Web applications as an attack vector are nothing new, although many may not realize just how severe the vulnerabilities really are, or how easily and how often they are exploited. Worse still, we have allowed them to stick around: many web developers and IT decision makers do not take web application security very seriously. Mozilla, for example, recently gave 93% of the websites it reviewed a failing grade for protecting against cross-site scripting (XSS) attacks. Web application security tends to be handled as an afterthought, addressed only after other security issues have been dealt with.

Background

A recent study conducted by Positive Technologies found that 44% of web applications are vulnerable to data leakage attacks through one or more vulnerabilities. Cyber criminals can easily exploit vulnerabilities in applications that handle sensitive data, such as financial, e-commerce and healthcare applications, to steal personal information.

Additionally, 48% of the applications were identified as vulnerable to unauthorized access, and 17% were exposed to vulnerabilities that could lead to complete takeover by cyber criminals. The most prevalent problem, according to the report, regardless of the programming language in use, is cross-site scripting.

The most alarming finding may be that 100% of web applications tested had a vulnerability of some kind.

Application Security and Awareness

Over the last several years, despite global increases in cyberattacks across all industries, cyber security awareness has seen a marked uptick across the board, from general staff to the executive level. While this is positive news, web application security remains poor and is still not prioritized sufficiently during the web development process. Many of the issues found in web application security can be prevented almost entirely through proper implementation of secure development practices, including code audits from the very beginning of development.

Why the disconnect? Why is web application security so far behind? To be brief, there are a few main causes. To start, web application security remains an afterthought in the web development process. Human beings interact with technology in ways that introduce vulnerabilities. Unfortunately, web developers are not always brought up to speed on web security concerns. It becomes nearly impossible to write secure code if there is no security expertise present to identify vulnerabilities.

Web Applications as Targets

According to the report, data theft is the key motivator for hackers who target web applications. While data leakage is a problem for any organization, whether the data is customer data or corporate trade secrets, the repercussions of stolen data have grown of late because of privacy laws such as GDPR and PIPEDA.

Any type of customer data loss can result in a cascade of problems for executives and industry leaders. Financial losses can quickly reach the hundreds of thousands to millions of dollars. At the same time, as more effort goes into data protection, stolen data becomes more valuable on the dark web, which encourages cyber criminals to improve their tactics as organizations improve their security.

How Can an Organization Protect Their Web Applications?

IT leaders, including CISOs and executives, should start by building cyber security measures into the web application design process as a way to keep customer data and overall security as a top priority.

For web application security, that means customer data security needs to be a primary consideration from as early as the planning stages of the web development life cycle. Presently this is not the case, so it represents a truly monstrous task for the industry as a whole.

As the study points out, it's very clear that security issues in web apps just aren't getting the consideration they require, and annual reviews keep finding the same mistakes repeated year after year.

Relaxed security in the software development stage may have been overlooked in the past. However, as privacy regulations, including GDPR and PIPEDA, begin to take hold, vulnerabilities found in any organization's web applications will result in more than just a nominal fine: brand damage and financial repercussions may inflict irrevocable harm on an organization regardless of its size.

For more information on how Packetlabs can improve your web application security, please do not hesitate to contact us.