Following on from our earlier article on how businesses are attacked, here are the five most common reasons why almost any website or web application today can be so easily compromised:
1. Underestimation of risks and threats related to insecure web applications
Many large companies and international organisations still seriously underestimate the value of their web applications, and treat their security as the lowest priority in their risk management. And I am not even speaking about complicated Server-Side Request Forgery (SSRF) or application logic flaws, but merely about proper detection and remediation of Open Web Application Security Project (OWASP) Top Ten vulnerabilities. As we saw in the previous article, companies just don’t realise that a vulnerable website is a perfect vector for starting an Advanced Persistent Threat (APT) without spending much money on it.
2. Lack of continuous monitoring
Web technologies are constantly evolving, and what is secure today may become vulnerable tonight. Therefore, a quarterly scan and annual penetration (pen) test to achieve PCI DSS compliance is not enough anymore to stay ahead of hackers. Many companies do not perceive web application security as a continuous process, but rather as a one-time audit, putting their web infrastructure and related back-end at critical risk.
3. Missing or poorly-implemented Secure Software Development Life Cycle (S-SDLC)
In spite of the plethora of guidelines and standards for secure software development in existence, many companies still ignore them due to their high complexity or the expense of implementation. The situation is even worse in companies where software development teams have existed for years – any change to well-established [but insecure] procedures will be met with hostility, as nobody wants to spend additional time on software security if they’re not specifically paid to do it.
4. Dominance of business needs over security processes
Data breaches via insecure web applications regularly occur even in companies where S-SDLC is mature and well integrated into the company’s daily business processes. The consequences of the financial crisis of 2009 are still here – many companies suffer from sluggish demand and very tough global competition. Often the business requires a new feature to be done in a few hours on a Friday evening to outperform a competitor – of course, security is forgotten when such pressure occurs. Nevertheless, it’s the business that pays the salaries of developers and information security staff, and it’s always the business that has the last word. However, it's also the business that should be ready to take responsibility for a new data breach and its related costs.
5. Ignorance of third-party risks
Many companies are starting to introduce thorough security and compliance guidelines for their third-party suppliers and partners; however, they often fail to ensure those guidelines are applied to web application security. As a result, attackers can compromise the website of your long-time supplier, consultant or partner, and instead of hosting malware on your website they host it on a trusted partner’s website, achieving the same result in the end.
Jan Schreuder, partner and cybersecurity leader at PwC Switzerland, says: "Recently we've seen many organisations attacked through sophisticated cyber-attacks on their supply chain partners. With global supply chains becoming more and more digital and interconnected, establishing trust in your supply chain is becoming more challenging all the time."
Just as paying for an anti-smoking patch is much cheaper and less dramatic than spending a six-digit amount on cancer treatment, spending on preventive web application security is much more cost-effective and less painful than paying for APT forensics. Therefore, if you are currently finalising your cybersecurity budget for 2016, don’t forget about your web application security, and look deeper than just a vulnerability scan.
About the author
Ilia Kolochenko is CEO of information security and computer forensics company High-Tech Bridge. Prior to establishing High-Tech Bridge in 2007, Ilia worked as an IT security expert and manager with various financial institutions in Switzerland, including the World Bank, implementing complex IT security projects.