Web-based attacks aren’t new and have been frequently observed for some years. However, we’ve seen an alarming spike in recent cyberattacks in this area. In fact, they doubled year-on-year (accounting for 32% of all attacks detected during 2018) and represented the top type of hostile activity. These findings were recently unveiled in Dimension Data’s Executive Guide to the NTT Security 2019 Global Threat Intelligence Report.
Figure 1: Global hostile activity
The role of information technologies is changing dramatically. It’s fast moving away from simply being a back-office process automation function to one that deploys applications – the primary way through which an enterprise conducts its business.
Web-based attacks target web-application and application-specific vulnerabilities in technologies frequently used by many businesses.
Any organisation that has a web presence is exposed to these attacks – and the larger their web presence, the greater the attack surface. Compounding the challenge is that today, more companies’ applications are being housed in the cloud. This not only exposes the organisation to new attack types but also means that a host of new user devices – which are designed to access those applications from anywhere in the world, at any time – are also now under the threat of compromise.
Added to this is the challenge of securing DevOps. Today, in response to increasing customer demands, business leaders are putting IT under pressure to publish applications faster. This is because they want to be first-to-market with innovative products and services to secure and enhance their competitive advantage.
Modern applications require more frequent code changes, as you deploy new functions. So, gone are the days when IT teams would develop an application over a 6–12-month period, knowing that they had sufficient time to build and test prototypes before delivering the finished product. Now, the timeframe may be compressed down to weeks, days, or even hours.
But, if security isn’t integrated into this process, organisations run the risk of exposing themselves to a new array of vulnerabilities that may have been introduced during the development lifecycle.
This is where the concept of ‘DevSecOps’ comes in, i.e. secure software – sooner.
Security teams need to be involved from the time the development of a new application begins, through to testing and run time. This requires the following:
This way, you can identify and fix application vulnerabilities faster (and reduce or eliminate the cost to the business associated with remediating vulnerabilities or issuing patches that may need to be deployed at a later stage, after the application’s been published).
Successful DevSecOps involves everyone understanding that applications aren’t just about technology. It also calls for a cultural change and the need for:
WhiteHat Security recently conducted research [1] on this topic. Their Report included some interesting findings regarding microservices-based architectures. As data and applications increasingly move to the cloud, it’s important to start considering microservices-based architectures. These allow applications to run seamlessly across on-premise and various cloud environments. However, WhiteHat Security discovered that if you migrate to this kind of architecture, the number of vulnerabilities per line of code actually increases. Their Report states: ‘Microservices are riddled with vulnerabilities … that said, they do have a higher remediation rate and shorter time to fix than monolithic apps.’
To me, this suggests that security isn’t yet fully part of the DevOps model – partly due to a lack of understanding and/or implementation of DevSecOps practices.
Web applications are the ‘gateway’ into other systems and parts of an organisation’s infrastructure. They’re usually connected to databases which store sensitive data or intellectual property. So, by compromising the web application, attackers can access these databases, if they’re not adequately secured, and exfiltrate large amounts of data.
The primary motivation behind web attacks is profit, i.e. by selling stolen data to other cybercriminals or criminal agencies.
But it’s also about access. By gaining access to other infrastructure (using the web application as a ‘gateway’), threat actors can infiltrate the wider organisation to conduct other types of malicious activity.
Finally, there’s influence – here, an attacker will look for opportunities to disrupt the business’s operations. This is often related to hacktivism (e.g. defacing a website) to promote a political agenda or movement for social change. In other cases, the attacker will blackmail the target in an attempt to extort funds.
Interestingly, vulnerabilities in older software are targeted most frequently in web-based attacks. To cybercriminals, these represent the ‘low-hanging fruit’, as they’ve remained unpatched for some time. So, businesses need to examine their overall window of exposure and determine how long certain vulnerabilities have been in existence and how long it will take to remediate or patch them.
However, attackers are very much on the front foot in this respect, as they often incorporate web scanners and reconnaissance capabilities into their toolsets. These allow them to identify an organisation’s software and their version numbers … and then they’ll automate the exploitation of selected vulnerabilities. Some of these toolsets are available at no cost on open source forums and the dark web.
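One way a defender can put numbers on the ‘window of exposure’ described above: track, per deployed component, when a vulnerability became public and when the patch actually shipped, then rank open findings by age and measure remediation rate and mean time-to-fix. This is an added example, not Dimension Data’s or WhiteHat’s tooling; the inventory, component names, `VULN-EXAMPLE-*` identifiers and the 30-day SLA are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Finding:
    component: str
    version: str
    vuln_id: str            # constructed placeholder id, not a real advisory
    disclosed: date         # when the vulnerability became public
    fixed: Optional[date]   # when our patch was deployed; None = still open


def exposure_days(f: Finding, today: date) -> int:
    """Window of exposure: days from public disclosure to remediation (or to today if unpatched)."""
    end = f.fixed if f.fixed is not None else today
    return max(0, (end - f.disclosed).days)


def prioritise(findings: List[Finding], today: date, sla_days: int = 30) -> List[Tuple]:
    """Open findings ordered oldest-first, flagging those past the remediation SLA.
    Old, long-unpatched components are the 'low-hanging fruit' the article warns about."""
    rows = [
        (f.component, f.version, f.vuln_id, exposure_days(f, today), exposure_days(f, today) > sla_days)
        for f in findings if f.fixed is None
    ]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def remediation_stats(findings: List[Finding], today: date) -> Tuple[float, float]:
    """Remediation rate (closed / total) and mean time-to-fix in days over closed findings."""
    closed = [f for f in findings if f.fixed is not None]
    rate = len(closed) / len(findings) if findings else 0.0
    mttf = sum(exposure_days(f, today) for f in closed) / len(closed) if closed else 0.0
    return rate, mttf


# Constructed sample inventory (not real data): one patched quickly, one left open for
# over a year, one disclosed exactly at the SLA boundary.
SAMPLE = [
    Finding("web-framework", "2.4.1", "VULN-EXAMPLE-001", date(2018, 3, 1), date(2018, 3, 20)),
    Finding("template-lib", "1.0.9", "VULN-EXAMPLE-002", date(2017, 11, 15), None),
    Finding("http-server", "5.2.0", "VULN-EXAMPLE-003", date(2019, 5, 2), None),
]
TODAY = date(2019, 6, 1)

if __name__ == "__main__":
    for row in prioritise(SAMPLE, TODAY):
        print("%-14s %-6s %-17s %4d days  SLA breached: %s" % row)
    print("remediation rate %.2f, mean time-to-fix %.1f days" % remediation_stats(SAMPLE, TODAY))
```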
There are several reasons for the high success rate of web-based attacks. These include the fact that:
All of the above encapsulate the features and the ultimate goal of DevSecOps. Success lies in integrating all your security toolsets into the application development pipeline, ensuring that security is part of the end-to-end process, and giving developers an understanding of security principles so that they can detect vulnerabilities early on and patch them rapidly, which will reduce the cost to the business.
[1] WhiteHat Security 2018 Application Security Statistics Report, Volume 13: The Evolution of the Secure Software Lifecycle