The application threat vector is one of the most vulnerable yet least understood. Put simply, web applications are things like webmail, online forms, banking sites, shopping site, etc. These sites support complex user input scenarios and are usually completely exposed to the public. They are sometimes written with insecure code or developed in such a way that there are vulnerabilities inside the code. As such, these applications can be difficult to defend.
The Open Web Application Security Project, or OWASP, is one of the premier organizations focusing on applications and software security today. Every few years, OWASP will publish a list of the top 10 web application security risks worldwide. There is a new list being prepared for 2017, but here is the most recent list, from 2013:
o Broken authentication and session management
o Cross-site scripting (XSS)
o Insecure direct object references
o Security misconfiguration
o Sensitive data exposure
o Missing function level access control
o Cross-site request forgery (CSRF)
o Using components with known vulnerabilities
o Unvalidated redirects and forwards
Even technology professionals have a difficult time understanding these threats. If you're not a developer, you're probably not familiar with what this list really means.
Put simply, externally accessible web sites can be a potential method for accessing your data or penetrating your network. Additionally, attackers who have control of your site could use it to distribute ransomware to their victims, putting your organization's brand and reputation at risk. Your web distribution channel would also be at risk of being blacklisted by the security community.
There are two complementary methods for protecting your web properties from being exploited. The first is good software development practices like those referenced in this OWASP document (pdf). The other is the deployment and secure configuration of a Web Application Firewall. Professional developers strive to write fully secure code, but we know from experience that even the most skilled and careful professionals can make mistakes. The additional layer of protection afforded by modern WAF technology can prevent the attacker from exploiting your internet presence for their nefarious purposes.
In our next post, we'll talk about what to do when your defenses fail and ransomware infects your network.
If you’d like to know more about defending yourself from ransomware and other threats, visit these resources:
To view all posts in this series, click here.