February is a month when love is in the air, when Valentine’s sweethearts woo each other with gigantic bouquets and luxurious chocolates. It’s also the month in which our VP of Technology and Solutions, JD Sherry, warned attendees of RSA Conference 2014 of a different kind of romance at work in cyberspace, in his presentation, Bad Romance: Three reasons Hackers Love your Web Applications & How to Break them Up.
The web app problem
The problem with web app security today is that in many cases it’s simply not working. Despite constant warnings from security vendors, industry organizations and even governments, some of the biggest data breaches in recent history have come from successful attacks on the web application layer. Overall, web app attacks accounted for 22% of the hacking actions observed in Verizon’s 2013 Data Breach Investigations Report (DBIR), and a staggering 66% of breaches go undetected for months on end. One notable example was that of a North Carolina fuel distributor, which lost $800,000 to a cyber-heist in 2013 after its bank made changes to its online banking web app. The changes made the site more convenient to use by simplifying log-ins, but also less secure.
The truth is that web apps have long been seen by the bad guys as the soft underbelly of the enterprise: the perfect vector for a successful incursion into corporate IT systems. The fact that they often hold valuable customer or sensitive corporate information puts them even higher on the wish list. It’s no wonder that cyber criminals keep going after them, given how many organizations are still caught out by failing to patch common SQL injection, cross-site scripting, PHP and other web app vulnerabilities.
Time to act
Unfortunately, an application-only approach to security leaves organizations wide open to attack. We must remember the platforms that web apps are built on – the web server and the operating system – where vulnerabilities can be exploited to create attack paths into the applications above. Time and again, outdated and unpatched versions of these platforms are left running in mission-critical environments: a ticking time bomb for the business, and one which could lead to a successful attack on web apps rich in sensitive data.
Another issue is organizational. Too often in firms today, the IT function is split, reporting lines are blurred, and it’s difficult to get the high-level understanding of risk that is so important to crafting an effective information security response. Forward-thinking IT departments are also undergoing a shift in the way they approach security analysis: broadly speaking, from an alert-driven response based on incident detection to an exploration-driven approach predicated on incident discovery. It’s a more proactive, investigative approach, applauded by Gartner, which could help teams get to the root cause of problems rather than fire-fighting.
The answer to all three issues is to gain a single, consolidated view of vulnerabilities and countermeasures (web application firewall, intrusion prevention and SSL certificates) at both the application and the network level, allowing security admins to decide on the best course of action as expeditiously as possible. This approach will help overcome organizational blind spots and could, with the addition of actionable vulnerability reports and a risk-based data classification system for web apps, enable the push to exploration-driven security.
Trend Micro’s Web Apps for Deep Security is the only product out there that combines security testing of the app and platform layers, countermeasure elements and SSL in a single dashboard.
A call to arms
We all know that CSOs are faced with diminishing budgets and calls to do more with less, but web apps remain a major threat vector. After all, business owners just want apps to look good and work well; they don’t care about the underlying security. So how can you drive change in your organization in a way that keeps business and IT happy, and your most sensitive data secure?
Well, it’s about better communication between key teams – and what better way to achieve that than with a single consolidated view of your entire web app environment? Coupled with executive reporting, it can enable security teams to liaise more effectively with app developers and designers and highlight areas for improvement. This way, we can begin to design security into our apps from the start, and as we all know, prevention is always better than the cure.