Web applications are increasingly a gateway to successful cyber attacks. In this article Aatish Pattni looks at the threats posed to web application security - and how these can be successfully addressed.
One increasingly targeted component of organizations' IT estates is web applications. Recent victims of attacks on web applications include British Airways, where customer payment card details were stolen; Equifax, where records containing the personally identifiable information of over 140 million people were stolen; the GitHub software developer platform, which was briefly knocked offline by what was then the largest DDoS attack ever recorded; and a number of European banks, whose Internet banking applications were taken offline by attacks launched through the WebStresser DDoS-for-hire service.
These attacks on web applications fall into two main categories: data breaches that aim to exfiltrate sensitive data for re-use or re-sale, and distributed denial of service (DDoS) attacks designed to take websites offline and so hit revenue. Both offer criminals a low-cost, high-reward target, but neither is a new attack vector. So what has prompted the recent escalation in the web application war?
The changing nature of web applications
The single biggest reason is the changing nature of how applications are created and owned. In the past few years there has been a sharp rise in real-time data requests from customers, arriving through multiple devices and through third-party applications. To satisfy this demand, traditional software engineering principles have given way to agile and DevOps ways of working.
Applications are now typically developed within lines of business, outside the remit of the traditional IT department. Development teams work flexibly and iteratively to meet the demands of the business and its customers, without being burdened by legacy internal processes.
However, this approach often comes with a weaker appreciation of coding risks, and quality assurance gives less attention to security vulnerabilities. Several external changes have reinforced the view within the business that this approach is 'successful'.
The code repository boom
One such critical external change has been the rise of open source code repositories, which have become the lifeblood of the modern developer. Instead of writing thousands of lines of repetitive code for standard functions, a developer can pull a ready-made open source library from a public code host or package registry such as GitHub, cutting development time.
These repositories present a considerable, and often overlooked, security risk: they create a dependence on external code that is frequently unvetted. If the original developer removes the code, the application fails with errors or stops working altogether; more worryingly, several recent attacks have been traced to malicious modifications of code held in repositories. Pinning each dependency to an exact version, recording the hash of the artifact that was actually reviewed, and mirroring it internally reduce both the availability risk and the tampering risk.
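The two failure modes above (a dependency that floats to whatever the registry serves next, and an artifact that is silently replaced) are both caught by the same discipline: pin, record a hash, verify on install. The script below is an added example, not code from the article or from Link11; it audits a pip-style requirements file for dependencies that are unpinned or carry no `--hash`, and checks a downloaded artifact against a recorded SHA-256. The requirements text and the artifact bytes are constructed for illustration, and the hash value in the sample is a placeholder.

```python
"""Audit a Python requirements file for dependencies that float or carry no
hash, and verify a downloaded artifact against the hash a lockfile records.

Added example, not code from the article or from Link11. The requirements
text and the artifact bytes are constructed for illustration.
"""
import hashlib
import hmac
import re

# "name==1.2.3" (optionally with [extras]); any other specifier floats.
PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==\S+")


def parse_requirements(text):
    """Return (requirement, [hashes]) per logical line, honouring pip's
    backslash continuations and ignoring comments and option lines."""
    entries = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        tokens = logical.split()
        logical = ""
        if not tokens or tokens[0].startswith("-"):
            continue  # blank line, or a -r / --index-url style option line
        hashes = [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")]
        entries.append((tokens[0], hashes))
    return entries


def audit_requirements(text):
    """Map each risky dependency name to the reason it is risky."""
    findings = {}
    for req, hashes in parse_requirements(text):
        name = re.split(r"[\[=<>!~]", req, maxsplit=1)[0]
        if not PINNED_RE.match(req):
            findings[name] = "not pinned to an exact version"
        elif not hashes:
            findings[name] = "pinned, but no --hash ties it to a known artifact"
    return findings


def verify_artifact(data, expected_sha256):
    """True if the downloaded bytes match the recorded SHA-256, compared in
    constant time (pip's --require-hashes mode performs this same check)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


# Constructed sample requirements file; the hash is a placeholder value.
SAMPLE_REQUIREMENTS = "\n".join([
    "# constructed sample, not a real lockfile; the hash value is a placeholder",
    "requests==2.31.0 \\",
    "    --hash=sha256:" + "ab" * 32,
    "flask>=2.0              # floating range: whatever is newest at install time",
    "left-pad                # no version at all: the registry decides what you get",
    "pyyaml==6.0.1           # pinned, but nothing ties it to a specific artifact",
])

if __name__ == "__main__":
    for name, reason in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: {reason}")
    wheel = b"constructed wheel contents"
    recorded = hashlib.sha256(wheel).hexdigest()
    print("artifact ok:", verify_artifact(wheel, recorded))
    print("tampered ok:", verify_artifact(wheel + b"!", recorded))
```

Running the audit as a CI gate on every change to the requirements file, and installing with `pip install --require-hashes -r requirements.txt`, means a removed or swapped upstream package fails the build rather than reaching production.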
This has prompted many application developers to use web development platforms instead, essentially outsourcing the underlying technology to an organization that specialises in it (e.g. WordPress, Wix or Weebly). This is not without security risk either, as the underlying platform and its ecosystem of plugins and themes may carry a significant number of vulnerabilities; and because these platforms are so widely deployed, threat actors monitor them closely in order to exploit emerging vulnerabilities at scale.
Devices, APIs and cyber threats
The issues above are further complicated by the growing number of bots and applications that need access to other applications, creating ever more machine-to-machine communication channels. At the heart of this sit the Application Programming Interfaces (APIs) that allow devices and services to connect and share information automatically.
But while APIs give applications a new, automated way to communicate, they also open a significant back door that attackers can exploit. APIs are typically less protected and less monitored than the browser-facing front end: authentication, authorization and rate limiting are often enforced only in the web UI, while the API it calls trusts any caller. Threat actors therefore invest considerable time in discovering the APIs behind web applications so that they can connect to them directly and exfiltrate data.
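What "connecting directly to the API" looks like in practice is an attacker walking the ID space of an endpoint the web UI calls on the user's behalf. The code below is an added example, not code from the article or from Link11: it models one JSON endpoint, `GET /orders/<id>`, first as the unprotected back door and then hardened with per-call authentication and object-level authorization, and runs a simple enumeration against both. The in-memory order and token tables, the token strings and the request dictionaries are constructed for illustration.

```python
"""The same JSON endpoint, GET /orders/<id>, as an unprotected API behind a
login-protected web front end, and as a hardened one.

Added example, not code from the article or from Link11. The in-memory
ORDERS and TOKENS tables, the token strings and the request dicts are all
constructed for illustration.
"""
import hmac

# Constructed data: each order belongs to a customer; bearer tokens map to customers.
ORDERS = {
    1001: {"customer": "alice", "card_last4": "4242", "total": 120.0},
    1002: {"customer": "bob", "card_last4": "1111", "total": 35.5},
}
TOKENS = {"tok-alice-constructed": "alice", "tok-bob-constructed": "bob"}


def _bearer_token(request):
    """Extract the token from an "Authorization: Bearer <token>" header."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def _customer_for(token):
    """Resolve a token to a customer, comparing in constant time."""
    for stored, customer in TOKENS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return customer
    return None


def vulnerable_get_order(request, order_id):
    """The back door: the web UI makes users log in, but the API it calls
    trusts any caller and returns whichever order ID is requested."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def hardened_get_order(request, order_id):
    """Authenticate every call, then authorise at the object level."""
    token = _bearer_token(request)
    if token is None:
        return 401, {"error": "authentication required"}
    customer = _customer_for(token)
    if customer is None:
        return 401, {"error": "invalid token"}
    order = ORDERS.get(order_id)
    # Answer 404 rather than 403 for someone else's order: the endpoint then
    # does not confirm which IDs exist, which would help an attacker enumerate.
    if order is None or order["customer"] != customer:
        return 404, {"error": "not found"}
    # Return only what the client needs, never the raw record.
    return 200, {"total": order["total"], "card_last4": order["card_last4"]}


def enumerate_orders(handler, request, id_range):
    """What an attacker who has found the API does: walk the ID space and
    keep every order that comes back."""
    leaked = {}
    for oid in id_range:
        status, body = handler(request, oid)
        if status == 200:
            leaked[oid] = body
    return leaked


ANONYMOUS = {}
AS_BOB = {"headers": {"Authorization": "Bearer tok-bob-constructed"}}

if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, no token :", enumerate_orders(vulnerable_get_order, ANONYMOUS, ids))
    print("hardened, no token   :", enumerate_orders(hardened_get_order, ANONYMOUS, ids))
    print("hardened, bob's token:", enumerate_orders(hardened_get_order, AS_BOB, ids))
```

The monitoring half of the problem is visible in the same code: a single client requesting sequential IDs and collecting 404s is exactly the pattern an API gateway should rate-limit and alert on, and it is invisible if only the web front end is logged.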
Domain Name System (DNS) risks
These flaws in how web applications are provisioned are compounded by DNS risks. DNS can be targeted with attacks that either disrupt a web application or harvest data directly from its end customers. For instance, to redirect legitimate traffic to a fake site, threat actors manipulate the records that resolve the application's domain (by taking over the registrar or DNS hosting account, or by poisoning a resolver's cache) so that the name points at an IP address they control. The end user is often unaware that they are not on the legitimate site and unknowingly hands their credentials to the attacker. Registrar locks, DNSSEC and routine comparison of the records the world sees against the records you published limit this exposure.
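The "compare what the world sees with what you published" check is simple to automate. The script below is an added example, not code from the article or from Link11: it parses resolver answers in zone-file style (`owner TTL IN TYPE RDATA`, as `dig` prints them), diffs them against the records you expect to be published, and separately flags any record set on which the resolvers disagree with one another, which is how a single poisoned cache shows up even without a reference copy. The expected zone, the resolver names and their answers are constructed; in production the answers would come from querying several independent resolvers and the authoritative servers on a schedule.

```python
"""Detect tampering with a domain's published DNS records.

Added example, not code from the article or from Link11. The EXPECTED zone
and the answers attributed to each resolver are constructed; in production
the answers would come from querying several independent resolvers (and the
authoritative servers) on a schedule.
"""
from collections import defaultdict

# What we believe we published (constructed).
EXPECTED = {
    ("www.example.com.", "A"): {"203.0.113.10", "203.0.113.11"},
    ("example.com.", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.com.", "MX"): {"10 mail.example.com."},
}

# Constructed answers, in "owner TTL IN TYPE RDATA" form as dig prints them,
# keyed by the resolver that was asked. resolver-b returns a rogue A record.
OBSERVED = {
    "resolver-a": """\
www.example.com.  300  IN A  203.0.113.10
www.example.com.  300  IN A  203.0.113.11
example.com.      3600 IN NS ns1.example.net.
example.com.      3600 IN NS ns2.example.net.
example.com.      3600 IN MX 10 mail.example.com.
""",
    "resolver-b": """\
www.example.com.  60   IN A  198.51.100.77
example.com.      3600 IN NS ns1.example.net.
example.com.      3600 IN NS ns2.example.net.
example.com.      3600 IN MX 10 mail.example.com.
""",
}


def parse_answers(text):
    """Group RDATA by (owner, type); lines that are not IN-class RRs are ignored."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rtype = parts[0], parts[3]
        records[(owner, rtype)].add(" ".join(parts[4:]))
    return records


def diff_zone(expected, observed):
    """List (rrset, unexpected_rdata, missing_rdata) for every RRset that
    deviates from what we published."""
    findings = []
    for key, want in expected.items():
        got = observed.get(key, set())
        extra, missing = got - want, want - got
        if extra or missing:
            findings.append((key, sorted(extra), sorted(missing)))
    return findings


def check_resolvers(expected, answers_by_resolver):
    """Map resolver name -> findings against the published zone."""
    return {name: diff_zone(expected, parse_answers(text))
            for name, text in answers_by_resolver.items()}


def resolver_disagreements(answers_by_resolver):
    """RRsets for which the resolvers do not all return the same data. One
    resolver out of step with its peers is what a poisoned cache looks like,
    and this check needs no reference copy of the zone."""
    parsed = {name: parse_answers(text) for name, text in answers_by_resolver.items()}
    keys = set().union(*(p.keys() for p in parsed.values()))
    return {key: {name: sorted(p.get(key, set())) for name, p in parsed.items()}
            for key in keys
            if len({frozenset(p.get(key, set())) for p in parsed.values()}) > 1}


if __name__ == "__main__":
    for resolver, findings in check_resolvers(EXPECTED, OBSERVED).items():
        print(resolver, "OK" if not findings else findings)
    print("disagreements:", resolver_disagreements(OBSERVED))
```

Feeding this from `dig +noall +answer @<resolver> www.example.com A` for each resolver you care about, and alerting on any non-empty finding, turns a silent redirect of your customers into a pageable event within one polling interval.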
These attacks are often run alongside DDoS attacks, which, as noted above, aim to knock web apps offline, whether to hurt revenue or to extort a ransom from the victim.
Securing web applications
Given the tangled web of connectivity and coding required to power the web applications that businesses now so commonly rely on, what steps can be taken to ensure that they remain secure, and win the battle against attackers?
As a starting point, organizations should refer to the Open Web Application Security Project (OWASP), an open community dedicated to enabling organizations to develop, purchase and maintain applications and APIs that can be trusted. Every few years the project publishes a list of the 10 most critical web application security risks, commonly referred to as the OWASP Top 10.
While businesses should implement protection against the OWASP Top 10 to establish a standardised baseline, it is important to note that many of those protections are generic mitigations against common attack patterns, typically signature rules applied to every request, and they can produce false positives that block legitimate traffic.
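The false-positive problem is easiest to see with the most common generic mitigation, a SQL-injection signature. The code below is an added example, not code from the article or from Link11: it applies a simplified stand-in for the kind of injection pattern generic rulesets ship to a handful of request values, sorts them into blocked and passed, and then shows the query-side fix that makes the signature unnecessary. The signature, the user table and the sample values are constructed for illustration.

```python
"""Why a generic injection signature blocks legitimate traffic, and what
actually closes the hole.

Added example, not code from the article or from Link11. The signature is a
simplified stand-in for a generic WAF rule; the user table and the request
samples are constructed.
"""
import re
import sqlite3

# Crude signature of the kind applied to every parameter of every request.
SQLI_SIGNATURE = re.compile(
    r"('|\"|--|;|/\*)|\b(select|union|insert|update|delete|drop|or|and)\b",
    re.IGNORECASE,
)


def signature_blocks(value):
    """True if the generic rule would block a request carrying this value."""
    return SQLI_SIGNATURE.search(value) is not None


def triage(samples):
    """Sort (value, is_attack) samples into the four possible outcomes."""
    outcome = {"blocked_attack": [], "blocked_legit": [], "passed_attack": [], "passed_legit": []}
    for value, is_attack in samples:
        key = ("blocked_" if signature_blocks(value) else "passed_") + ("attack" if is_attack else "legit")
        outcome[key].append(value)
    return outcome


# Constructed request values with a label saying whether each is an attack.
SAMPLES = [
    ("' OR 1=1--", True),                                 # classic tautology
    ("alice' UNION SELECT card FROM cards--", True),
    ("alice", False),
    ("O'Brien", False),                                   # a surname with an apostrophe
    ("select your seat and we'll do the rest", False),    # copy pasted into a search box
    ("Paris; Rome; Berlin", False),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a@example.test"), ("O'Brien", "ob@example.test"), ("bob", "b@example.test")])
    return conn


def find_user_concatenated(name):
    """The vulnerable query the signature is trying to protect."""
    conn = _connect()
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:  # a legitimate apostrophe breaks the query outright
        return ["error: " + str(exc)]
    finally:
        conn.close()


def find_user_parameterised(name):
    """The real fix: input is bound as data, never parsed as SQL, so neither
    the attack nor the apostrophe needs a blocking rule."""
    conn = _connect()
    try:
        return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]
    finally:
        conn.close()


if __name__ == "__main__":
    for bucket, values in triage(SAMPLES).items():
        print(f"{bucket:15s} {values}")
    for value in ("' OR 1=1--", "O'Brien"):
        print(repr(value), "concatenated:", find_user_concatenated(value),
              "parameterised:", find_user_parameterised(value))
```

The triage shows the trade-off the article describes: the rule catches both attacks, but it also rejects a real customer's surname and ordinary free text, and each such rejection is a support ticket or a lost sale. The parameterised query returns the right answer for every input, which is why the signature should be treated as a compensating control while the code is fixed, not as the fix.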
As such, the most important factor in web application security is understanding the risk exposure of each application. This can be done at a holistic level by asking three key questions of each stakeholder in the business:
- What is important? Look at the web application from an enterprise-wide risk perspective.
- What is dangerous? Which threats apply to this application given its exposure? For example, consider API threats if the application exposes APIs to external parties.
- What is real? Of the dangerous threats, which are realistic to expect and would affect what is important?
Answering these questions yields a realistic risk profile, which lets security and development teams work in tandem to ensure applications are not left exposed. To help with this there is a vast array of off-the-shelf security controls for web applications, which should be layered according to the application's risk profile.
However, a static stack of controls is unlikely to remain adequate given the rate of change: security systems that rely on humans to tune and update them cannot keep pace with the changes applications undergo through business demand, or with the evolution of external threats.
Modern security controls need to be built as automated systems that adapt dynamically to changes in the environment and block attacks before they reach the application itself. That level of adaptation calls for machine-learning models trained on data from both the external connection and the back-end application. With these tools in their security arsenal, organizations will be well positioned to win the web application wars.
Aatish Pattni is Head of UK and Ireland for Link11.