testing. Isn’t That Enough?
Pen testing has many advantages, including the ability to pinpoint significant weaknesses in your network that can be exploited when attackers leverage numerous smaller vulnerabilities (such as minor coding errors and employee breaches of security protocols). But, it won’t protect against zero day exploits, which can be devastating to your network and your data.
Also, since security teams often know when pen tests are scheduled, they are likely to prepare in advance, potentially leading to an overly optimistic view of the organization’s true web app security posture. Unlike scheduled test scenarios, malicious attacks don’t come with advance warning.
Myth #2: If We Protect the Network Perimeter, Our Apps Will Be Safe.
It’s a common misconception that perimeter security solutions such as firewalls, anti-malware, and intrusion detection can fully safeguard web applications. Unfortunately, advanced threats such as SQL injection and Account Takeover (ATO) attacks can easily bypass perimeter protections.
Such threats allow attackers to exploit holes in the perimeter, in the form of vulnerable web applications and access points outside the network perimeter, such as mobile or IoT devices.
Even one vulnerable application can provide a window of opportunity to attackers, potentially compromising an enterprise’s entire network. So while tools such as firewalls are important, they’re far from comprehensive protections.
Myth #3: Security Doesn’t Matter Before the Application Is Launched.
Web apps need security protections at all stages of development. The fact is, staging and testing sites may feature the same vulnerabilities that threaten any other website. It’s critical to ensure that early, potentially buggy versions of your web apps (which can be found by persistent attackers armed with automated tools) don’t provide an opening for hackers.
Myth #4: We Rely Mostly on Commercial Software, so Web App Security Is Not Our Problem.
Software obtained from vendors is far from immune to vulnerabilities. And although some believe otherwise, even commercial software products are likely to contain open source and third-party code. This code can contain the same vulnerabilities that can endanger any other code (and by extension, your organization’s web application stack).
Myth #5: We Don’t Have to Worry About Security: Our Site Is Too Small to Be Targeted.
This myth is particularly damaging to organizations’ application security posture. Attackers of all stripes, from script kiddies to sophisticated hacker organizations, leverage automated tools that allow them to probe relentlessly for weaknesses in websites and web apps. In this case, obscurity is no guarantee of protection.
The Solution: Shoring Up Applications’ Defenses
Want to learn more about common threats to web app security, and get specific, actionable steps your organization can implement today to improve application defenses? Check out our ebook, Account Takeover: How Hacking Happens in 2016.