
As digitisation accelerates across industries, awareness of the risks associated with web applications and their implementation remains largely reactive. Verizon's 2020 Data Breach Investigations Report (DBIR) found that 43% of breaches involved attacks on web applications, more than double the share reported the year before.
To help shed some light on the state of web application security, we recently sat down with Nabil Bousselham, Principal Solutions Architect at Veracode to discuss the current state of AppSec, what developments to look out for in the future, and how to best protect your security perimeter.
Ease of Accessibility Also Means Ease of Attack
Companies worldwide have adopted digital transformation with open arms – welcoming greater ease of functionality, information publishing, and decreased costs. However, a growing reliance on web applications and the number of cyber-attacks on them remains a cause for concern. So why has the number of attacks doubled year on year? As Nabil puts it, ‘web applications are easier to attack as they’re easier to access.’
Web applications have been embraced by businesses worldwide as an inexpensive and easy way to deliver value to end-users. The move to the cloud has also led to continuous growth of organisations' web perimeters: Veracode's Discovery service has found that customers typically have 30-40% more websites on their perimeter than they originally thought.
Unfortunately, this ease of accessibility comes at a cost. Most web applications are reachable from anywhere in the world, which makes them the first attack surface a cybercriminal encounters, a point Nabil uses to explain why he isn't really surprised by the rise in data breaches tied to web app vulnerabilities.
Nabil also points out that scalability is another challenge facing modern enterprise application security, stating that large organisations don’t “have full visibility into all web applications owned by their organization and therefore fail to effectively manage the risk associated with them.”
The Same Old Vulnerabilities
While app development only continues to accelerate as we adopt digital transformation, many of the vulnerabilities that plague code today have been around for years. In fact, according to Veracode’s 10th State of Software Security Report, the same vulnerabilities seen in libraries several years ago can still be seen today.
Nabil expands on this by stating that, again, the issue is not necessarily new vulnerabilities but rather one of scalability. One example he gives is Cross-Site Scripting: a category of vulnerability that has been known for many years, yet is still present in almost half of web applications because customers are unable to test for and remediate it at scale.
Training developers to incorporate security from the beginning of the development cycle is as important as testing. At Veracode, he continues, 'We try to create a level of technical, risk and compliance awareness for developers in their mostly-used programming languages to help them understand and adhere to industry standards such as OWASP, SANS, PCI'.
Strong Foundations for Strong Security
Even though far more applications are now being scanned, attacks on known vulnerabilities have become commonplace. With the number of open-source libraries used in development growing, Nabil finds that attackers are taking advantage of known vulnerabilities in those libraries.
In fact, he tells us that many developers have an 'out of box trust' in components developed externally, neglecting the security of third-party code in favour of scanning their own. As developers increasingly 'compose applications, as opposed to working on them from scratch', he recommends that teams think about scalable ways of detecting the libraries they use, understanding the risk each one carries, and remediating the issues found.
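As an added illustration of that recommendation (example code written for this page, not Veracode's tooling), the Python below does the first two steps in miniature: it parses the pinned dependencies from a requirements file and matches each one against an advisory list by version range. The requirements text, the advisory data and the ADV-000x identifiers are all constructed for the example; a real check would use a maintained vulnerability database and a full version-specifier parser.

```python
"""Minimal software-composition check: parse pinned dependencies and match
them against advisories by version range.  Added illustration only; the
requirements text and advisories below are constructed, not real data."""
import re

# Constructed sample of a pinned requirements.txt (not from the article).
REQUIREMENTS = """
requests==2.19.1
pyyaml==5.3.1
jinja2==2.11.3
# comments and blank lines are ignored

urllib3==1.26.5
"""

# Constructed advisories: package -> list of (introduced, fixed, placeholder id).
# A version v is affected when introduced <= v < fixed (fixed itself is safe).
ADVISORIES = {
    "requests": [("2.3.0", "2.20.0", "ADV-0001")],
    "pyyaml":   [("0.0.0", "5.4", "ADV-0002")],
    "urllib3":  [("1.26.0", "1.26.5", "ADV-0003")],
}


def parse_version(version):
    """Turn '1.26.5' into a tuple of ints so that comparison is numeric rather
    than lexical ('1.10' must sort after '1.9').  Non-numeric suffixes such as
    'rc1' are dropped, which is enough for pinned releases."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def parse_requirements(text):
    """Return {name: version} for exact '==' pins.  Comments, blank lines and
    non-exact specifiers are ignored; names are lower-cased for matching."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins, advisories):
    """Return (name, pinned_version, advisory_id, fixed_version) for every pin
    that falls inside an advisory's affected range."""
    findings = []
    for name, version in pins.items():
        pinned = parse_version(version)
        for introduced, fixed, advisory_id in advisories.get(name, []):
            if parse_version(introduced) <= pinned < parse_version(fixed):
                findings.append((name, version, advisory_id, fixed))
    return findings


if __name__ == "__main__":
    for name, version, advisory_id, fixed in find_vulnerable(
            parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{name}=={version} affected by {advisory_id}; upgrade to {fixed}")
```

Run against the constructed input, the check flags requests and pyyaml and passes urllib3, because 1.26.5 is the version in which the constructed advisory says the issue was fixed. The useful point is the range comparison on parsed version tuples: a string comparison would have ranked 1.9 above 1.10 and silently missed affected pins.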
One way of addressing this challenge is by 'shifting left in security testing and remediation'. Through awareness, empowerment and enablement training, he believes developers will start to incorporate security into the development cycle rather than approaching it reactively.
Make Sure You Pick the Right Tools for You
A common theme throughout our talk with Nabil was the challenge of scalability. As the use of open-source libraries ‘skyrockets’, many organisations are unable to maintain complete control over the governance of their perimeters. He continues by stating that the issues don’t lie with a particular programming language, but rather ‘scalability, control, and governance of the programme’.
Static code analysis, dynamic analysis and software composition analysis are the three techniques Nabil outlined for detecting, protecting against and fixing security flaws and vulnerabilities, prefacing the advice by making clear that the right choice depends on the type of issue you want to address.
While static code analysis tests first-party source code, teams still need dynamic analysis (DAST), also known as black-box testing, to identify security issues in web applications as they actually run, whether in a test environment or in production.
Dynamic analysis determines the presence of commonly occurring vulnerabilities by directing a series of requests at the running application and evaluating the responses it returns. Because it exercises the real deployed application rather than a model or abstraction of it, a confirmed finding is an active, exploitable vulnerability rather than a theoretical one. The caveat is coverage: a dynamic scanner can only test the pages, parameters and states it is able to reach, so crawl depth and authenticated access determine how much of the application it sees.
One advantage of dynamic analysis is that it mimics how an attacker would approach the deployed application through its web-accessible interfaces. It therefore finds the subset of flaws that are the obvious, easy targets for a malicious outsider, in particular the ones that let an attacker through the perimeter your applications form around your business processes.
Examples of such vulnerabilities include cross-site scripting, SQL injection and command injection. Remediating the application and configuration flaws found by dynamic analysis enables enterprises to improve their application perimeter defences quickly.
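To make the request-and-evaluate loop concrete, here is an added example (written for this page, not Veracode's scanner) of a dynamic probe for reflected cross-site scripting: it injects a unique canary into each parameter, fetches the page, and reports any parameter whose canary comes back unencoded. The two target pages are constructed in-process so the example runs offline; the `fetch` callable is an assumption that stands in for an HTTP client.

```python
"""DAST-style probe for reflected cross-site scripting.  Added illustration
only; the two target pages are constructed here so the example runs offline."""
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def vulnerable_search(url):
    """Constructed target: echoes the 'q' parameter into HTML without encoding."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def fixed_search(url):
    """Constructed target: the same page with output encoding applied."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def probe_reflected_xss(fetch, base_url, params):
    """Return the names of parameters whose value is reflected unencoded.

    fetch(url) -> str must return the response body for a GET of url.
    base_url is the path without a query string; params are the baseline
    values a normal request would carry.  Each parameter is tested on its own
    so the finding names exactly which input is echoed back."""
    findings = []
    for name in params:
        # A random canary means a hit cannot come from static page content
        # or from a cached response to an earlier probe.
        canary = secrets.token_hex(4)
        payload = f'"><dast-{canary}>'
        trial = dict(params)
        trial[name] = payload
        body = fetch(f"{base_url}?{urlencode(trial)}")
        # Only the literal, unencoded payload counts: an encoded echo
        # (&quot;&gt;&lt;...) means the page applied output encoding.
        if payload in body:
            findings.append(name)
    return findings


if __name__ == "__main__":
    baseline = {"q": "shoes", "page": "1"}
    print("vulnerable target:", probe_reflected_xss(vulnerable_search, "/search", baseline))
    print("fixed target:     ", probe_reflected_xss(fixed_search, "/search", baseline))
```

Against the constructed vulnerable page the probe reports `q` and nothing else, because `page` is never echoed; against the encoded page it reports nothing. To point it at a real application you are authorised to test, pass a `fetch` that performs the HTTP request, for example a wrapper around `urllib.request.urlopen` that returns the decoded body. Note what this probe does not show: the request that is never sent, because the scanner could not reach the page or lacked a session, is never evaluated, which is the coverage caveat above.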
Mitigate the Risk of API Attacks
The world of microservices has greatly expanded over the past few years, introducing new API implementations as well as new vectors for attack. To finish our sit down, Nabil gave us his top three recommendations to mitigate the risks of API attacks:
- Start with security at the beginning of the development process.
- Enable developers to think about security and focus on remediation, not just detection.
- Choose a testing solution that provides accurate results without sacrificing scalability.
For externally developed applications, he recommends establishing Vendor Application Security Testing (VAST), a form of testing that Veracode offers its enterprise customers, allowing them to keep governance over their perimeter without affecting how their business runs.
Veracode’s Olivier Melis will be joining us for the Panel Discussion ‘How Can we Reinvent our Cyber Security Models to Build Trust in the Digital Era?’ at FranSec 2020. Learn more about his session and the many more in our highly topical agenda at france.cyberseries.io/agenda
View our full speaker line-up and secure your seat online for 24th – 25th June at france.cyberseries.io/register
Find out more about how Veracode’s solutions can help protect your digital assets by visiting veracode.com
About Olivier:
Olivier Mélis has worked in IT security for nearly 25 years. After successful commercial roles at Thales, Symantec and CyberArk, Olivier joined Veracode in 2019 to take charge of business development for the application security specialist in France.

