The average organisation today uses as many as 765 web applications. Even though IT teams consider many of these applications mission critical, 38 percent of IT professionals have little confidence in knowing where all the applications are in their organisation, a new report from F5 Labs has revealed.
Earlier this year, a survey carried out by Ponemon Institute revealed that over half of IT professionals feared that their applications could have been breached, but had no way to confirm it because they lacked visibility into their “apps in the wild”. Such a lack of visibility could be critical, considering that the compromise of a web application could result in decreased productivity, loss of revenue, or loss of customers.
At the same time, a compromised application could also result in loss of reputation, loss of enterprise data or trade secrets, loss of competitive advantage, regulatory fines or lawsuits, failure of an audit, or security professionals losing their jobs for not being able to prevent a breach.
To increase their effectiveness and productivity, cut unnecessary losses, and adhere to strict timelines, hundreds of thousands of organisations are now using hundreds of web applications for various purposes, be it handling business data, storing PII of customers, managing and collaborating on documents, maintaining backup and storage, or communications such as email. As such, web applications are now indispensable for the effective functioning of an organisation.
Web applications are far from being secure
However, while they are beneficial in many ways, web applications are also vulnerable to external access and need to be secured at all times to prevent hackers from stealing proprietary or customer data or disrupting operations. According to F5 Labs, a compromised web application could lead to denial of service, breach of confidential or sensitive information, the loss of personally identifiable information (PII) of customers, consumers, and employees, and application tampering.
According to the firm, cyber criminals are increasingly targeting web applications with SQL injections and other injection attacks to steal customer payment card information. The tactic is so popular among criminals that web injections to steal payment card information constituted 70 percent of all data breaches in Q1, with 23 percent of them being SQL injections.
Cyber criminals are also regularly hacking into web applications by stealing credentials from compromised emails, exploiting access control misconfiguration, carrying out brute-force attacks to crack passwords, and obtaining passwords through social engineering.
Yet another major reason behind the vulnerability of web applications to cyber threats is the widespread reliance on SSL/TLS encryption even where the certificates in use are old and "broken" and vulnerable to man-in-the-middle attacks. The use of self-signed certificates by 47 percent of organisations also reduces the trustworthiness of their applications.
Organisations woefully unprepared to secure web apps
According to a survey of over 3,135 senior IT professionals in the US, UK, Germany, Canada, Brazil, China, and India, carried out by Ponemon Institute and incorporated by F5 Labs in its report, the professionals considered 34 percent of their web applications to be mission critical, yet 38 percent of them said they had “no confidence” in knowing where all the applications were in their organisation.
Knowledge of the application infrastructure needs to be optimal, considering that IT teams will never be able to secure all of their web applications unless they know how many applications their organisation uses or where such apps are located. In reality, fewer than half of IT professionals know about all their web applications, and in the UK only 32 percent of IT professionals know about them.
"Applications have always been the Achilles’ Heel of organisations. Today, almost every company, organisation or government uses web, mobile and IoT applications to process business-critical data, including PII, financial and health records, and even elections' data. Attackers don’t need to run sophisticated APTs leveraging chained exploitation of 0days to get into internal networks anymore," says Ilia Kolochenko, CEO of web security company High-Tech Bridge.
"Application security strategy should start with holistic and comprehensive application discovery and inventory. You cannot protect what you don’t know. Once you have all your applications identified, try to reduce the external attackable surface as much as practical: remove applications from the Internet if there is no need to access them from the outside, or alternatively add 2FA and strong authentication.
"This will eliminate the vast majority of application risks. For the remaining apps - use continuous security monitoring and testing with agile remediation. Keep in mind that in 2018 application security is a 24/7 process, not a quarterly web app scan for the sake of PCI compliance," he adds.