According to the latest Verizon Data Breach Investigations Report, cyber-attacks are on the rise. The cat-and-mouse game between attackers and the defenders of corporate web applications never stops: as soon as the defenders build a better mousetrap, the attackers breed a better mouse. New threats arise constantly, and every company should focus on keeping its cyber security up to date.
A recent survey of 350 European companies conducted by Lloyd's of London found that 9 out of 10 had suffered a significant cyber-attack in the last five years. It is no secret that a single attack can irreparably damage a company's reputation and finances through an extremely expensive recovery process. Worse, recovery is not always possible, especially for small and medium-sized companies: the U.S. National Cyber Security Alliance found that 60 percent of small companies go out of business within six months of a cyber-attack.
Today we want to give you five simple steps to strengthen your web application security and minimize the risk of a successful attack:
Know Your Enemy
Knowledge is power. If you understand the web application security flaws that attackers most commonly exploit, you can take the countermeasures needed to close each vulnerable entry point. We suggest starting with the OWASP Top 10 project, whose goal is to raise awareness about application security by identifying the most critical risks facing organizations. The OWASP Top 10 document explains each category of vulnerability, how it is exploited and how to prevent it.
Follow Best Practices
If you plan to improve the security of your web application yourself, start with the protections already built into the framework you chose to build it with. Most mature web frameworks ship with features that mitigate the major vulnerability classes, such as parameterized database access, automatic output encoding and CSRF tokens. Avoid writing your own security code unless it is strictly necessary, and always prefer well-known, vetted code whenever possible.
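The following is an added example, not code from the original article, that shows why the advice above matters. It contrasts a hand-built SQL query (the kind of "own security code" to avoid) with the parameterized query facility every database driver and framework already provides. The in-memory SQLite database, the user table and the classic `' OR '1'='1` payload are constructed for the demonstration; the plaintext password column is only there to keep the example short and is not a recommended practice.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password for brevity only; real applications store a salted hash
    # produced by the framework's password helper.
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hand-built query: user input is pasted into the SQL text, so it is
    parsed as SQL. This is the OWASP 'Injection' category."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query supplied by the driver: the values are bound as data
    and can never change the structure of the statement."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Run both variants against a legitimate login and an injection payload."""
    conn = setup_db()
    payload = "' OR '1'='1"  # constructed attacker input
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, "anyone", payload),
        "bypass_safe": login_safe(conn, "anyone", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload as the password, the hand-built query becomes `... WHERE username = 'anyone' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable function grants access to an attacker who knows no credentials. The parameterized version compares the literal string `' OR '1'='1` against the stored password and correctly refuses.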
Fortify Your Infrastructure
One of the most common mistakes companies make is failing to secure the entire infrastructure the web application is built upon. Remember that a chain is only as strong as its weakest link, and an attacker will scan most of those links. A server hardening process is therefore necessary to secure the layers beneath the web application: the operating system, the web server, the database and the network services around them. Wizlynx group strongly recommends the CIS Benchmarks, consensus-based security configuration guides developed and accepted by government, business, industry and academia.

Another way to strengthen your infrastructure is to deploy a Web Application Firewall (WAF) in front of your web application. A WAF blocks many known attack patterns and can catch some previously unseen ones (zero-day attacks) through anomaly-based rules, so it adds a valuable layer of defence, but it does not replace fixing the vulnerabilities in the application itself.
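As an added example of what a hardening check looks like in practice (this is not code from the article or from CIS), the script below parses an OpenSSH `sshd_config` and compares a handful of settings against the values a hardened host should have. The five settings are my own selection of SSH items that appear in the CIS Linux benchmarks; the real benchmark for your platform is the authoritative list and is much longer. The two configuration files are constructed inline: one weak, one hardened.

```python
# Expected values for a small selection of sshd_config keywords, taken from
# recommendations found in CIS Linux benchmarks (assumed subset; consult the
# benchmark for your distribution for the complete, authoritative set).
EXPECTED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",      # benchmark: 4 or less
    "loglevel": "info",
}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword: value} for the first occurrence of each keyword.
    sshd itself uses the first value it reads for a keyword, so a hardened
    line placed *below* a weak one would not take effect."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def check_hardening(text: str) -> list:
    """Return a list of (keyword, observed, expected) findings; empty means pass.
    A keyword that is absent is reported too, because the daemon default then
    applies and the benchmark wants the value set explicitly."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append((key, "missing (sshd default applies)", want))
        elif key == "maxauthtries":
            if not got.isdigit() or int(got) > int(want):
                findings.append((key, got, "<= " + want))
        elif got.lower() != want:
            findings.append((key, got, want))
    return findings


# Constructed sample: a typical unhardened configuration.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 6
PasswordAuthentication yes
"""

# Constructed sample: the same host after applying the selected settings.
HARDENED_CONFIG = """\
Port 22
LogLevel INFO          # explicit, benchmark-recommended value
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(check_hardening(cfg))} finding(s)")
        for key, got, want in check_hardening(cfg):
            print(f"  {key}: found '{got}', expected '{want}'")
```

The weak file produces five findings (two settings that are wrong, one that is too permissive and two that are absent), the hardened file none. On a real host you would read `/etc/ssh/sshd_config` with this parser and run the check as part of a build pipeline or a scheduled compliance job, then extend `EXPECTED` keyword by keyword as you work through the benchmark.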
Increase Security Awareness Inside Your Company
One of the greatest threats to information security can come from within your company, and we are not talking about malicious insiders but about well-meaning, uninformed employees. They can harm your company by logging into your web application from a malware-infected device or by storing their credentials in an unsecured location. One way to increase the security of your web application is therefore to carefully instruct the people who will use it. If the application is open to the public, training the end users may be difficult, but you can (and should) at least train your web application administrators.

One of the best ways to make sure employees do not make costly mistakes with information security is to institute company-wide security-awareness training. Such training should cover all aspects of security, and accessing and using corporate web applications should be one of the topics. A well-designed security-awareness programme helps ensure that employees have a solid understanding of company security policy, procedures and best practices.
Reevaluate your Web Application Security on a Frequent Basis
As mentioned at the beginning of this article, new threats arise constantly and new countermeasures must be taken to stay protected. It is therefore imperative that your web application undergoes frequent security evaluations so that new vulnerabilities are found and fixed as soon as possible. A good rule of thumb is to reevaluate your application at least once a year, and additionally after any significant change to the application or its infrastructure.

Many tools can automate parts of vulnerability discovery, but such a delicate subject is normally handled by professionals. Cyber security companies offer several services to uncover the flaws in your web application, such as:
- Penetration Test – A hybrid methodology combining automated and manual testing, in which security professionals attempt to break into your application and identify its vulnerabilities before cybercriminals do.
- Secure Code Review – Analysis of your application's source code, which reveals vulnerabilities that black-box testing alone would not find. This service is therefore complementary to a penetration test.
Staying on top of web application security is an ongoing challenge; it can be expensive and time-consuming, and no set of measures will ever make an application 100% bulletproof. But make no mistake: everything that helps your company survive a cyber-attack is worth the effort. As Benjamin Franklin put it, "By failing to prepare, you are preparing to fail."
Wizlynx group has long-standing experience in developing, protecting and assessing web applications. Contact us if you want advice on improving the security posture of your corporate web apps!
Cyber Security Analyst @ wizlynx group