With this year’s attacks on Colonial Pipeline and Kaseya, ransomware and its impact on infrastructure have come to the forefront of US political consciousness. These cyber attacks have harmed the public, prompting a response from the White House.
The response has been followed more recently by memoranda from NIST and the Office of Management and Budget (OMB) clarifying definitions, procedures and timelines for the national security effort. Cybersecurity teams should not confuse monitoring this plan with full protection against risk; there is a significant threat that is not addressed by the government’s response.
Here’s why: The OMB is directing government organizations to focus on stand-alone systems connected to critical infrastructure or sensitive information, but neglects one key area: web applications that the private sector has relied on to run its business for years. Web applications are often deeply integrated and widely accessible within enterprises, challenging the well-defined security boundaries of stand-alone systems targeted by the OMB. Neglecting the security of web applications therefore overlooks an important area of cyber risk for businesses.
Forrester concludes that web applications are the most widely used attack vector for breaches, but breaches generally do not come from new attacks. Data breaches typically stem from well-understood vulnerabilities (and corresponding exploits) that organizations have failed to address. Some breaches are the result of simple accidents or negligence, such as exposed databases. So it is clear that in addition to securing the systems specified by the OMB, companies need to secure their web applications and web assets through comprehensive discovery and continuous vulnerability scanning.
Organizations need to discover every web application they use
Medium to large businesses can have hundreds of web applications and web assets in production. Since something as simple as an unpatched mail server or an exposed database can lead to significant data breaches or loss of systems control, businesses need to secure all of their web applications. But with increasingly limited development and security resources, what should a business prioritize?
The first step is to determine what applications exist. For organizations, this means discovering all web assets, including those that may have been lost, forgotten or unofficially deployed by citizen developers. Once an organization identifies each exposed web application, it can assess each of them to determine the security risk represented by each application and prioritize remediation plans accordingly.
Businesses can discover their web applications and assets through two types of analytics:
- exploration of the web space to discover publicly exposed web resources associated with corporate domains; and
- analysis of web applications, web services and web APIs, including proprietary, open source and third-party code.
Together, these analyses provide a basis on which security professionals can assess risk and develop remediation plans.
Shift security to the left
By shifting security to the left, organizations can detect vulnerabilities at the earliest possible stage in the software development lifecycle before applications reach production. Detecting vulnerabilities as early as possible can avoid production delays, costly redevelopment cycles, and can contribute to a necessary shift towards secure coding practices.
The pressure to innovate can counteract the pressure to maintain security. A May 2021 study conducted by Osterman Research showed that 89% of developers knowingly released insecure code at least some of the time. Third-party components, increasingly used by developers, can also introduce vulnerabilities. According to a recent report from Synopsys, up to 91% of modern software contains open source components and 75% of code bases contain at least one open source vulnerability. Some of these vulnerabilities are simply software flaws, while others can be Trojans planted by hackers.
Security professionals should analyze code and components during development to find vulnerabilities early. This includes not only the code, but also the system configurations, versions and patch levels of technologies, frameworks and libraries associated with the software. Once detected and quantified, vulnerability data can be combined with the list of applications and assets discovered to create a priority list for remediation.
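The last step above, combining scan findings with the discovered asset list into a priority list, is illustrated here with an added example that is not part of the original article. The hosts, findings, and risk weights are constructed sample data; the scoring rule (CVSS scaled by exposure and data sensitivity, with scanner-observed hosts missing from the inventory flagged as discovery gaps) is an assumption chosen for the illustration.

```python
"""Rank remediation work by joining a discovered asset inventory with scanner
findings. Added illustration: every host, score and finding is constructed."""
from collections import defaultdict

# Assumed weights: the same CVSS score matters more on an internet-facing
# application that handles sensitive data than on an internal, public-data one.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.8, "internal": 0.5}
SENSITIVITY_WEIGHT = {"pii": 1.0, "financial": 1.0, "internal": 0.7, "public": 0.4}

# Constructed inventory from the two discovery passes described in the text.
# survey.example.com stands in for an app deployed by a citizen developer.
ASSETS = [
    {"host": "shop.example.com", "exposure": "internet", "sensitivity": "financial", "owner": "payments"},
    {"host": "wiki.corp.example.com", "exposure": "internal", "sensitivity": "internal", "owner": "it"},
    {"host": "survey.example.com", "exposure": "internet", "sensitivity": "pii", "owner": None},
]

# Constructed scanner output: (host, component, cvss, title).
# legacy.example.com was seen by the scanner but is absent from the inventory.
FINDINGS = [
    ("shop.example.com", "libfoo 1.2", 7.5, "SQL injection in search"),
    ("shop.example.com", "nginx config", 4.3, "Missing security headers"),
    ("wiki.corp.example.com", "wiki-engine 3.0", 9.8, "Unauthenticated RCE"),
    ("survey.example.com", "form-lib 0.9", 6.1, "Reflected XSS"),
    ("legacy.example.com", "mail-server 2.1", 8.8, "Outdated build with known CVE"),
]

def prioritize(assets, findings):
    """Return remediation items sorted by descending risk score.
    Hosts unknown to the inventory are ranked as fully exposed and sensitive,
    because an unowned, unassessed asset is itself the risk to fix first."""
    by_host = {a["host"]: a for a in assets}
    worst = defaultdict(lambda: (0.0, ""))  # host -> (highest cvss, detail)
    for host, component, cvss, title in findings:
        if cvss > worst[host][0]:
            worst[host] = (cvss, f"{title} ({component})")
    items = []
    for host, (cvss, detail) in worst.items():
        asset = by_host.get(host)
        if asset is None:
            score, note = cvss, "unknown asset: not in inventory"
        else:
            score = cvss * EXPOSURE_WEIGHT[asset["exposure"]] * SENSITIVITY_WEIGHT[asset["sensitivity"]]
            note = "no owner on record" if asset["owner"] is None else f"owner={asset['owner']}"
        items.append({"host": host, "score": round(score, 2), "finding": detail, "note": note})
    return sorted(items, key=lambda i: (-i["score"], i["host"]))

if __name__ == "__main__":
    for item in prioritize(ASSETS, FINDINGS):
        print(f"{item['score']:5.2f}  {item['host']:24} {item['finding']}  [{item['note']}]")
```

In the sample data the uninventoried host ranks first even though the internal wiki carries the highest raw CVSS, which is the point of feeding discovery results into the ranking rather than sorting findings by severity alone.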
Shift security to the right
In recent years, companies have invested heavily in evolving their security, but the proportion of breaches to the number of websites has remained constant over the past decade. Part of the reason is that not all web applications and assets used in a business go through its internal development pipelines. To complement shift-left strategies, companies also need to analyze their web applications and web assets where the rubber meets the road: in production.
Penetration testing services, along with various application security test scanners such as SAST, DAST and IAST, enable security professionals to analyze applications in production and test for vulnerabilities from the perspective of an outside attacker. Some even combine their scan with an internal software agent, allowing the scanner to test unlinked or hidden pages and files. As scanners crawl through web application pages and resources, they can test for a wide range of vulnerabilities such as SQL injection and cross-site scripting (XSS).
Scan apps continuously
The White House recommends testing the security of a system with penetration testing. With the speed at which web applications evolve in DevOps environments and the ease with which an integrated third-party application can be changed, a penetration test report can become out of date within hours of its completion. Companies need to define a policy to continuously analyze all their applications in development, QA and production, to keep abreast of changes in their attack surface and to implement security hardening in a timely manner.
This is just the beginning
The security efforts led by the White House are an important step towards securing infrastructure and sensitive data nationwide, but we must remember that this is only the start of a long road.
Companies that follow government guidelines to the letter without considering other angles of attack will find themselves vulnerable to increasingly sophisticated attacks from criminals and state-sponsored hackers. To fully maximize security and minimize risk, businesses need to go beyond national guidelines to understand their risks and constantly work to stay ahead of their adversaries.