Verizon describes web app attacks as any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. Key findings of the 2016 DBIR highlighted the information and retail sectors, alongside financial services, as the top industries under attack. The report also revealed that “the breaches within this pattern are heavily influenced by information gathered by contributors involved in the Dridex botnet takedown. Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers, dominate the actions. Defacements are still commonplace and CMS plugins are also a fruitful attack point.”
“This is why web application security matters,” says Anton Jacobsz, MD at Networks Unlimited, a South African value-added distributor of converged technology, data centre, networking and security technology solutions, operating throughout Africa. “Victim demographics range far and wide, and when it comes to having your data compromised, no country, industry or business is bulletproof.”
Lori MacVittie, a subject matter expert on cloud computing, cloud and application security, devops and application delivery at F5 Networks, a Networks Unlimited partner company, adds: “The application is, by its purpose, a public-facing resource. We put it out there and expect – nay, we encourage, we entice, we beg – consumers to interact with it. To use it. To install it. To visit it often. It is an application world, and that means applications are critical to every aspect of business, whether that’s customer facing, employee-facing or internal systems running. We rely on applications for just about everything we do these days, and yet when we mention security we never seem to remember it. It’s really about time we start paying more attention to application security, and not just data security or network security or encrypted communications.”
She explains that data is most vulnerable when it is in process in the application. That is because at that point it is in plaintext, and completely under the control of that application. The application can display it, modify it, and deliver it to whomever (or increasingly whatever, given the rise of bots and spiders and malware) can coax it out.
“That means we need to pay more attention to securing applications against exploitation and attack. From the platform (the web or app server) to the protocols (TCP and HTTP) to the actual code itself,” MacVittie continues. “We need to scan and scrub and discover and defend against the myriad methods used by attacks to exploit the entire application stack.”
Web application attacks are on the rise and have been for a while. The attacks doubled in frequency from under 20 percent in 2012 to 40 percent in 2013 according to F-Secure Labs, and Neustar found in 2014 that 55 percent of DDoS targets experienced smokescreening (volumetric DDoS as a cover for the real, application-layer attacks), with nearly 50 percent having malware/virus installed and 26 percent losing customer data.
“Application attacks are a real and significant threat, especially as they migrate to the cloud where fewer options for protecting them may be available,” MacVittie points out. “The native services available in the cloud focused on security are all about access and encryption. None of them are ‘application layer’ security and none provide the coverage necessary to inspire confidence in withstanding an attack designed to disable, corrupt or exfiltrate data by exploiting the application itself. That means you need another solution; another service designed to protect applications and the data it is responsible for handling in the cloud just as you do in the data centre.”
She advises that that may mean a cloud-enabled web application firewall (WAF) or WAF as a service, or at a minimum a thorough application of the best practices recommended by OWASP on every application deployed in the cloud.
“Cloud security may be viewed as a shared responsibility, with the provider and the customer taking on the chore of different aspects of securing ‘the cloud’, but application security is 110 percent the responsibility of the one who puts that application in the cloud in the first place. That’s you, and that means you need to consider carefully what services and solutions you’re deploying to protect that application from what inevitably looks like the attack that’s going to come your way,” concludes MacVittie. “Application security isn’t like an expensive bodyguard. It’s not something that only the VIP apps get. It’s more like personal security, and it’s something every application that presents itself in public should have. And that’s true whether those apps are in the data centre or in the cloud.”