Web application attacks are on the rise. A recent study found that they were the primary cause of reported breaches in 2017 and Q1 2018. This marked increase is partly due to the greater variety in web application vulnerabilities, as new attack vectors are found and exploited.
Lack of attention to security is also an issue, with another study discovering that 96 percent of all web applications contain some type of vulnerability that could be used to harm users.
Application developers and security personnel need to be aware of these emerging web app vulnerabilities, as well as the cybersecurity practices you should put in place to rev up application security policies and procedures. Knowledge is key when it comes to defending your applications and their users, especially as new threats appear (and attackers jump on the chance to exploit them).
Education: The top web application vulnerabilities in 2019
1. AI-powered attacks
Artificial Intelligence (AI) delivers many benefits to web application development, allowing developers to create more meaningful and robust products. But AI is also being used for malicious activity.
Attackers can use AI-powered hacking algorithms to find the tiniest application vulnerabilities and analyze complex user behaviors and scenarios. Analysis that would normally take weeks and months to complete can be done almost instantly, arming attackers with information they can use to exploit web applications.
One of the first AI cyber attacks detected was in late 2017, when attack software was able to disguise itself by mimicking normal behavior, making it harder to detect. Automated bots can also be used to launch attacks, as they become more difficult to differentiate from a human and are increasingly good at exhibiting “normal” behavior.
The best defense for this type of attack is to use AI for good. Using AI to protect your app is the future of application security, and a direction the industry is moving toward. Build it into your security system for proactive monitoring and incident reporting.
AI can help reduce false positives, prioritize threats, and automate the remediation process. Companies will also need to improve authentication measures so they are harder for automated bots to circumvent. The typical security questions, usernames, and passwords will not be enough. Consider adding software or hardware tokens if you haven’t already, for example.
2. Open source security threats
Open source components are commonly used in web application development. They shorten development time, allowing developers to add functionality to their web apps without having to write the code from scratch. That added functionality contributes to a better end product while staying within budget and timeline.
But these benefits go right out the window if security is not kept in mind. We always recommend security testing for all open source components. Don’t assume they are secure just because someone else has used them.
This is going to become even more important in the coming year. Why? As open source becomes more common in web application development, it becomes a bigger (and more tempting) target for attackers. If they can find an exploit for one open source component or library, they can potentially hit multiple applications at once. And because these libraries and components are open, it makes it much easier for them to find those exploits.
A recent analysis on open source security found that the use of open source components is on the rise, but focus on security is not keeping pace. One-third of enterprises examined have still not patched vulnerabilities stemming from open source components, and over half of the threats found were deemed critical.
The first step to defend against these attacks is to only use open source code from trusted repositories—however obvious this might seem, it’s a precaution remarkably few developers bother with. An active user community is a good sign that developers are currently using and (hopefully) testing the open source components for security issues.
Beyond that, Software Composition Analysis (SCA) tools, such as Black Duck Hub and OWASP Dependency Check, should be used to scan your source code for vulnerabilities before deployment.
Another important, deceptively simple precaution is to create a working document to track open source components in your application—all of the components you are using, where they are being used, and which versions are currently deployed. In the event of an attack, this document will allow you to quickly identify the affected applications or lines of code, helping you remediate the threats quickly.
A formal remediation strategy can also be used to make sure your team is ready to act quickly if a vulnerability is discovered. The faster you move, the less damage is done.
Ransomware was one of the most prevalent types of attack in 2017, up 46 percent, according to the 2018 Symantec Internet Security Threat Report.
Ransomware often makes us think of an entire network being locked up from an attack (as in the case of the WannaCry breach), but it can also happen at the application level. In that case, an application is attacked in such a way that it can no longer be used properly. The attacker demands a ransom in exchange for releasing the application.
Web applications are not safe from ransomware attacks. The most common route of entry would be through a software package used in a web app. An attacker could embed a ransomware toolkit into the package, and developers could unknowingly install the package as part of their web application.
As outlined above, developers often use third-party packages in web application development, and many of these open source solutions are vulnerable to exploitation, making it all too easy for attackers to create malicious versions and trick developers into using them.
To protect your web applications from ransomware, you should, of course, perform regular security testing on all third-party components used in web applications. We also recommend using a package manager such as Sonatype to create a trusted repository of packages for developers to choose from.
4. Attacks on known vulnerabilities
Gartner predicts that through 2020, 99 percent of vulnerabilities exploited will have already been known about for at least one year—“known” meaning that these vulnerabilities have been identified and disclosed, but not fixed. Using components with known vulnerabilities exposes your application to attack.
The Heartbleed vulnerability is a prime example. This vulnerability can be traced to a single line of code that put sensitive data at risk. Many companies scrambled to update the patch once it was exposed. Failure to do so for other vulnerabilities opens your organization to a damaging attack.
It is important to address vulnerabilities as soon as they are found, especially ones that can jeopardize sensitive information. Educating your developers on the importance of application security can motivate them to give security the attention it deserves.
Security needs to be integrated into the design and development process from day one. There are ways to make this integration easier, as you will see when we discuss cybersecurity trends for the coming year.
Prevention: The top cybersecurity trends in 2019
1. Bug bounty programs
Bounty programs, in which attackers are paid to try to break into applications and systems to expose vulnerabilities, are becoming more popular. These “friendly” attackers help improve the security of your application by finding weaknesses before malicious attackers exploit them. This approach fills gaps that can be missed by automated security testing.
Sometimes a human touch is needed to find new ways to expose an application to attack, and attackers who find new or rare vulnerabilities are being well-rewarded. Bug bounty firms such as HackerOne manage vetted attackers and help organizations find vulnerabilities faster.
2. Application vulnerability management
As we mentioned earlier, security needs to be integrated into the development process. More organizations will begin to use tools to make this process easier. An application vulnerability manager streamlines the application security testing process by removing duplicate results from multiple testing tools and prioritizing results so you can attend to the most serious threats first.
Quality application vulnerability management tools integrate into your developers’ work environments, such as Eclipse and Jenkins, so vulnerabilities can be viewed and tracked without forcing developers to switch to another application. A tool such as this allows for comprehensive application security testing without slowing down the development process.
3. Data Security Governance programs
More organizations will begin to adopt Data Security Governance (DSG) programs in 2019. Data governance protects the integrity, availability, usability, and security of all data within the organization, including your applications.
A formal DSG program details and implements standardized policies and procedures so that user and business data is protected more efficiently and securely. Gaps in security are identified and addressed as part of this program. Your DSG program should be part of a larger IT governance strategy so it fits into your overall security plan.
4. Runtime Application Self-Protection (RASP)
RASP improves both web and mobile application security by detecting attacks in real time. An agent is installed within the application and monitors the app for attacks and protects against them.
It adds a layer of protection to the application while it is running, examining every executed instruction and determining whether or not any given instruction is actually an attack.
It can be used diagnostically, setting off an alert or alarm when an attack is found. It can also be used for self-protection and actually stop an execution that would result in an attack.
The global RASP market is currently expected to grow at a Compound Annual Growth rate (CAGR) of 29 percent through 2022.
5. Less reliance on passwords
While we don’t expect passwords to disappear completely (they are just too deeply established), a shift will happen, placing more emphasis on other recognition technologies. This shift will occur more frequently in medium to high-risk applications to make them more secure.
Facial recognition is an example that will improve web and mobile app security. These more advanced verification procedures are becoming more essential as the number and variety of threats rise.
As web application attacks continue to increase, developers and security teams must work together to prevent or defend against threats, new and existing alike. A comprehensive application security strategy that incorporates security into the entire application design, development, and deployment process is the best way to protect your business and users from an attack. This strategy must include education on the most recent attack vectors and advances in cybersecurity so your defenses are always at their best.