Do you know how many web applications you use in one day? It’s likely more than you can keep track of off the top of your head. You might have also lost track of the amount of data shared with these applications. Most would have different levels of personally identifiable information (PII), such as contact details, driver’s license or passport numbers, and credit card data.
As web applications have further permeated our daily lives, threat actors have honed their techniques to disrupt services and gather PII that they can use for their own gain. 87% of breaches reported to the Office of the Australian Information Commissioner (OAIC) involved contact information such as names, addresses, phone numbers, or email addresses.
How can you protect web applications from these security threats? Many articles talk about tools you can throw at the problem, but I want to go one step further and discuss a few key tactics we use at Galah Cyber.
Figure: Types of PII involved in data breaches (source: OAIC).
Architect applications to have native security
Controlling access to web applications and defining access policies may seem like bare-minimum requirements, but I still recommend them as the starting point. Go beyond simply enforcing strong passwords: set up multi-factor authentication (MFA), lock accounts after repeated failed password attempts, and consider asking users to re-verify their identity after a certain period.
Here are a few more measures you can take to add native security to your applications:
Least privilege access gives users only the access needed to complete their duties. For example, administrators have broader access than standard users. Regularly auditing and updating access is good practice for ensuring inactive accounts no longer have permission to modify web applications.
Third-party access management solutions such as Okta and Auth0 manage access controls for you with built-in features. Using these platforms is much easier than managing access yourself.
Open Policy Agent (OPA) unifies policy enforcement across software systems using Rego, a high-level language, for policy definitions. OPA supports you with auditing, compliance, and scalability to manage access controls and security policies in web applications.
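As an added example (not code from the original post or from Galah Cyber), here is a Rego policy of the kind OPA evaluates that combines the measures above: deny by default, role-based least privilege, refusal for inactive accounts, and an MFA check on sensitive actions. The input fields (user, action, mfa_verified), the role table and the account records are assumptions constructed for this example.

```rego
package app.authz

import rego.v1

# Deny by default: nothing is permitted unless a rule grants it.
default allow := false

# Constructed role table (assumption for this example): each role maps to
# the set of actions it may perform. Administrators hold a superset.
permissions := {
    "user":  {"read_own_profile", "update_own_profile"},
    "admin": {"read_own_profile", "update_own_profile", "read_any_profile", "modify_app_config"},
}

# Constructed account records (assumption); in a real deployment these
# would be loaded from the identity provider as OPA data.
accounts := {
    "alice": {"role": "admin", "active": true},
    "bob":   {"role": "user",  "active": true},
    "carol": {"role": "admin", "active": false},
}

# Actions that must only run in a session verified by MFA (constructed list).
sensitive_actions := {"read_any_profile", "modify_app_config"}
account := accounts[input.user]

# Grant only when the account is active, the role includes the action,
# and MFA has been verified for sensitive actions.
allow if {
    account.active == true
    permissions[account.role][input.action]
    not mfa_missing
}

mfa_missing if {
    sensitive_actions[input.action]
    not input.mfa_verified
}

# Reasons are emitted alongside the decision so denials are auditable.
deny_reasons contains "unknown or inactive account" if not account.active

deny_reasons contains msg if {
    account.active
    not permissions[account.role][input.action]
    msg := sprintf("role %q is not permitted to %q", [account.role, input.action])
}

deny_reasons contains "MFA verification required for this action" if mfa_missing
```

Evaluate with `opa eval -d policy.rego -i input.json 'data.app.authz'`; for an input of `{"user": "bob", "action": "modify_app_config", "mfa_verified": true}` the result has allow set to false and a deny_reasons entry explaining that the user role is not permitted to modify_app_config.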
Train your workforce
Training in Application Security (AppSec) equips teams with the skills to mitigate security threats in web applications. It involves understanding and implementing DevSecOps tools, navigating framework risks, and developing robust infrastructure practices.
Integrating DevSecOps tools: AppSec training equips teams to use DevSecOps tools for security automation in workflows. Static analysis tools help examine code for vulnerabilities pre-execution, while software composition analysis tools find vulnerabilities in open-source components. Training ensures teams can proficiently use these tools and act on their insights.
Building secure software architecture: AppSec training provides insights into risks and trade-offs of different frameworks, enabling informed architectural decisions. Training helps developers choose the right framework and implement security measures to protect websites and user data. It also covers the secure handling of web-specific elements like cookies to prevent data breaches and maintain website integrity.
Secure infrastructure and decisions: Training emphasises the importance of secure coding practices. For example, Infrastructure as Code (IaC) allows developers to build consistent and secure infrastructure. Training developers on IaC enables them to minimise human errors and inconsistencies that might lead to security gaps.
Continuously assure your security
Security misconfigurations become an easy entry point for threat actors to compromise web applications. The Open Web Application Security Project (OWASP) found that 90% of applications tested for their 2021 survey had some form of misconfiguration, with an average incidence rate of 4.51%.
Measures you can take to assure security include:
Adoption of DevSecOps and quality tools: Complete security testing within the DevOps pipeline to maintain the security and reliability of web applications. As teams implement code changes, testing acts as a checkpoint to identify vulnerabilities early and prevent compromised code from reaching production. Testing for vulnerabilities only after deployment to production could expose your web application to a zero-day exploit in the meantime. A DevSecOps approach also saves time and resources by addressing issues during development rather than post-deployment.
Monitor user activity and code changes: Keeping records of user activity and code changes supports you in monitoring potential threats to web applications. These records help detect unusual or unauthorised activities that may indicate a breach. Monitoring code changes also enables other developers to recognise and remediate new vulnerabilities. Your records should show any updates, fixes or new features added. This process also includes logging sensitive events by users and developers, with alerts set up to monitor them as they occur.
Using run-time observability: Run-time observability includes continuous, real-time monitoring and analysis of applications to identify and address security issues. It involves analysing data, such as logs, to proactively detect unusual activities and respond to issues in a timely manner.
Managing a bug bounty program: Bug bounty programs reward external developers for identifying software vulnerabilities. These programs are great for identifying and fixing bugs in web applications, but they also require proper management to mitigate tester biases and data breaches.
Compliance as Code: This automates compliance checks on web applications currently in production rather than applying rules manually. It ensures that developers consistently adhere to compliance requirements and have the necessary documentation if the application requires an audit.
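As an added example (not from the original post or from Galah Cyber), here is a compliance-as-code policy in Rego that checks an exported web application configuration against a few of the controls discussed on this page and reports violations in a form that can be filed as audit evidence. The configuration shape, the control labels and the sample configuration are assumptions constructed for this example.

```rego
package app.compliance

import rego.v1

default compliant := false

# Each violation carries a control label (constructed for this example) and
# a message, so the output doubles as evidence for an audit.
violations contains {"control": "TLS-1", "msg": msg} if {
    some listener in input.listeners
    not listener.tls
    msg := sprintf("listener %s does not enforce TLS", [listener.name])
}

violations contains {"control": "TLS-2", "msg": msg} if {
    some listener in input.listeners
    listener.tls
    listener.min_tls_version < 1.2
    msg := sprintf("listener %s accepts TLS %v; minimum is 1.2", [listener.name, listener.min_tls_version])
}

violations contains {"control": "COOKIE-1", "msg": msg} if {
    some cookie in input.cookies
    missing := {flag | some flag in {"secure", "httponly", "samesite"}; not cookie[flag]}
    count(missing) > 0
    msg := sprintf("cookie %s is missing attributes %v", [cookie.name, missing])
}

violations contains {"control": "AUTH-1", "msg": "MFA is not required for administrator accounts"} if {
    not input.auth.mfa_required_for_admin
}

compliant if count(violations) == 0

# Summary suitable for attaching to an audit record.
report := {
    "compliant": compliant,
    "violation_count": count(violations),
    "violations": violations,
}

# Constructed sample configuration with two findings (weak TLS floor and
# no admin MFA), evaluated in place so the policy can be tried without input.
sample_config := {
    "listeners": [{"name": "https", "tls": true, "min_tls_version": 1.0}],
    "cookies": [{"name": "session", "secure": true, "httponly": true, "samesite": "Lax"}],
    "auth": {"mfa_required_for_admin": false},
}
sample_report := report with input as sample_config
```

Run `opa eval -d compliance.rego 'data.app.compliance.sample_report'` to see the two findings, or pass a real exported configuration with `-i config.json` and query `data.app.compliance.report` from a scheduled audit job.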
Conclusion
As web applications have permeated much of our lives, they have become targets for threat actors to exploit. Protecting web applications from security threats requires a comprehensive approach that incorporates native security and continuous testing, all backed by developers trained in AppSec.
Enforcing access controls and policies prevents threat actors from breaching your company and modifying web applications. Continuously assuring security during the SDLC also strengthens applications. You should incorporate DevSecOps practices, monitor code changes, implement real-time observability and consider bug bounty programs to find remaining vulnerabilities. Following these key practices enables development teams to enhance web application security, protect sensitive data, and maintain user trust.
Galah Cyber’s AppSec as a Service secures your web applications
Our AppSec as a Service offering ensures that your software applications and related infrastructure are secure, reliable and compliant. Our experts identify and assess security risks to deliver actionable insights and address potential application vulnerabilities at every stage – from the software development lifecycle to applications operating in live environments. Please visit our AppSec as a Service page for more information.