Cybersecurity Challenges to Enhance Web Security for Enterprises

Billy Spears, SVP, Chief Information Security Officer, loanDepot

Billy Spears, SVP, Chief Information Security Officer, loanDepot

Wowza! Another massive data breach affecting more than 100 million people across the United States due to an improperly configured Web Application Firewall (WAF).

The exposed data contained information submitted by the customers and small businesses in their applications for Capital One credit cards from 2005 to early 2019. The information included addresses, dates of birth, and self-reported income. This breach compromised approximately 140,000 Social Security numbers and 80,000 bank account numbers, as well as some customers’ credit scores and transaction data.

You may be thinking, ‘Who would do something like this?’ What does a hacker look like? We have seen these characters played on the big screen for decades. Movies like War Games, Blackhat, the Matrix, Tron, and Untraceable have created this euphoria around a faceless human with super abilities to bypass electronic controls and steal our most personal details.

In the example outlined above, a former AWS employee was arrested and indicted with fraud and identity theft charges after she documented her hacking journey on slack for the world to read.

Shouldn’t companies be able to prevent these types of risks? That is a great question and a perfect transition into why web security is so important. Have you ever tried to communicate a web security risk to someone? You mention web security, and they hear, ‘ejbebvo’ Hung’. If you are a fan of ‘Star Wars’ then you are aware that is the Klingon translation for web security.

Ok for everyone else, what exactly is web security? Web security is a form of application security that is specific to the security of websites, web applications, and web services. Web applications are constantly at risk from various threats such as cross-site scripting, insecure direct object references, security misconfiguration, injection flaws, broken authentication and session management, insufficient transport layer protection, and more. I know that some of you who are reading this still are sensing a bit of Klingon. 

"It is imperative to prioritize investment strategies implementing basic levels of precautionary measures to improve web application security"

Applications are hosted on servers available via the Internet or other networks and may have internal, connection-based, or other risks associated with the server operating systems. (A really cool guide containing the most serious risks is maintained by the Open Web Application Security Project (OWASP) and can be found on their website).

Web security needs to become a critical consideration for all businesses, big or small, because that website represents your company brand. It is a virtual retail shopping channel that is frequently the initial connection point with customers. If you are browsing through this article and think your industry is immune, then please understand that hacking your website is not an event that only occurs on the big screen as part of a Hollywood script. Your website contains very real security vulnerabilities that may be exploitable by nefarious actors causing critical operational implications to your business.

According to several global threat reports, including the European Union Agency for Network and Information Security (ENISA) Threat Landscape Report and the Verizon Data Breach Investigations Report web application attacks are in the top three attack patters in every vertical sector. Veracode’s State of the Software Security (SOSS) 2019 found that more than 13 percent of all applications have at least one critical severity flaw and more than 85 percent have at least one vulnerability in them. Did you know that one in four high and very high severity flaws aren’t addressed within 290 days of discovery?

With all this risk, why don’t businesses just improve their web security posture? Maybe there is a fundamental lack of understanding, awareness, or urgency to address these risks. After all most development teams are primarily focused on the users interface or experience (UI/UX) right? Why should developers spend time building security into their code? Most small and medium businesses believe they are too small to be hacked and would rather deliver features to the market rather than ensure this code is thoroughly tested for security resilience.

This perception provides a false sense of assurance and often leads to a disastrous result. Are you aware that most hackers use automated technologies to discover vulnerabilities in websites and web-facing applications? As a business owner, you’re not thinking about protecting your security posture using defense in depth or layered principle strategies. You would traditionally be thinking about sales, revenue, and market share. It is imperative to prioritize investment strategies implementing basic levels of precautionary measures to improve web application security supporting business growth.

For anyone that doesn’t know where to begin I have put together a list of minimum requirements to include in your web application security program:

1. Develop a web application security policy for your organization.

2. Web software applications should be developed according to the Open Web Application Security Project (OWASP)secure coding guidelines.

a. Validate all data received via the HTTP Request and on the data on the server-side.
b. Pass session IDs and cookies via SSL (HTTPS).
c. Vulnerability testing should be performed before moving the application to production or whenever there are changes to the application.

•  Incorporate automated vulnerability testing into existing application development processes while using multiple types of testing. Some examples include:

Static Code Analysis: The analysis of software that is performed in a non-runtime environment. Typically, a static analysis tool will inspect program code for all possible run-time behaviors and seek out coding flaws, back doors, and potentially malicious code.

Dynamic Analysis: Testing and evaluation of web applications by executing data in a fully operational environment to check for known security vulnerabilities. The objective is finding errors in the application while it is running, rather than by repeatedly examining the code offline.

Software Composition Analysis (SCA): Allows you to identify third-party and open source components that have been integrated into all your applications. It informs you about the licenses for each of them and identifies out-of-date libraries that should be upgraded or patched

• Manual Penetration Testing: A manual analysis method requiring a human to test specific application vulnerabilities within the given domains.

Log security flaws into a tracking system and actively work with development teams to remediate by priority.

Always report results. A simple way of ensuring accountability is to communicate gaps. Be consistent and stay positive.