Web applications help trusted users navigate your site and your content. They also provide direct entrée into your system for those who wish to harm your organization. If your web applications aren’t secure, neither are you. As hackers begin to realize this, attacks on web applications are increasing. These attacks were the top attack vector in 2015, representing 40 percent of all breaches, up from just 10 percent the year before.
The primary motive for hackers is financial gain. The secondary motive is gaining information that can be used to help in a different attack. So, no industry is safe from the attention of these criminals.
You’ve Been Hacked. Now What?
When you get hacked, much of the focus for your organization will be on remediation and recovery. What does that look like?
- Average cost: $4 million
- Time to fix the vulnerability once you find it: at least 90 days
- Loss of critical information, equipment, or other assets
- Time for mitigation and recovery of lost assets
- Time to restore operations and services
- Loss of customer confidence
- Loss of business due to business interruption or damaged reputation
- Legal issues
- Direct costs like extortion, data destruction, or repairing physical damage to the system
- Associated costs such as crisis management or legal claims regarding fraud or privacy breaches
Unfortunately, the traditional security techniques in place in most organizations today will not protect you as well as you think they will. Identifying vulnerabilities is critical, but it’s just the first step. And it can take a long time for some of these legacy techniques to reveal a vulnerability. Which means your system might be at risk for a long time before you can even identify critical flaws, let alone fix them--and many of these techniques can take months to implement.
Incomplete Approaches to Web App Security
These five common web app security measures are important, but incomplete solutions:
1. SAST (Static Analysis)
Detailed analysis of data and control flow done by processing source code, or binaries without running the application.
2. DAST (Dynamic Analysis)
Discovery of application interfaces and injection of vulnerable traffic with the aim of discovering security weaknesses; performed while the application is running.
3. Developer education
Secure coding guidelines, online and in-person training courses, capture the flag competitions, etc.
4. IAST (Interactive Application Security Testing)
Analysis of application execution performed during runtime, and utilizing access and insights into application code.
5. Manual Penetration Testing
Internal penetration testing identifies how much damage someone can do from inside the trust barrier. External penetration testing identifies access points and how far a hacker can get into a system.
What Does Keep You Safe?
There is a new approach to application security that does a better job at safeguarding apps: Runtime Application Self-Protection (RASP). Because it works inside the application, monitoring how the app interacts with users, RASP knows the behaviors of authorized users, and will immediately take action when a behavior is malicious.
There is no one technique that will protect against every possible threat. But RASP comes the closest to providing complete protection for your web applications, and for protecting your organization and its assets from hackers.