As organizations move their operations to web and cloud-based environments, where cyber threats are expanding in scale and sophistication, web application security has become a business planning necessity. But it can be challenging – and even daunting – to create a sustainable, economical, and effective web application security plan from scratch without a clear idea of where to start.
What is web application security? In essence, web application security refers to the prevention and mitigation of attacks that target web-facing applications. Common targets are content management systems (such as WordPress), databases, and cloud-based applications, which are generally used to operate highly visible and central elements of websites and online services.
Although web applications are among the most commonly targeted attack vectors, they rarely receive the attention they deserve. In fact, nearly 50 percent of web applications are vulnerable to unauthorized access, according to a 2018 Positive Technologies report, and medium-level vulnerabilities were discovered in all tested web applications. Even when security solutions are in place, there is a high chance they are misconfigured or insufficiently deployed, which can allow relatively small vulnerabilities to cause breaches of massive scale.
So what should you secure, and how? Here we go over three steps that will help you set your priorities and get started on choosing the most suitable protection for your web-facing applications.
Step 1: Assess the scale – how critical are web applications to your organization?
The first step in any security planning is to understand the size and type of valuable assets. With web applications, it’s important to consider their role in and significance to your business-critical operations.
For example, if your website runs on a content management system and saves visitors’ personal information in a backend database, then the state of your web applications can greatly impact your business. Conversely, if your website hosts little sensitive information, then you probably won’t need the heftiest security measures to keep your business running. In other words, your security needs are determined by how sensitive your organization is to factors like website downtime and data theft that can directly affect your revenue, brand, and customer satisfaction.
The more those factors weigh on your business’s success, the greater your need to deploy security that is optimized for your IT environment and provides agile protection against both common and sophisticated threats.
Step 2: Consider the costs – how valuable are your assets?
Another basic rule of security planning: to prevent attacks, hacking into your system must be more costly than the monetary value of your data. This is particularly important since vulnerable web applications are generally low-cost attack targets with high potential returns.
In general, the value of data is determined by factors like intellectual value (does it reveal sensitive details about your products?), resale value (can it be sold for big profit on the black market?), and personal value (do you collect personally identifiable information about your customers?). If your data is valuable, advanced security that intelligently adapts to emerging threats will be necessary to increase the financial burden on anyone trying to hack you.
The allocation of budget and focus is also important in planning web application security. If you have limited resources, you should prioritize the security of the web applications with the most significant roles in your business. For example, websites with heavy backend databases will require active protection against SQL injection, in which an attacker submits malicious input through a vulnerable website, usually via a form, to gain access to backend resources. Here, it would be advisable to look for a WAF that is tested and proven effective against SQL injection.
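To make the SQL injection point concrete, the following is an added example written for this article (it is not code from the original post or from any product mentioned here). It builds an in-memory SQLite table from constructed sample rows, then runs the same form input through two lookups: one that pastes the input straight into the SQL text, and one that passes it as a bound parameter. The table name, column names and sample users are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'brien", "obrien@example.test"),  # legitimate value that contains a quote
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the form field is concatenated into the SQL text,
    so any quote character in the input becomes part of the query syntax."""
    query = (
        "SELECT username, email FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a parameterized query. The driver hands the value to
    the engine separately from the SQL, so the input is only ever data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input and report what each returned.
    A query that fails is reported by its exception class name instead of rows."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vulnerable = type(exc).__name__
    safe = lookup_safe(conn, username)
    conn.close()
    return {"input": username, "vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    # A normal name, a legitimate name with an apostrophe, and a classic
    # textbook probe that turns the WHERE clause into an always-true condition.
    for value in ["alice", "o'brien", "x' OR '1'='1"]:
        print(compare(value))
```

Two things are worth noticing when you run it. The concatenated version breaks on a perfectly legitimate name containing an apostrophe (a syntax error), and it returns every row for the textbook probe because the quote ends the string literal early. The parameterized version returns exactly the matching row in the first case and no rows at all in the second, because the engine compares the whole input, quote included, against the column. A WAF can catch the probe in transit, but parameterized queries remove the defect at its source, which is why both layers belong in the plan.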
Step 3: Decide on implementation – what kind of solution meets your needs?
Web application security needs can be most efficiently addressed by deploying a Web Application Firewall (WAF). When choosing a WAF, two key points to consider are: 1. how it can be deployed (on-premise, cloud, hybrid, or as a service) and 2. how effective the technology is at blocking threats.
Ultimately, any security solution can be rendered ineffective unless properly configured. Hence, it’s essential to choose a WAF that is suitable for the size and environment of your organization. For SMBs, it can be convenient to deploy a Security-as-a-Service (SaaS) solution or a scalable cloud-based solution, whereas financial institutions or larger businesses may opt for non-virtual solutions to meet industry standards and compliance rules for data protection.
In terms of technology, it’s important to choose a solution that, in addition to countering known threats and the OWASP Top 10, also protects against zero-day and DDoS attacks. With the threat landscape continuously evolving, the key to effective defence lies in intelligent security policies that keep false positive rates low. Finally, make sure to pick a solution with a user-friendly management console to support the regular testing and maintenance of your WAF.