Almost 3 terabytes of data stolen in the Panama Gate scandal will shortly become searchable online. Mossack Fonseca, the breached legal firm behind one of the largest data leaks in history, had numerous high-risk vulnerabilities in its front-end web applications, including its Client Information Portal. In practice, few hacking groups will spend money on expensive zero-days and complicated APTs when the same information can be stolen far more easily through insecure web applications. Moreover, even if your corporate website doesn't contain a single byte of sensitive data, it is still a perfect foothold for getting into your corporate network.
Today many people, including cybersecurity professionals, underestimate the importance of web application security, focusing their attention instead on APT detection, enterprise immune systems and other activities that only apply when it is already "too late" to prevent the breach. A common-sense approach suggests that before installing expensive anti-burglar equipment and an alarm system in a house, the owner should first close the doors and the windows and probably build a fence around it; otherwise the money is thrown down the drain. Let's have a look at the five most common myths about web application security that exist today, leading to sensational data breaches, huge financial losses and CISO dismissals:
Protection of corporate crown jewels is more important than web apps
No, you cannot secure one part of your network and ignore another. Information security must be comprehensive and holistic: you must analyze all threats, vulnerabilities and thus attack vectors together, as a whole. Today, no cybercriminal will try to steal your crown jewels directly from wherever they are [securely] stored.
Breaking in via your web applications, combined with spear phishing, will probably be one of the cheapest, most reliable and quietest ways to get into your corporate network and bypass your defense-in-depth. When you perform a risk assessment, think like a professional cybercriminal: keep the cost and time spent [on the attack] as low as possible. When you are mapping attack vectors and vulnerabilities, the more external people that can join your brainstorming session, including law enforcement agencies and victims of data breaches from your industry, the better.
My web applications are secure - I am PCI compliant
No, even if you have successfully passed your last PCI DSS compliance audit, it can never replace a holistic risk assessment and a common-sense approach to security. Even though PCI DSS 3.2 now requires multi-factor authentication for access to the Cardholder Data Environment (CDE), this does not mean that only the web applications within the CDE scope need to be properly protected. A vulnerable subdomain, spear phishing and a $10,000 exploit pack can lead to the compromise of your technical team's machines, opening any door inside your company network, including the CDE scope (if the victim's machine is backdoored, even 2FA can easily be intercepted and compromised).