As digital transformation in our society increases, it is no surprise that the number of cybersecurity breaches and serious incidents rises every year. 2017 has been another record-breaking year and we’ve only just entered November. The increase in data breaches and the targeting of large and small organisations alike tells us that cybercriminals are growing in both numbers and exploitation capability.
It is important that we analyse the activity of these cyberthreat actors so that we can identify the trends of their behaviour. By understanding how they operate and what they are targeting, we can defend against them more effectively. The Verizon Data Breach Investigations Report (DBIR) is now in its 10th year. The report combines data sets related to cybersecurity breaches and incidents from public and private organisations globally.
At Barrier Networks, we specialise in Network and Application Security (AppSec), and what we see in the industry reflects what the DBIR data tells us. Web Applications are becoming the breach vector of choice, as you can see in the Verizon DBIR Incident Classification Patterns from the 2016 and 2017 reports. The 2016 report is especially interesting because it also plots the 2015 figures for each breach vector as a grey line, so we can see that attacks on Web Applications increased dramatically between 2015 and 2016.
The 2017 report shows breaches via Web Applications are continuing to be the most prevalent.
There are several reasons why Web Applications are increasingly targeted. Many of them are exposed to the internet, so they are reachable by attackers, but considering how these applications are created helps to explain the figures further.
Unlike other software that is exposed to the internet, such as email or DNS server interfaces, many web applications are created by in-house development teams rather than by commercial software companies with mature security practices. Building software and then releasing it into production on the internet is a risky process because of the numerous challenges inherent in secure software development.
When a business is trying to get its latest software release to market so that it can win more customers, the security of the application is often a lower priority than deploying new features or functionality. Additionally, secure software design and coding have not been a widespread requirement in past years, so there are software developers who can create fantastic applications but have never worked on the security aspects of software development.
Cyber criminals can use web applications to gain access to the back-end databases that store sensitive data records by exploiting security vulnerabilities within the application code. Thankfully, it is possible to build security controls into the software development life cycle through education, process improvements and security tooling. By using security tools that integrate into the developer’s workflow, you can find vulnerabilities at the source, where they can be remediated faster and with less risk to the organisation.
It is important that we don’t rely too heavily on tooling, and AppSec is no different. The adage is People, Process and Technology: if you enable your developers with security education (where required) they will thank you for it and your security posture will benefit greatly. Your developers are your biggest asset, so it makes sense to start with them. The processes that support your development life cycle can then be adjusted to add checks and balances that improve secure development without impacting delivery timescales much, if at all. Lastly, there are security tools that integrate into your developers’ current software to automate vulnerability checks of their source code and provide continuous assessment of their application builds. They won’t replace a penetration test, but they will make your penetration tests more effective by leaving fewer vulnerabilities for the pentester to find, and as there will be less to find it will be quicker to remediate, which means faster deployments.
A common misconception we encounter is that Next Generation firewalls will protect web applications because their data sheets advise that they block SQL Injection attacks, Cross Site Scripting attacks, etc. This is true to an extent, as firewalls can block some of these attacks using signature detection technology, but when providing perimeter security for web applications we need to consider implementing dedicated web application firewalls (WAFs). A WAF is a purpose-built product that can help protect your application while it is under attack and can also provide protection against newly identified vulnerabilities while developers work on a code fix.
Our web applications are being targeted more than ever so if you do host sensitive data within an application and security hasn’t been a concern until now, please review it before someone else does.