Web applications perform critical functions for business operations and growth; they’re also exposed to the internet, making them easy targets for adversaries. This combination of importance and exposure warrants a robust security strategy to ensure your web applications are always running and that a potential front door to your corporate network is secure. From portals, customer relationship management (CRM), and ecommerce, to logistics management and application programming interfaces (APIs), organizations rely on numerous web apps to function. Without an effective web application security strategy, attackers will keep knocking until they find their way in, which can result in serious financial damage and downtime for your business.

These recent stats related to web application security tell a compelling story:

  • 22.5% of data breaches begin with web apps [1] – Web apps can be directly connected to sensitive data or serve as a stepping stone into the wider network.
  • 50% of organizations have suffered a data breach in the past two years [2] – This is an increase of 39% from the previous year.
  • 20,000 new vulnerabilities were discovered in 2021 [3] – In addition, 2021 had the largest number of zero-days ever recorded. For 2022, about 50% of zero-days are linked to previous vulnerabilities, which suggests that some security patches do not address vulnerabilities as comprehensively as they could.
  • 54% of organizations reported unplanned downtime due to an attack [4] – This downtime is occurring at least monthly, likely leading to a loss of revenue and operations.

Developing Your Web Application Security Strategy

Your web application security strategy should follow the same principles as your overall cybersecurity strategy, with the focus on three key outcomes:

  • Pre-breach (reduce the likelihood of compromise): Address vulnerabilities, threats, and configuration issues as early as you can and re-assess periodically. This should be performed during every stage of software development, adopting DevSecOps principles for build, launch, and live stages.
  • Point of Compromise (identify and block live attacks): The actual point where your application is being targeted with application exploits or credential attacks. A web application firewall (WAF) can sit in front of your application, inspecting requests, evaluating them against a set of policies, and stopping the malicious ones from progressing.
  • Post-breach (prepare and limit the impact of an attack): This is a critical element of your strategy. You must be prepared for a compromise and have rapid detection in place so that a compromise is caught early, with detection connected to response mechanisms that disrupt, contain, and remediate the threat.

In creating your strategy, don’t make the mistake of focusing all your energy and resources in just one of the three areas. In my experience, organizations often make the mistake of focusing almost completely on pre-breach measures and/or point-of-compromise prevention. While I would advise beginning with either of the aforementioned, it is imperative that your web app security strategy delivers on both pre- and post-breach outcomes.

Security Can’t Be an Afterthought

Experience has shown that many organizations or IT teams leave web app security strategy as a last-minute add-on, rather than an integral part of the build process, considering security controls and impacts at each stage. You can limit the likelihood of web app compromise by weaving security into your build process. Consider the following points:

  • Threat model — What threats could impact your application? What risks are there to your organization? Data exfiltration, ransomware, and client-side compromise are common adversary objectives when targeting web apps. Identify the objectives that affect your organization, model the attack sequences that could get them there, and apply appropriate controls to mitigate the risks.
  • Scan code — Always scan the code for vulnerabilities before you’re in development, especially if you’re using open-source code. While open source has its benefits, you have to use it responsibly, as third-party code can introduce risks, usually inadvertently, but sometimes deliberately. Log4j is still the shining example of the potential consequences.
  • Secure pipe — As there will be continuous integration with your pipeline, set up a process for doing this responsibly and effectively, using methodologies such as continuous integration and continuous delivery (CI/CD).
  • Vulnerability scanning — Scan the asset as it’s deployed on a periodic schedule (recommendation is daily), assessing the application from the outside in, from the internal network, and on the host itself to provide a 360-degree view of your exposures and prioritizations.
  • Penetration test — A penetration test goes even further with hands-on-keyboard attacks, simulating exactly what an adversary would do. Be sure to patch the results from your vulnerability scan first so your penetration testers have to earn their money, as they will provide you with a comprehensive report on any holes missed in the automated vulnerability scan and make recommendations on exactly what needs to be addressed and mitigated.
  • Monitor and re-assess — Constant monitoring is key, including monitoring of the application’s behavior to identify any abnormalities or threats. Applications, threats, and business strategy will evolve, so revisit and re-assess the processes you have in place to ensure they still are relevant and appropriate.

Security is a Constant Journey

Your cybersecurity strategy is ever evolving and needs to cover all aspects of your estate including your web applications. While many managed detection and response (MDR) solutions do not cover managed WAF, it is a standout element of Fortra’s Alert Logic MDR®.

We’re the security ally that ensures our customers have the maximum security value they need for their WAF, leading to true peace of mind. Collaborating with your team, we develop the best possible security policies and configurations to block the majority of attacks on your web apps. Our controls range from emerging threat protection, virtual patching, and credential attack protection to OWASP Top 10, CWE, and API protection, all optimized through truly expert management. Alert Logic MDR combines SaaS security with 24/7 coverage to give you the managed WAF protection you need.

Like all security, web app security is not a destination you reach; it’s a constant journey. Secure your web application security journey by partnering with Fortra’s Alert Logic MDR. To learn more, watch the on-demand webinar “Securing Web Applications” or check out our 2-minute MDR demo.


[1] 2022 Verizon DBIR
[2] The State of Security 2022
[3] 2022 Verizon DBIR, Google Project Zero
[4] The State of Security 2022

About the Author
Josh Davies

Josh Davies is a Product Manager at Alert Logic. Formerly a Security Analyst and Solutions Architect, Josh has tremendous experience working with mid-market and enterprise organisations; conducting incident response and threat hunting activities as an analyst before working with organisations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.
