Vulnerabilities in web applications have become one of the major vectors in cybercrime. Cybercriminals target web applications because most companies already deploy perimeter controls that neutralize traditional network-level exploits, while the application itself remains reachable by design.
“When businesses first connected to the Internet in the early 1990s, they encountered the precursor to modern day hackers: malicious users that probed computers for open ports and platform vulnerabilities. To prevent breaches, organizations deployed firewalls and intrusion prevention systems (IPSs). However, when these same organizations opened up access to their Web applications, hackers quickly circumvented the firewalls, and they used evasion techniques like encoding and comments to evade IPS signature detection.” (ICT Security)
Most Web applications follow a client/server architecture, and the database servers behind them are among the assets every large company operates. Once an attacker has exploited a vulnerable Web application, they can pivot from it into the organization's network and damage the assets interconnected with it.
The danger is a false sense of security: having deployed a security product, companies assume they are covered, yet the measures adopted are most of the time not robust enough to stop these threats.
The recurring strategy to reduce the exposure of Web applications is to test them, identify unsafe code, and then correct that code so the vulnerabilities found are removed rather than merely masked.
The most common attacks exploit syntactic and semantic flaws in a Web application, such as SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF). SQL injection and XSS work by inserting characters or code statements into Web application inputs so that the application interprets data as code, altering the logical flow of the query or page; CSRF instead tricks an authenticated user's browser into submitting a request the user did not intend.
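As an added example (not code from the original page), the following Python script shows the two injection classes named above side by side: a login check that concatenates user input into SQL next to the parameterized version, and a comment renderer that embeds untrusted text in HTML next to the escaped version. The in-memory SQLite table, the single user row and the payloads are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory database with one user; not data from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable: the input is concatenated into the SQL text, so a quote in
    # the input closes the string literal and the rest is parsed as SQL.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    # Hardened: parameter binding sends the input as data; the statement's
    # structure is fixed before the values are seen, so quotes stay quotes.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_comment_vulnerable(text):
    # Vulnerable: untrusted text lands in the page as markup (stored/reflected XSS).
    return "<p>" + text + "</p>"


def render_comment_hardened(text):
    # Hardened: HTML-escaping turns <, >, &, " and ' into entities, so the
    # browser shows the payload as text instead of executing it.
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed SQL injection payload: closes the password literal and
    # appends an always-true condition.
    sqli = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, "bob", sqli))   # True
    print("hardened login bypassed:  ", login_hardened(db, "bob", sqli))     # False

    # Constructed XSS payload.
    xss = "<script>alert(1)</script>"
    print(render_comment_vulnerable(xss))
    print(render_comment_hardened(xss))
```

Running the script shows the unknown user "bob" logging in through the concatenated query with an empty username match and an injected `OR '1'='1'`, while the parameterized query rejects the same input; the escaped comment renders the script tag as inert text. The same two principles generalize: keep the structure of any interpreted output (SQL, HTML, shell command) fixed, and pass untrusted input only through a channel that treats it as data.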
The best practices to improve security in web applications are:
1. Know the need to improve security in critical Web applications.
The company must commit to prioritizing the eradication of vulnerabilities in its Web applications, backing that commitment with processes and up-to-date technology intended to prevent attacks rather than just detect them afterwards.
A Web application firewall should “automatically receive and apply dynamic signature updates from a vendor or other source.” (Recommended WAF capability in the PCI DSS Information Supplement: Application Reviews and Web)
2. Measure the risks of a Web application compromise.
The company must consider consequences such as customers switching to competitors, falling sales, fewer new customers for fear that their data will be compromised, lawsuits, and losing the ability to accept trusted payment methods.
“Web application firewalls must deliver more sophisticated control at the application layer through a variety of contextual rule sets and behavioral analysis.” (Core of the Matter, Sandra Kay Miller, Information Security Magazine)
3. Establish an enterprise-level security program for deploying Web applications.
Manage everything involved in the development, implementation, production and maintenance of secure Web applications.
“When we talk about hackers, we are talking about a fully organized, well-oiled machine intent on gaining money. And hacking is most definitely a big industry.” (Security Week, “The Structure of a Cybercrime Organization”)
4. Use a program to discover and categorize the services of a Web application.
Run automated scans to discover the vulnerabilities of a Web application instead of performing this task by hand; bear in mind that a scanner finds known classes of flaws and does not replace code review or manual testing of business logic.
“On average, 31% of Website visitors are intruders. These shady non-human visitors include hackers, scrapers, spammers, and spies of all sorts.” (Incapsula Research)
5. Establish criteria for analyzing Web applications.
Use a scanner that can inventory every Web application the company exposes and enumerate the vulnerabilities of each, so that results are comparable across applications and can be prioritized by the same criteria.
“A layered fraud prevention approach provides defense in depth, and it is the best policy for preventing and containing losses that result from today’s and tomorrow’s threats.” (Avivah Litan, Gartner)
Cloud-based security services are recommended: they can mitigate Web application vulnerabilities without requiring large infrastructure, staff or technical support, although they protect against exploitation and do not remove the underlying flaws from the code.
“Cloud-based security services offer an easy and effective way to make websites faster and protect websites against hackers and bots.” (Lawrence Pingree, Gartner)