Web application security is critical to your online presence, preventing cyber attacks and mitigating the risk of data fraud and theft.
Enterprise Web Application Security: Opportunities and Risks
Briskinfosec Technology and Consulting Pvt Ltd
Mobile: 8608634123
https://www.briskinfosec.com
https://www.facebook.com/briskinfosec
https://twitter.com/briskinfosec
Crisis accelerates change

In recent years it has been difficult to find a sector of the economy that does not use web applications, and during the pandemic their role in the professional and household environment increased many times over. Even companies not directly involved in goods, services or financial transactions have reorganized their work around online channels, updated their websites and acquired mobile applications. Soon there will probably not be a single area of human activity without a web interface.

Rapid digitalization is forcing companies and institutions to rediscover IT, rethink how processes are organized and update the tools that automate them. Locating most corporate systems outside the office has become the new norm, and cloud platforms have become the new infrastructure for building and scaling web applications.

Since the commercialization of the Internet, companies have faced the need to rapidly create and improve digital services. In a globally competitive environment, the race for new features and a shortage of developers leave little time and few resources to systematically address vulnerabilities and ensure data safety. In many companies information security competes with the business for resources and is perceived as an obstacle to development. As a result, security often receives insufficient attention, and the response to threats comes only when the victim of cybercriminals is already in the news.

Convenience or safety?

Blurring the boundaries between the Internet and the corporate network increases the dependence of a company's internal IT estate on the outside world, and with it the cybersecurity risks. To operate at the global scale of the Internet, companies have to rethink their security strategies and urgently build up their information security competencies.
Each advantage can have a downside, so the main goal of any information security strategy is to find a reasonable balance between convenience and security.
Two factors have a significant impact on this balance: remote work and the penetration of public web applications into the corporate environment.

Remote work

There is no escape from profound changes in working relationships, even if you do not work for an IT company. Remote work, which before the pandemic was seen as a means of attracting qualified employees, became the only way for many companies to continue operating during lockdowns. A large-scale test drive proved the ability of distributed teams to deliver complex projects, from filming TV shows to designing spacecraft. This means that demand for collaboration platforms and communication tools will grow, as will the headaches of information security departments. Whereas earlier "remote" capabilities were limited to access to corporate mail, today employees need access to applications (intranet, CRM, help desk, etc.) from any place with an Internet connection. The situation is complicated by the variety of devices employees use and the need to maintain a sufficiently high level of "digital hygiene" in their use.

Public web applications in a corporate environment

The service model of using software (SaaS, Software-as-a-Service) allows consumer companies to save on the development, support and operation of applications, and allows providers of such services to develop global markets. It is no coincidence that Salesforce CRM, one of the most famous SaaS companies, has a market valuation of over $200 billion. Companies from all sectors of the economy, from Visa to Starbucks, are becoming service platforms and give partners and customers the ability to interact with their systems over the web. Integration of web platforms using application programming interfaces (API, Application Programming Interface) has become widespread. Such interfaces are based on the HTTP protocol and allow data to be exchanged and the necessary functions of the web platform to be embedded in the customer's system. Public web applications carry out critical transactions and accumulate sensitive data. The potential damage from data loss and interruptions to such services is great, and the stakes are steadily rising.

We identify risks

The widespread use of public web applications and telecommuting increases employee productivity but complicates the protection of information in companies. The goals described by the classic "confidentiality, integrity, availability" triad are superimposed on the priorities of the business, for which convenient tools, the ability to quickly add resources as workloads grow, and control of budgets are important. It is important to strike a balance between these goals. On the one hand, information security should not be reduced to a purely formal set of activities carried out in a world parallel to the business. On the other hand, it should not undermine the efficiency of the company or block the work of employees. The real needs of users must be taken into account: in organizations with draconian prohibitions, most tasks end up being solved with "shadow IT", such as external cloud drives, public email services and the like.

Providing information security for web applications follows the traditional scheme, the first step of which is to identify threats, security problems and vulnerabilities. A universal recipe is hardly possible, so I would like to highlight the following areas of risk:

1. minimizing vulnerabilities at the software development and integration stage;
2. controlling access rights to systems;
3. taking into account the risks of impacts on the Internet infrastructure.

Design-level software security

Modern web development, as a rule, does not start from scratch but integrates ready-made frameworks, libraries and microservices. It is important to understand the original ingredients throughout the web application development lifecycle and to take steps to reduce the likelihood of vulnerabilities emerging. The right approach at the software design stage reduces the cost of protection later on. How can risk accounting be approached systematically when creating a web application? The basis of any information security system is the threat model. It formalizes the issues of concern, that is, the critical functions of the application and the potential sources and ways in which threats could be realized, and helps to assess the possible damage and select measures to prevent it.

The OWASP Top Ten list published by the non-profit OWASP Foundation is considered the starting point for becoming acquainted with the main threats and risks to information security in web applications. The list is based on independent research and industry surveys on the prevalence, detection complexity and ease of exploitation of web application vulnerabilities. The OWASP list is not exhaustive; it reflects only the most relevant threats at the time of the rating. The document is updated every 3-4 years; the last update was published in 2017.
Top 10 OWASP Web Application Security Threats

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

Other OWASP Foundation projects, the Web Security Testing Guide (WSTG) and the Mobile Security Testing Guide (MSTG), provide guidance on how to model threats and identify application vulnerabilities during design and operation.

Is the Internet infrastructure so reliable?

The globalization of IT operations is forcing companies to think about the reliability of the Internet. The uninterrupted operation of a web application is not possible if the underlying Internet infrastructure lacks resources or if the functioning of network services and protocols is disrupted. DDoS (Distributed Denial of Service) attacks and disruptions in the routing of user requests can be identified as the key risks in relation to the Internet infrastructure.
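As an added illustration (not part of the original Briskinfosec document) of why the distributed nature of a DDoS attack defeats per-source rate limits, the following Python script runs a per-source threshold and an aggregate load check over a constructed traffic sample; the thresholds, timings and client addresses are assumed values chosen for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed traffic sample (not captured from a real system). Each event is
# (second, client_ip). Ten legitimate clients each send 1 request/s for 10 s;
# from second 5 a botnet of 40 addresses joins at only 2 requests/s each.
def constructed_events():
    events = []
    for sec in range(10):
        for i in range(10):
            events.append((sec, f"198.51.100.{i}"))          # legitimate, 1 req/s
        if sec >= 5:
            for j in range(40):
                events.extend([(sec, f"203.0.113.{j}")] * 2)  # bot, 2 req/s
    return events

def per_source_peak(events):
    """Highest requests-per-second observed for each client address."""
    peak = defaultdict(int)
    for (sec, ip), n in Counter(events).items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)

def per_second_totals(events):
    """Total requests and number of distinct sources for each second."""
    total, sources = Counter(), defaultdict(set)
    for sec, ip in events:
        total[sec] += 1
        sources[sec].add(ip)
    return {sec: (total[sec], len(sources[sec])) for sec in total}

def analyse(events, per_source_limit=5, capacity=50, baseline_sources=10):
    """Assumed thresholds: a per-source limit (req/s), the server's capacity
    (req/s) and the normal number of distinct clients seen per second."""
    flagged = [ip for ip, n in per_source_peak(events).items() if n > per_source_limit]
    totals = per_second_totals(events)
    overloaded = sorted(sec for sec, (n, _) in totals.items() if n > capacity)
    surge = sorted(sec for sec, (_, d) in totals.items() if d > 3 * baseline_sources)
    return {
        "sources_over_limit": len(flagged),      # the per-source rule sees nothing
        "overloaded_seconds": overloaded,        # but aggregate load exceeds capacity
        "source_surge_seconds": surge,           # and the number of sources jumps
        "distributed_flood": bool(overloaded) and not flagged,
    }

if __name__ == "__main__":
    print(analyse(constructed_events()))
```

Every bot stays under the per-source limit, so only the aggregate request rate and the jump in distinct sources reveal the flood, which is the signal a capacity-rich filtering layer has to act on.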
Extensive exposure of web applications on the public network makes them a potential target for DDoS attacks. Weakly protected computers and other Internet devices are targeted by malware distributors and other attackers. Combined into a botnet, such devices represent hundreds of thousands of "loaded guns" capable, on a signal, of directing malicious traffic at the attacked application. As a result, communication channels overflow, server resources run out and the application becomes unavailable. Detecting and blocking DDoS attacks is complicated by the distributed nature of the traffic sources, each of which individually can look like a legitimate user. Tens of thousands of DDoS attacks are registered annually, and the largest known DDoS attacks exceed terabit volumes.

How can clouds help?

As you can see, the range of tasks related to the information security of web applications is very wide. Where can IT departments get the resources and competencies to solve them, and can cloud services help?

From secure clouds to cloud security

The colossal volume of innovation in workflow automation implemented over the past decade would not have been possible without cloud services, which have become the infrastructure and platforms for quickly launching and scaling applications. According to Eurostat, 36% of businesses used cloud computing in 2020, mainly for hosting their email systems and storing files in electronic form. 55% of these organizations also used advanced cloud services: financial and accounting software, CRM and ERP systems, or computing power to run business applications. The potential of cloud services is only beginning to unfold, and while the cost of software development grows faster than Bitcoin, migration to the cloud will only accelerate.

Can clouds be secure, and can security be in the cloud?
The main doubts about migrating to the cloud concern the transfer of confidential data and the security of the cloud itself. According to the 2020 Enterprise Cloud Trends Report, 45% of IT executives using cloud services rank cyber security projects as their top priority. The share of those ready to move protection against cyber attacks into the cloud is still relatively small, but it is growing rapidly.

The pros outweigh the risks

From a security standpoint, for most companies the cloud today is much more reliable than the enterprise network. Cloud vendors prioritize security and invest enormous resources in defense mechanisms, emerging-threat research and new development. Cloud security providers are uniquely placed to respond to incoming threats faster and more efficiently. Cloud-based security solutions therefore give even small companies the ability to protect themselves with the most advanced tools.

Cloud DDoS protection is a good example of this efficiency. DDoS traffic filtering solutions deployed at the customer's site are notoriously limited in capacity. It is difficult to repel a large attack on your own; it is much more effective to fight it with the help of a cloud, which discards malicious traffic far from the attacked web resource. Distributed Edge Cloud platforms, the next step in the evolution of the CDN, combine acceleration and protection of web resources by processing and filtering requests to the application in the immediate vicinity of users.

Another problem that cloud security solves is the high cost of maintaining your own infrastructure (hardware, software, licenses) and your own Security Operations Center (SOC). By using the cloud, companies avoid the cost of buying, installing, maintaining and upgrading hardware and software. Users of the service can also easily scale or change their protection to reflect new types of threats or to solve organizational problems; this is inherent in the capabilities of a cloud platform.

Any cyber security system must be accompanied by qualified information security specialists. Their experience, skill and speed of reaction ultimately determine the effectiveness of the defense. These competencies are not cheap. In addition, cybersecurity is a vast topic, and no single expert understands every aspect in detail; recruiting and maintaining a staff of diverse professionals makes sense only for very large businesses.

How to choose a cloud provider and make sure its solutions are secure?

The simplest recipe is to focus on experience and scale of activity. Make sure that your requirements are typical for the provider and that the tasks you propose have been solved successfully many times for other clients. In IT there is no monopoly on innovation, and this criterion can be met by both universal and niche players. It is also worth assessing whether your provider is able to invest sufficient funds in the security of its cloud and maintain a high level of information security expertise.