Web apps, a leading cause of security breaches
Web applications are the leading cause of security incidents for financial services, according to the 2016 Verizon Data Breach Investigation Report; this is up from 31% from last year's report.
Verizon describes Web app attacks as any incident in which a Web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application, as well as thwarting authentication mechanisms.
Key findings of the 2016 DBIR highlighted the information and retail sectors as top industries, alongside financial services, under attack.
The report also revealed that "the breaches within this pattern are heavily influenced by information gathered by contributors involved in the Dridex botnet takedown. Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers, dominate the actions. Defacements are still commonplace and CMS plugins are also a fruitful attack point."
"This is why Web application security matters," says Anton Jacobsz, MD at Networks Unlimited, a South African value-added distributor of converged technology, data centre, networking, and security technology solutions, operating throughout Africa. "Victim demographics range far and wide, and when it comes to having your data compromised, no country, industry or business is bulletproof."
F5 turns up the OpenStack heat
Lori MacVittie, a subject matter expert on cloud computing, cloud and application security, DevOps and application delivery at F5 Networks, a Networks Unlimited partner company, adds: "The application is, by its purpose, a public-facing resource. We put it out there and expect – nay, we encourage, we entice, we beg – consumers to interact with it. To use it. To install it. To visit it often. It is an application world, and that means applications are critical to every aspect of business, whether that's customer facing, employee-facing or internal systems running. We rely on applications for just about everything we do these days, and yet when we mention security, we never seem to remember it. It's really about time we start paying more attention to application security, and not just data security or network security or encrypted communications."
She explains that data is most vulnerable when it is in process in the application. That is because at that point it is in plain text, and completely under the control of that application. The application can display it, modify it, and deliver it to whomever (or increasingly whatever, given the rise of bots and spiders and malware) can coax it out.
"That means we need to pay more attention to securing applications against exploitation and attack. From the platform (the Web or app server) to the protocols (TCP and HTTP) to the actual code itself," MacVittie continues. "We need to scan and scrub and discover and defend against the myriad methods used by attacks to exploit the entire application stack."
Web application attacks are on the rise and have been for a while. The attacks doubled in frequency, from under 20% in 2012 to 40% in 2013, according to F-Secure Labs, and Neustar found in 2014 that 55% of DDOS targets experienced smoke-screening (volumetric DDOS as a cover for the real, application layer attacks) with nearly 50% having malware/virus installed and 26% losing customer data.
"Application attacks are a real and significant threat, especially as they migrate to the cloud where fewer options for protecting them may be available," MacVittie points out. "The native services available in the cloud focused on security are all about access and encryption. None of them are ‘application layer' security and none provide the coverage necessary to inspire confidence in withstanding an attack designed to disable, corrupt or exfiltrate data by exploiting the application itself. That means you need another solution, another service designed to protect applications and the data it is responsible for handling in the cloud, just as you do in the data centre."
She advises that it may mean a cloud-enabled Web application firewall (WAF) or WAF as a service, or at a minimum, a thorough application of the best practices recommended by OWASP on every application deployed in the cloud.
"Cloud security may be viewed as a shared responsibility, with the provider and the customer taking on the chore of different aspects of securing ‘the cloud', but application security is 110% the responsibility of the one who puts that application in the cloud in the first place. That's you, and that means you need to consider carefully what services and solutions you're deploying to protect that application from what inevitably looks like the attack that's going to come your way," concludes MacVittie. "Application security isn't like an expensive bodyguard. It's not something that only the VIP apps get. It's more like personal security, and it's something every application that presents itself in public should have. And that's true whether those apps are in the data centre or in the cloud."