Strengthening web and mobile applications



Internet connectivity has become the cornerstone of business. During the Covid-19 pandemic, this connectivity allowed many organizations to remain operational even when their physical offices were closed under lockdown measures. Web storefronts benefited from the rise of e-commerce, and organizations accelerated digital transformation initiatives to make their business processes more transparent.

Organizations with highly integrated web and mobile apps have weathered the economic upheaval caused by the pandemic better than those with a less sophisticated online presence. But web applications are also an easy target for malicious actors looking to break into corporate networks, steal data and deploy ransomware.

A recent survey of global security decision makers conducted by analyst firm Forrester indicates that web applications are the most common vectors used by attackers to target computer systems. Improving application security capabilities and services over the next 12 months is the top priority for 28% of global security decision makers, according to the study.

Organizations need to protect internal applications, web applications, and external application programming interfaces (APIs) that connect internal applications to the outside world. They must prevent these external interfaces and web front-ends from being compromised, and if an attack is successful, a business continuity policy must be in place to determine the level of downtime acceptable to the business.

Secure coding

Too many websites require users to register a username and password. Although security professionals urge people to use a different password for every site, and web browsers can automatically generate and store strong passwords, many people still opt for passwords that are easy to remember, and will often reuse the same password to authenticate on multiple websites. As a result, the user’s password is not only easy to crack, but a hacker who obtains it can also try the same password against other sites.

OAuth-based sign-in is one of the approaches available to websites that want to offer authentication without requiring users to set up a new password. It relies on primary authentication by an identity provider such as Facebook or Google, but the cost of that convenience is that Google or Facebook will share some of the user’s information with the organization that manages the website.

The Open Web Application Security Project (OWASP) publishes a set of guidelines as part of its Application Security Verification Standard (ASVS). In its recommendations, OWASP advocates the latest secure user authentication methods, such as multi-factor authentication (MFA), biometrics or one-time passwords. Other recommendations include strong encryption to prevent data loss, access controls, and the sanitisation and validation of user-supplied content, such as data the user is expected to enter into an input field of a web or mobile application.

The standard states that web and mobile application developers must implement input validation checks. According to OWASP, 90% of all injection attacks occur because an application does not correctly verify its input data. Version 4.0.2 of the Application Security Verification Standard states: “Length and range checks can further reduce this problem.” Secure input validation needs to be built in during application architecture design sprints, coding, and unit and integration testing.

Application developers must therefore write code in a way that prevents malicious input data from being used as an attack vector. In an injection attack, carefully crafted data is used to trigger a fault that causes the application to run the data as if it were a program. Such an attack can be avoided if the programmer writes the software to validate its input against what it expects: if it expects a number, it should reject anything that isn’t one. Likewise, addresses and dates of birth have standard formats that can be verified.
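The validation approach described above, as an added example that is not part of the article or of OWASP’s own material: allowlist-style checks on type, length, format and range for a number, a name and a date of birth, with a whole-form validator that returns only recognised, properly typed fields. The field names, patterns and limits are illustrative assumptions.

```python
# Added example (not from the article or OWASP): allowlist-style input
# validation with type, length and range checks, in the spirit of the ASVS
# guidance quoted above. Field names, patterns and limits are illustrative
# assumptions, not values from any particular application.
import re
from datetime import date, datetime
from typing import Optional


class ValidationError(ValueError):
    """Raised when a field does not match what the application expects."""


# Constructed limits; a real application takes these from its data model.
MAX_NAME_LEN = 64
MAX_QUANTITY = 1000


def validate_quantity(raw: str) -> int:
    """Expect a small positive integer. Anything else, including injection
    payloads such as '1 OR 1=1', fails the format check before it is parsed."""
    s = raw.strip()
    if not re.fullmatch(r"[0-9]{1,4}", s):
        raise ValidationError("quantity must be 1 to 4 digits")
    n = int(s)
    if not 1 <= n <= MAX_QUANTITY:  # range check, as ASVS recommends
        raise ValidationError("quantity out of range")
    return n


def validate_name(raw: str) -> str:
    """Length check first, then an allowlist of characters; angle brackets,
    quotes and semicolons never reach the next layer."""
    s = raw.strip()
    if not 1 <= len(s) <= MAX_NAME_LEN:
        raise ValidationError("name must be 1 to %d characters" % MAX_NAME_LEN)
    if not re.fullmatch(r"[A-Za-z][A-Za-z' \-]*", s):
        raise ValidationError("name contains disallowed characters")
    return s


def validate_birth_date(raw: str, today: Optional[date] = None) -> date:
    """Dates of birth have a standard format (ISO 8601 here) and a plausible
    range: not in the future and not more than 130 years ago."""
    try:
        d = datetime.strptime(raw.strip(), "%Y-%m-%d").date()
    except ValueError:
        raise ValidationError("date of birth must be YYYY-MM-DD") from None
    today = today or date.today()
    if d > today or d.year < today.year - 130:
        raise ValidationError("date of birth out of plausible range")
    return d


def validate_order_form(form: dict) -> dict:
    """Validate a whole submitted form and return only the recognised fields,
    already converted to their proper types. Unknown fields are dropped."""
    return {
        "name": validate_name(form.get("name", "")),
        "quantity": validate_quantity(form.get("quantity", "")),
        "dob": validate_birth_date(form.get("dob", "")),
    }


def is_rejected(validator, value) -> bool:
    """Helper for checks: True when the validator refuses the value."""
    try:
        validator(value)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed form submissions: one well-formed, one carrying injection-style input.
    good = {"name": "Ann O'Neil", "quantity": "3", "dob": "1990-05-17", "extra": "ignored"}
    print(validate_order_form(good))
    bad = {"name": "<script>alert(1)</script>", "quantity": "1 OR 1=1", "dob": "17/05/1990"}
    for field, fn in (("name", validate_name), ("quantity", validate_quantity), ("dob", validate_birth_date)):
        print(field, "rejected" if is_rejected(fn, bad[field]) else "accepted")
```

The design point is that each validator converts as well as checks: downstream code receives an `int` or a `date`, never the raw string, so there is no later step at which the untrusted text could be interpreted as anything other than data. Validation is a first line of defence, not a substitute for parameterised queries and output encoding.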

One of the many challenges programmers face when trying to write secure code that prevents injection or buffer overflow attacks is that modern software development is highly heterogeneous. “If you really want to stop them, you have to make it impossible to write a buffer overflow or an injection attack,” says Owen Wright, general manager of insurance at Accenture.

Whereas most software used to be hand-coded, Wright says modern software development methods rely heavily on third-party frameworks, libraries and integration with cloud services. Those provided by large commercial vendors may have large teams dedicated to secure coding, he says, but “some well-used open source libraries are only maintained by one or two people, [and] everyone relies on them and assumes [they are] well maintained”.

Beyond coding, Wright notes that organizations are starting to take a “shift left” approach to security, where developers take more responsibility for producing secure code. “Developers aren’t trained with a security mindset – they’re developers first,” he says. “Organizations should focus more on security awareness.”

But there is a constant tension between speed, cost and quality. Wright believes that moving to a DevSecOps model for software projects encourages developers to fix problematic code sooner than they would if they relied on a penetration test once the application had been delivered. This is one of the principles behind transferring responsibility for secure coding to the developer.

In Wright’s experience, this costs much less than fixing security errors later in the software development lifecycle. He suggests organizations create templates to secure applications that can then be deployed on subsequent projects.

Protect web applications

Application layer attacks, also known as Layer 7 or L7 attacks, attempt to overload servers by continuously sending legitimate HTTP requests.

According to internet infrastructure giant Cloudflare, the underlying efficiency of most distributed denial of service (DDoS) attacks comes from the disparity between the resources needed to launch an attack and the resources needed to absorb or mitigate it. The company says an application layer attack does more damage with less total bandwidth.

For example, if a user wants to access a web service, such as Gmail, or perform a web transaction on an e-commerce site, the server receives a request from the client software running on the user’s browser or device and must then make a database query or call an API to fulfill the user’s request.

Cloudflare notes that a denial of service attack takes advantage of the fact that the server’s capacity to carry out this work becomes the bottleneck when many devices target a single web property. “The effect can overwhelm the targeted server. In many cases, it is enough to target an API with a Layer 7 attack to take the service offline,” it warns in an article on application-level security.
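Because a Layer 7 flood is made of individually well-formed requests, detecting it means looking at rate and cost rather than at any single request. The following is an added example, not code from the article or from Cloudflare: a sliding-window detector run over constructed access-log lines that flags clients sending too many requests to endpoints that each trigger a database query or API call. The log format, the set of “expensive” paths, the window and the threshold are all assumptions.

```python
# Added example (not from the article or Cloudflare): sliding-window detection
# of Layer 7 request floods against expensive endpoints, over constructed
# access-log lines. Format, endpoint list, window and threshold are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a combined-log-like format (not real traffic).
# 203.0.113.7 hammers /api/search; 198.51.100.2 is an ordinary user.
SAMPLE_LOG = """\
198.51.100.2 - - [10/Oct/2020:13:55:30 +0000] "GET /static/app.js HTTP/1.1" 200 9000
198.51.100.2 - - [10/Oct/2020:13:55:30 +0000] "POST /api/search HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "POST /api/search HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "POST /api/search HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:37 +0000] "POST /api/search HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:37 +0000] "POST /api/search HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:38 +0000] "POST /api/search HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:38 +0000] "POST /api/search HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:39 +0000] "POST /api/search HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "POST /api/search HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2020:13:56:10 +0000] "POST /api/search HTTP/1.1" 200 512
this line is not in the expected format
198.51.100.2 - - [10/Oct/2020:13:56:50 +0000] "GET /api/checkout HTTP/1.1" 200 700
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Assumed: endpoints that cost the server a database query or upstream API call.
EXPENSIVE_PATHS = {"/api/search", "/api/checkout"}
WINDOW = timedelta(seconds=10)
THRESHOLD = 5  # expensive requests per client allowed within one window


def parse_line(line):
    """Return (ip, timestamp, path) for a well-formed line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]


def detect_floods(log_text):
    """Return {ip: peak_count} for clients whose count of expensive requests
    inside any WINDOW-long interval exceeds THRESHOLD."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in EXPENSIVE_PATHS:
            per_ip[parsed[0]].append(parsed[1])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within WINDOW of t.
            while t - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > THRESHOLD:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in detect_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} expensive requests within {WINDOW.seconds}s")
```

Counting only expensive paths is what separates this from a plain request-rate limit: the static asset request is ignored, and the ordinary user’s three searches spread over more than a minute never exceed the threshold, while the flood of eight searches in four seconds is flagged even though every request returned HTTP 200. In production the same logic belongs in the WAF or edge layer, where it can feed a rate-limiting or challenge action rather than a printed report.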

Gartner’s Magic Quadrant for Web Application Firewalls report, released in October 2020, predicts that by 2023 more than 30% of public-facing web applications and APIs will be protected by cloud web application and API protection (WAAP) services. By 2024, Gartner expects most organizations implementing multicloud strategies for production web applications to use only cloud WAAP services.

Public cloud WAF

Gartner’s Magic Quadrant for Web Application Firewalls report names Akamai and Imperva as “leaders” in web application firewalls (WAFs).

Cloudflare, Fortinet, F5 and Barracuda make up Gartner’s “challenger” quadrant. Along with the two leaders, these companies tend to be on the shortlist when IT decision makers consider their options in the WAF market.

DDoS protection service provider Radware and WAF startup Signal Sciences make up Gartner’s “visionary” quadrant, which recognizes innovative use of technology in their product offerings. Gartner notes that Radware uses machine learning in its web application firewall to combat threats, while Signal Sciences is focused on securing cloud-native applications.

Public cloud providers also offer web application firewall functionality as part of their platforms. However, Microsoft Azure and Amazon Web Services (AWS) are considered “niche” players by Gartner.

For example, the Magic Quadrant report notes that AWS WAF provides basic bot protection through its managed rule set and the infrastructure protection capability provided by AWS. However, the report’s authors caution that AWS WAF lacks many of the advanced, application-specific bot protection features found in competing products, such as device fingerprinting, user behavior detection and JavaScript challenges.

Looking at Microsoft’s offering, Gartner says Azure WAF is now available in more Azure regions. The report highlights Microsoft’s work to integrate Azure WAF with other Azure services. As an example, Gartner notes that Azure WAF now integrates natively with the Azure Kubernetes Service ingress controller for microservice protection, can send events to Microsoft’s Azure Sentinel for integrated monitoring, and makes better use of Microsoft’s technical infrastructure to block known bots.

The Gartner report also mentions new features in Google’s Cloud Armor WAF and DDoS mitigation service, available on Google Cloud Platform (GCP). The report’s authors say Google has added “useful features” such as IP address lists and geo-IP filtering, pre-defined rules for blocking cross-site scripting (XSS) and SQL injection (SQLi), and custom rule creation. According to Gartner, Google is showing signs of a willingness to expand its capabilities.

