Qatar National Bank, a recent victim of data breach exposing over 1.4GB of customers' data, including full personal data and credit card information, suspects being compromised via SQL injection vulnerability. Later, the same hacking teamcompromised six more financial intuitions, using vulnerabilities in their websites and web applications. How many more will be hacked this week - is not yet clear.
On Saturday evening Pornhub, one of the largest adult websites, was compromised, and web shell access to it was put up on public sale. This happened just after Pornhub announced a bug bounty program, proving once again numerous pitfalls of bug bounties. In such a hostile climate for web applications, how should CISOs and their security teams respond to the growing threats of insecure web applications?
We can accept, avoid, mitigate or transfer the risks. In this article, we will analyze each of the four approaches to web application risk management.
The above-mentioned data breaches are just the tip of the iceberg, as much more successful attacks remain undetected or unreported. Today, when Advanced Persistent Threats (APT) starts at your website regardless of your company size and location, risk acceptance is no longer an acceptable strategy.
Unfortunately, today almost every company has various websites and web applications integrated into its core business processes. ERPs, CRMs, HRMs and many more vital systems are either web-based or at least provides a web interface. Even if the only web application you have is a static website, attackers will come after it to get your crown jewels. Therefore, risk avoidance is also no longer feasible.
First of all, you need to make a complete inventory of all your web applications. Often, companies get hacked via abandoned subdomains or web applications that nobody maintains anymore. A complete and up to date digital asset inventory is vitally important.
The second step to deal with is attack surface minimization. The easiest and at the same time the most reliable way to reduce attack surface, is to restrict access to your web applications in an appropriate manner. If a web application is designed for internal usage only, make sure it's unavailable from the outside. If some employees still need to access it from home or while traveling, you can whitelist VPN IPs, or add a client SSL certificate and 2FA authentication mechanisms. The less web applications are publicly exposed - the less problems you will experience in the future.
The third recommendation is proper maintenance of all web application software in use. Make sure that you have a continuous monitoring and patch management system in place. When zero-days for most popular web applications appear in public almost every day, you cannot rely on quarter vulnerability scanning anymore. The best approach is to setup a 24/7 automated vulnerability monitoring and complement it with manual or hybrid security testing to detect complicated security flaws that vulnerability scanners cannot.
Sign up for CIO Asia eNewsletters.