The Web App Security Puzzle

Web apps have become the security industry’s Achilles heel. In fact, vulnerabilities in web apps are now one of the most common network threats, accounting for 55 percent of all server vulnerability disclosures – not including vulnerabilities in custom-developed apps, which could be much higher.

With web app security in place, the goal is to prevent an attacker from gaining control of an app and obtaining easy access to the server, database and other back-end IT resources. However, as hackers find new ways to exploit web apps, it’s important for the security industry to outmaneuver them by quickly finding and fixing the vulnerabilities – before an incident occurs.

A hacker’s attraction to web apps

The simple architecture of web apps – including connectivity and hosting via browser-controlled environments – has made it possible for organizations and individuals to easily adopt them to transact business, conduct research, store information and collaborate online. Likewise, for IT teams, web apps can dramatically reduce resource requirements for endpoint devices, as the bulk of processing occurs on servers located at remote sites.

Yet, the simplicity driving the adoption of web apps is oftentimes the same reason why hackers are inclined to attack them. Part of the equation is that the ability to quickly spin up a web app has contributed to an increased number of vulnerabilities, as testing and quality assurance can often be an afterthought.

The other part of it is that web apps are usually connected to valuable data, including databases containing banking information and consumers’ personal identity data. Moreover, once a web app is compromised, an attacker can use that data to reap bigger rewards on the black market or in phishing scams to attack larger networks.

 Protecting data with integrated data

 The good news is that the most prevalent web app vulnerabilities can be easily detected with an automated scanner. Automated web app scanning enables IT teams to: discover and catalog all web apps within an organization, lower the total cost of operations by automating repeatable testing processes, ensure accuracy by effectively reducing false positives, and identify vulnerabilities early.

But what should you do when you detect a web app vulnerability? And how should you react to actual vulnerabilities and potential exploits?

That’s where web application firewalls (WAFs) have become a critical piece of the web app security puzzle. WAFs are capable of detecting, alerting and blocking known attacks on web apps. However, traditional WAFs are often thought to be too complex to set up and too difficult to manage.

Another piece of good news is that WAFs are evolving and those coming onto the market are providing more simplicity, flexibility and automation than ever before to protect the data and IT resources behind web apps. The industry is now seeing WAFs capable of automatically integrating scanning data to take on the mitigation of vulnerabilities.

Particularly advanced WAFs also have virtual patching capabilities, enabling IT teams to fine tune security policies, remove false positives and customize rules leveraging vulnerability data from automated scanners. This data provides insight into common web app vulnerabilities, like those outlined by the OWASP Top 10, as well critical zero-day exploits where customized patches are not readily available.

Overall, the skeleton key for achieving the best security posture lies within data – whether it be as broad as threat data shared within the industry, or as narrow as automated vulnerability data shared between a web application scanner and a web application firewall. For the latter, finding a WAF that leverages and integrates data automatically will put you ahead of the curve for web app security.