Web Application Security
The leading vector for cyber-attacks
More than half of all breaches involve web applications (Source: Verizon DBIR) — yet less than 10% of organizations ensure all critical applications are reviewed for security before and during production (Source: SANS).
This happens because assessing security is not easy. Identifying security bugs is a challenge that requires not a one-size-fits-all approach but a combined one, maximizing the chance of finding vulnerabilities before moving on to remediation. This approach should include a well-defined application security program, manual pen testing, manual code review, automated scanning and training for developers.
The Leading Vector for Cyber-Attacks
- Freely available tools can be used to exploit impactful vulnerabilities such as SQL Injection (which can give unauthorized access to data in a database);
- Defenders have to protect web applications 24/7, while attackers can launch attacks at will;
- It's hard to attribute attacks in cyberspace, so the strategy of legally prosecuting attackers doesn't work;
- The increased attack surface is a problem because web applications are a mix of open source components and custom code built on top of them. A vulnerability in either a component or the custom code can lead to a serious business impact;
- The pressure to release applications to market tends to push security considerations aside, so flawed software gets shipped.
Securing Web Applications
To secure web applications, manual analysis alone won't do, because it can't scale. Automated analysis alone won't do, because business logic flaws won't be detected. Training alone won't do, because developers need resources to protect applications. Of course every individual activity helps, but you have to combine them all if you want to defend against attackers.
- Automated Analysis: scale security to test all your applications by using automation to test living servers and to analyze source code for vulnerabilities;
- Manual Pen Testing: after an automated analysis, identify complex vulnerabilities and those specific to the business context;
- Manual Code Review: after an automated analysis, identify maliciously planted backdoors, logic bombs and other harmful code;
- Application Security Program: no tool can fix a broken process. Secure your entire software development lifecycle by adding security checks in each phase;
- Training for Developers: developers should be aware of security vulnerabilities and how to program defensively. A few hours of training can prevent hundreds of bugs, saving time and decreasing the cost of fixing them.
The approach is simple and has only 2 steps:
- Identify and fix immediate vulnerabilities: the first step is to find and fix immediate security vulnerabilities in production applications and servers using a combination of automated and manual analysis;
- Fix the process and train people: then we assess the development and security processes to identify and fix the activities that lead to unnecessary vulnerabilities, and train developers for future development.