by Joe Stangarone, writer, MRC’s Cup of Joe Blog, April 19, 2016
Summary: As security breaches rise, enterprise web application security is an increasingly important topic. You must stay ahead of evolving security trends in order to keep your data and applications safe. How will web application security evolve in the coming year? What web application security threats can we expect in the near future? In this article, we explore web application security trends of the near future and explain why they’re important.
Security breaches are on the rise. Sensitive data gets compromised on a seemingly daily basis. These breaches create negative publicity, and lead to huge financial losses.
Can you guess which aspect of your business systems hackers target the most? As mentioned in this article: “According to numerous studies, the preferred method for attacking businesses’ online assets is via their Web applications.” What’s worse, a recent report found that over half of all web applications suffer from commonly known vulnerabilities.
As more data moves to the web, and businesses create more web applications, this threat is only increasing. How can you protect your business applications?
The first step: Recognize the risks, and stay ahead of the curve. Understand where web application security is now, and where it’s heading. Do you know what application security threats we can expect in the near future? Do you know how web application security evolving?
Today, let’s answer these questions. While the list could certainly be longer, here are 5 important trends in web application security to watch for in the near future.
1. Increased application demand leads to vulnerable applications
In a recent article, we examined an unsettling fact: Most business applications still suffer from commonly-known security flaws. We’re not talking about new vulnerabilities. We’re talking about commonly recognized–and easily fixable–security flaws that businesses have known about for over a decade.
What’s more, these threats can create irreparable damage to a business.
Why? We explored a few reasons in the article mentioned above, but there’s one overriding issue. There’s an increasing demand for new business applications–a trend that will only grow. More and more, the demand outpaces the organization’s ability to create them.
As a result, we’re seeing two things happen. First, we have an increased number of new developers, rushing to meet project deadlines. In the struggle to meet these deadlines, security suffers.
Second, we have more development outsourced. As explained below, this becomes a problem when the outsourcing firm doesn’t understand the organization’s security needs.
2. Unsanctioned cloud apps create a larger security risk
Another problem created by the growing application demand: Shadow IT. Now, this isn’t a new trend, but it is on the rise. As its growth continues, we can expect it to greatly impact security.
What’s happening? End users are bypassing the IT department in favor of third-party, cloud-based solutions. Rather than waiting around for a solution from IT, they can now pull out a credit card and get up and running that day.
While this sounds great from a business user perspective, it creates a problem. This practice takes company data outside of the IT department’s control. When employees purchase and use third-party solutions, IT cannot manage and secure the data. Worse yet, they cannot evaluate the solution’s security.
What can you do about it? We won’t get into all the details here, as we covered a few ways to address Shadow IT in a previous article. But, do not ignore the problem. As explained below, it’s running rampant, and will continue to grow worse.
3. Stolen credential attacks rise
As people place more and more of their information online, stolen credential attacks are on the rise. Why is this so important? Stolen credential attacks can completely nullify all of your security efforts.
How so? As you know, many users have awful security habits. They reuse their login credentials across many sites. So, if a hacker gets a hold of one of your user’s credentials for one site, chances are good that they can access other applications as well.
“For many years, attackers have employed tricks such as cross-site scripting (XSS) and SQL injection (SQLI) to attack web sites,” says Mark Huss, senior consultant at SystemExperts. “Although these still are in regular use, the landscape is changing; stolen credentials now account for over half of all web attacks. This is an understandable progression – why fight to come up with a clever injection attack when credentials and credit card information are available in mass quantity, and cheaply? In addition, web browsers are getting better at defending against scripting attacks, and long-time targets such as Adobe Flash are falling out of favor.”
4. Two-factor authentication becomes a must in the enterprise
One way to fight the stolen credential attack: Set up two-factor authentication on your business applications. What is it? I’ll briefly explain the concept here, but you can read more about two-factor authentication in this article.
In short, it adds a second level of security to an account login. Rather than identifying a user with a single factor (username/password), it adds a second identification factor to the login process–usually a pin number delivered via sms to the user’s mobile device. It’s designed to maintain security, even if a user’s login credentials are compromised.
Now, two-factor authentication is not a new trend. It’s already used in popular web services like Gmail, Twitter, Linkedin, etc… However, it’s sparsely used in the business world. But, with the rise of security breaches, two-factor authentication is quickly becoming a must-have in the business world.
5. The security skills gap drives the growth of third-party tools
Businesses often approach security with a false assumption. They assume that their developers understand security, and will build it into their applications.
Now, that’s true to an extent. A developer will understand the security basics. But, you can’t assume your developers are security experts. Their job centers around developing applications – often with a tight deadline.
Can they possibly compete with hackers who spend their days trying to attack web applications? Of course not.
The fact is, we’re facing a security skills gap. Most companies do not have the personnel in-house to create truly secure applications. As security breaches increase, we’ll see more and more businesses turn to third party tools to bridge this gap.
These are just 5 trends in web application security, but the list could certainly be much longer. If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.
Founded in 1994, SystemExperts is a premier boutique provider of IT compliance and cyber security consulting services. We help clients see the big picture and design solutions to meet their comprehensive security needs. We are dedicated to providing unmatched personal attention, distilling problems to their root causes and recommending what’s appropriate for our clients. We have built our reputation on providing practical, effective IT security solutions for securing enterprise computing infrastructures.