#HowTo: Protect Your Organization’s Web Apps

With more than nine out of 10 organizations either currently pursuing a digital transformation or planning to do so over the next year and 85% now migrating the majority of their workloads to the cloud, companies are swiftly responding to competitive pressures to perform “smarter faster better” in an era of ever-escalating and shifting customer expectations.

This is why custom web application development is emerging as more ubiquitous and prevalent than ever. Through custom web apps, organizations create their own internet-based tools to effectively manage customer experiences, business processes and additional functions based upon their specific industry challenges and requirements. Once reserved for large enterprises with extensive resources and teams of developers, access to custom web apps is now democratized for a company of virtually any size to leverage.

The average enterprise deploys 464 custom apps. The widespread adoption of custom web apps, however, increases the potential for cyber risk: custom web app developers frequently rely upon open source projects to incorporate modules or code, and the apps typically connect to other systems and applications via application programming interfaces (APIs). Both practices can introduce vulnerabilities.

What’s more, with COVID-19 fueling a rush to transition to a completely remote workplace environment (combined with rapidly rising competitive stakes), developers are primarily focused on addressing the urgent demand for business productivity, often at the expense of security. The risks extend to the use of web apps in general as well, including commercial and open-source web apps hosted by organizations. If they host the web server, they are responsible for the security of the web app. If they use a Software-as-a-Service (SaaS) provider, they may still be liable for any security issues that their customers encounter.

Organizations need to strongly consider these implications, as web applications account for 43% of breaches – twice the percentage of a year ago, according to the 2020 Data Breach Investigations Report (DBIR) from Verizon. Additional research from Positive Technologies reveals that hackers can attack users in nine out of every 10 web apps, and that breaches of sensitive data remain a threat in 68% of web apps while 82% of vulnerabilities are located in app code. The findings tell us that threat detection and response programs should start with web applications, and certainly not ignore them.

To further complicate the picture, 82% of HTTP/HTTPS traffic is encrypted, and hackers are exploiting this to “hide in plain sight.” Nearly one-third of malware and unwanted applications, in fact, enter networks over TLS-encrypted connections. Without comprehensive visibility of this activity, IT teams cannot make effective, data-driven decisions about the controls needed to adequately protect web apps.

Fortunately, a concept called web log analytics (WLA) is helping security teams identify vulnerable blind spots and minimize false positives. With WLA, team members analyze web access logs to uncover anomalous behavior and reconnaissance activities that elude traditional technologies such as web application firewalls (WAFs). While WAFs are still useful, teams should combine them with WLA to better position themselves to defend organizations from unknown and zero-day attacks on custom web apps.

With WLA increasing their visibility, IT teams improve their organization’s ability to protect web apps – whether customized or not – through the following benefits:

  • Teams more effectively investigate attack activity to find out whether they’ve been compromised.
  • Detecting reconnaissance at the very early stages of an incident can trigger automated responses such as “shunning the attacker” by blocking the source IP address. These measures are not foolproof, but they do raise the bar of difficulty for hackers, which often motivates them to move on to less secure targets.
  • Teams correlate malicious activity with vulnerabilities, to prioritize which of the “most likely to be attacked” web apps should move to the front of the line of their vulnerability management program. This enables teams to build a business case that designates where to fund WAFs, while assisting in WAF configuration decisions.
  • Security decision-makers can justify investment in more expensive, protective controls such as WAFs based on observed attack activity versus a theoretical threat model.
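As an added illustration of the analysis WLA performs (example code, not part of the original article), the script below parses web access logs in the Apache/nginx combined format, assumed here and constructed inline, and flags source addresses whose pattern of many requests, mostly 404 responses, across many distinct paths looks like reconnaissance; the flagged list is what an automated “shun the attacker” response would consume, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def recon_candidates(lines, min_requests=5, min_404_ratio=0.6, min_distinct_paths=4):
    """Flag source IPs whose access pattern looks like reconnaissance: enough
    requests, mostly 404s, spread over many distinct paths (thresholds illustrative)."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed or truncated lines
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == "404":
            s["not_found"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        if (s["total"] >= min_requests and ratio >= min_404_ratio
                and len(s["paths"]) >= min_distinct_paths):
            # Callers can feed these IPs to a block list ("shunning the attacker").
            flagged[ip] = {"total": s["total"], "not_found": s["not_found"],
                           "distinct_paths": len(s["paths"])}
    return flagged

# Constructed sample log: one probing client and one ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:13:55:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "python-requests/2.24"
203.0.113.7 - - [10/Oct/2020:13:55:02 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "python-requests/2.24"
203.0.113.7 - - [10/Oct/2020:13:55:02 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.24"
203.0.113.7 - - [10/Oct/2020:13:55:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.24"
203.0.113.7 - - [10/Oct/2020:13:55:03 +0000] "GET /login HTTP/1.1" 200 1834 "-" "python-requests/2.24"
198.51.100.4 - - [10/Oct/2020:13:56:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2020:13:56:12 +0000] "GET /app/orders HTTP/1.1" 200 2210 "https://shop.example/" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2020:13:56:20 +0000] "GET /app/orders/42 HTTP/1.1" 404 162 "https://shop.example/app/orders" "Mozilla/5.0"
"""
```

Running `recon_candidates(SAMPLE_LOG.splitlines())` flags only 203.0.113.7; the ordinary user's single 404 stays below the request threshold, which is the kind of false positive WLA is meant to avoid.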

In today’s environment, the digital transformation amounts to “make or break” competitive outcomes for companies. Web apps will continue to play an essential role here, boosting capabilities in a more agile, efficient and cost-effective manner. And, thanks to WLA, companies can deploy those apps with elevated visibility of any threats that could disrupt productivity or customer experiences and compromise data. With this, IT teams help their organizations achieve greater business value by ensuring that web apps are not only high-performing, but secure.
