Are you buying or selling something online? Or perhaps doing research, hiring a new employee, or managing a customer relationship over the web? If you’re doing any of these things (and more), there is likely an Internet application right in the middle of these transactions.
Given the amount of sensitive information that is transmitted digitally every day, the web is an obvious target for malicious hackers. And the proliferation of insecure web applications makes web-based hacking attacks even more attractive, and even more profitable. At the same time, each successful attack can cost the owner of a hacked application or site dearly, in terms of monetary loss, customer defections, and brand reputation.
Remember, when a website or web application is attacked, the blame falls on the owner. This makes protection an essential survival skill for today’s businesses.
Web applications are the most exploited means of illicit entry by hackers. According to the Verizon 2016 Data Breach Investigations Report, web application attacks represented 40% of all data breaches last year. The total global cost of data breaches today is $360 billion, and according to the Ponemon Institute, the average total cost of a single breach is $4 million.
So how do you keep “the bad guys” away from your sensitive information?
To beat them, you need to join them – at least for a while. Learn to think like a hacker. Engage the services of “an ethical hacker” to see if you can break through your own defenses. It may seem counter-intuitive, but the best way to discover your application vulnerabilities is to hack yourself first.
Attacks come in many forms, from spoofing to denial of service, and unfortunately most websites expose more than one way in:
· Malware that infects desktop computers can reveal administrator or FTP credentials.
· Vulnerabilities in the server OS can provide a hacker access to the files that make up the website.
· Web applications that power dynamic websites present multiple ways for an attacker to exploit a site, most commonly by turning user-supplied input into queries that read from or write to the website’s database.
· DoS attacks can cause a disruption in web services. If any essential business processes are run over the Internet, these can cease to function as well.
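The third item above, an application that lets attacker-controlled input reach the database, is the pattern behind SQL injection. The following is an added example, not code from the original article: a login query built by string formatting, the same query written with parameter placeholders, and a constructed tautology payload run against both. The in-memory SQLite database, the `users` table and the function names are assumptions for the demonstration; plaintext passwords are used only so the query is readable (a real application stores password hashes).

```python
"""Added example (not from the original article): a dynamic web app's
login query built from raw input versus a parameterized version, and
what a classic injection payload does to each.

Assumptions: an in-memory SQLite database with a constructed `users`
table (username, password, role). Everything here is illustrative."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("admin", "correct horse battery staple", "admin"),
            ("alice", "hunter2", "user"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern that lets an attacker 'connect to the database':
    user input is pasted straight into the SQL text, so the input can
    change the query's logic instead of just its values."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    # fetchall() shows the blast radius: an injected tautology returns
    # every account, not just the one the user claimed to be.
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: placeholders keep data as data. The driver binds the
    values separately from the SQL, so the payload is compared as a
    literal string and simply does not match any row."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payload: closes the password literal and appends a
# condition that is always true. In the vulnerable query this becomes
#   ... AND password = '' OR '1'='1'
# and AND binds tighter than OR, so the OR branch matches every row.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run a legitimate login and the injected one against both versions."""
    conn = build_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "hunter2"),
        "vuln_injected": login_vulnerable(conn, "admin", PAYLOAD),
        "safe_valid": login_parameterized(conn, "alice", "hunter2"),
        "safe_injected": login_parameterized(conn, "admin", PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The check a reviewer wants here is simple: search the code base for SQL assembled with string formatting or concatenation and replace it with bound parameters (or an ORM that does the binding). Input validation helps, but it is not the fix; the fix is keeping data out of the query text.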
Why do hackers do what they do?
· “Grey hat hackers” operate without authorization but generally without malicious intent, hacking out of curiosity, for entertainment, or for reputation.
· “Ethical hackers” are seeking out vulnerabilities in order to stop malicious hackers.
· “Black hat” hackers such as s1ege are hacking for financial gain or to further an ideological or political agenda. s1ege was recently quoted as saying, “the movement is a retaliation to the 1% as elite banking cartels that are putting the world in a perpetual state of chaos.”
Needless to say, there are many more groups out there attempting to use “the hack” for their own personal agenda.
So how do you protect your business from these kinds of sophisticated, ongoing, and constantly evolving threats?
Here are 6 Proactive Steps to Securing Your Web Applications
1. Make sure you are taking the obvious steps to strengthen your web application security: continuous and dynamic assessment of your applications, risk-based prioritization of what you find, and threat intelligence to tell you which attacks are actually being used against applications like yours.
2. Make AppSec an integral part of your software development lifecycle (SDLC); bake it in so you’re not reacting to problems after the fact.
3. Consider hiring an ethical hacker to find vulnerabilities before the bad guys do. These hacking experts have the same skills as bad-guy hackers but choose to use that expertise for good. They’re up against a formidable array of troublemakers, and can be a “game-changing” extension to your security team, giving your developers valuable insights about the security of your applications.
4. Have your developers fix the vulnerabilities that are found, and verify the fixes with follow-up penetration testing, so that finding and fixing problems becomes a closed-loop process rather than a one-off exercise.
5. Position your AppSec program to apply security measures throughout the code’s lifecycle, so that no gap in the application security policy or the underlying system is left open by a flaw in the design, development, deployment, upgrade, or maintenance of the application.
6. Use best-in-class application security technology to conduct always-on assessments that constantly detect attack vectors and scan your application code.
Using these AppSec strategies, you will know where you are vulnerable, which applications need work, and how to beat the bad guys at their own game. You will also come out ahead more often than not as you navigate the business risks of operating in today’s digitally connected world.