The bleak reality of today: breach after breach after breach
While security consultants certainly don’t always agree on everything, any one of us will tell you that 2018 was a pretty terrible year, and not just because we learned that the fourth season of USA Network's Mr. Robot will conclude the series. In terms of cybersecurity, last year was quite awful, marked by daily headlines of massive data breaches that left people feeling hopeless and, ultimately, numb. Unfortunately, although unsurprisingly, 2019 has so far offered more of the same. Given this reality, it is hardly surprising that a recent nCipher Security report shows that one in five Americans suffers from security fatigue, meaning they no longer trust organizations to safeguard their personal information. This is very worrisome, because security is a collective effort and the stakes for both users and businesses are getting higher every day.
What’s at stake? Only the very survival of your organization...
For individual users, their very identity is at risk. In fact, a recent survey by ERP Maestro found that 37% of Americans have already experienced the consequences of identity theft or a related cybercrime. When it comes to organizations, they stand to lose pretty much everything. Last year, an IBM study estimated the average cost of a breach at $3.86 million, and that number is undoubtedly even higher today. Financial costs are only part of the picture, though, because a major security incident is also likely to result in lost business opportunities and reputational damage. A serious data breach might even prompt a customer exodus and ultimately lead to bankruptcy.
Web applications may be the security Achilles heel of your organization
Evidently, organizations want to prevent the above scenario, which is why companies are increasing their IT security budgets at a faster rate than their general IT budgets. However, many IT security departments are still understaffed, because budget increases aren’t always sufficient and because the growing cybersecurity skills gap makes it increasingly difficult for organizations to recruit IT security talent. Industry research shows that if organizations with underfunded and/or understaffed security departments want to minimize their risk, they should prioritize the security Achilles heel of many organizations: vulnerable web applications.
Web applications are increasingly vulnerable
Web apps are the number one breach vector according to a 2018 report by Verizon, accounting for almost 19% of data breaches. Furthermore, 24% of organizations in a recent survey by Sonatype experienced a data breach because of a vulnerable web application. And while more and more businesses rely on web applications, these solutions are becoming increasingly insecure.
A recent report by Positive Technologies found that 2 out of every 3 (67%) web apps the firm tested in 2018 were critically vulnerable to attacks, a significant increase compared to the year before, when only 52% of web apps contained high severity flaws. Moreover, the average number of critical vulnerabilities per app tripled from 2 in 2017 to 6 last year. Web apps also contained an average of 27 non-critical vulnerabilities, for a total of 33 flaws. Since 83% of those vulnerabilities were the result of poor coding practices, only 17% could be addressed by optimizing the configuration of the web app. Security shortcomings made it possible for attackers to obtain personal data from 18% of the apps that stored and processed such information.
For security consultants, it is equally baffling and frustrating that most of the security holes we identify are well-documented issues that can easily be avoided. The aforementioned research indicates that web applications are no exception to this rule, as the vast majority of probed apps were affected by the following, widely known vulnerability categories:
- Insecure configurations (79%) in the form of default passwords and settings, as well as improper disclosure of sensitive information about the app, such as crash data that could help threat actors find new flaws.
- Cross-Site Scripting (XSS) flaws (77%) that allow threat actors to target legitimate users by injecting malicious scripts into the application.
- Authentication errors (74%) that can make it possible for attackers to manipulate the login process. The most common examples were apps that did not sufficiently limit the number of times a user may attempt to log in within a certain time period; apps that came with one or more hard-coded passwords; and apps that allowed users to choose weak passwords.
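The three authentication errors in the list above each have a well-known fix: throttle failed logins per account within a time window, store a per-user salted password hash instead of a hard-coded or plaintext credential, and reject weak passwords at sign-up. The following Python snippet is an added example written for this post, not code from the cited research or from any product; the policy values (5 attempts per 300 seconds, 12-character minimum, the tiny deny-list, the PBKDF2 iteration count) are constructed assumptions that a real deployment would tune.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Optional, Tuple

# Constructed policy values for this example (assumptions, not from the article).
MAX_ATTEMPTS = 5           # failed logins tolerated per account...
WINDOW_SECONDS = 300       # ...within this sliding window
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000

# Constructed deny-list; production systems use a far larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def password_is_weak(password: str) -> bool:
    """Reject short or well-known passwords when an account is created."""
    return len(password) < MIN_PASSWORD_LENGTH or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): a random per-user salt and a slow PBKDF2-HMAC-SHA256 hash.
    Only these two values are stored, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Authenticator:
    """Minimal login service demonstrating attempt limiting and hashed credentials."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable clock so the window logic is testable
        self._users = {}         # username -> (salt, digest); no hard-coded accounts
        self._failures = {}      # username -> deque of failure timestamps

    def register(self, username: str, password: str) -> None:
        if password_is_weak(password):
            raise ValueError("password does not meet policy")
        self._users[username] = hash_password(password)

    def _recent_failures(self, username: str) -> deque:
        """Drop failure timestamps that have aged out of the window and return the rest."""
        now = self._clock()
        q = self._failures.setdefault(username, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        q = self._recent_failures(username)
        if len(q) >= MAX_ATTEMPTS:
            return "locked"      # too many recent failures: refuse without checking the password
        record = self._users.get(username)
        # Run the hash even for unknown users so response time does not reveal
        # which usernames exist; the dummy salt/digest never match.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            q.clear()            # successful login resets the failure counter
            return "ok"
        q.append(self._clock())
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "wrong"))                           # denied
    print(auth.login("alice", "correct horse battery staple"))    # ok
```

The lockout here is per account and purely in memory; a real service would persist the counters, apply a second limit per source address, and back the deny-list with a large breached-password corpus.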
What can organizations do to protect themselves and their customers?
In order to mitigate security risks stemming from vulnerable web applications, your organization can take the following steps:
1. Prioritize security during the development process
Custom web applications represent a great opportunity for your organization to offer unique services that will set it apart from the competition. However, in order to prevent those applications from putting your organization and your customers at risk, it is of critical importance that security is part of the development process from day one. This will require you to carefully consider the security requirements of custom applications and to make sure that the developers you work with actually prioritize these aspects. Security considerations should, therefore, be part of the recruitment process. Nowadays, many businesses try to cut costs by hiring freelance software developers through online platforms like Freelancer and Upwork. However, research indicates that freelance developers have a tendency to cut corners when it comes to security, for example by not adding encryption for stored passwords. You can prevent this by informing potential recruits about the security requirements for your application and asking them how they plan to implement them.
2. Implement configuration management and patch management
When it comes to open-source and proprietary web apps, your firm should see to it that the applications are securely configured and that updates and security patches are installed in a responsible, timely manner. For more information on this, see our recent whitepaper on security best practices for small and mid-sized businesses.
3. Regularly perform vulnerability assessments
While the first two steps are important, implementing those will not guarantee that your applications are fully secure. Because of this, you also need to regularly verify the security of your web applications. The best way to do this? Have a security professional perform a vulnerability scan. If you want to know more about what a vulnerability assessment is and how it differs from a penetration test, please check out our recent blog post on this subject.