Ask the following four questions to help reduce cyber risk in your public-facing assets and web apps.
The constant drum of cyberattacks on your public-facing assets and web apps is not going to stop anytime soon: according to the 2020 Verizon Data Breach Investigation Report (DBIR), 43% of data breaches involved attacks on web apps. From new automated attack tools to well-funded sophisticated black hat hackers targeting specific security holes, it's now easier than ever for bad actors to test your defenses.
Securing your web apps comes down to you and your understanding of the weaknesses that an attacker might find and leverage in your network. Once you have this understanding, you can then proactively apply relevant patches, code fixes and/or compensating controls to mitigate against threats.
Each of the following questions offers different lenses through which to view the security risk presented by your public-facing assets and web apps.
1. What is my organization’s risk for public-facing assets?
Firstly, let’s look at how you would assess the risk of a public-facing asset. In an ideal situation, you would want to expose as few assets as possible to the outside world. You can leverage a public risk scan to validate that you are restricting public visibility as much as possible. Another advantage of the scan is that it will also test the compensating controls on your network to make sure they are operational.
Unfortunately, even the simplest information exposed to the outside world, like the version of your file transfer protocol (FTP) server, can be exploited by easy “Google Hacking” techniques. It’s important to leverage a vulnerability management program to set up regular scanning of public-facing assets to help you minimize risk. The results of a risk scan are best used to configure your network and host-based compensating controls to avoid exposing any unwanted information.
2. What vulnerabilities exist in my network backends?
To understand a network’s weaknesses, we recommend scanning it locally from a vulnerability scanner hosted in your environment or an agent installed on the host. A local scanner in your environment using an authenticated scan can provide the most thorough results. To obtain that level of detail, you will need to provide credentials to assess the target. If this is difficult, you have the option of using agents, which don’t require credentials as they are already running on the host itself.
Once the authenticated scan is complete, you will have a full list of the vulnerabilities to which the asset is susceptible. The next step is to understand the context around the threat of each of these vulnerabilities. Understanding the current real-world risk information for each vulnerability can help you better prioritize your remediation efforts based on the likelihood a vulnerability is to be used, allowing you to utilize your scarce security resources more effectively.
It is just as important to be aware of configuration and compliance issues. You want a vulnerability management solution that includes the ability to audit the configuration of a target against a number of compliance standards and best practice templates, including those from the Center for Internet Security (CIS), the Defense Information Systems Agency Security Technical Implementation Guides (DISA/STIG) and payment card industry (PCI) standards, as well as your organization’s own internal standards.
3. How do I know that my web apps are secure from an attack?
One of the fastest and most efficient ways to secure your web apps from an attack is to deploy an automated web app scanning program. Dynamic Application Security Testing (DAST), for example, is an automated penetration test that will interact with the web app in a safe way and assess the response to show if there are weaknesses in the coding of the web app.
A DAST tool can go deeper than an operating system (OS) and application-level vulnerability and configuration audit to dynamically assess a web app. It helps ensure that the app is not vulnerable to an unanticipated action, or logic flaws. It also helps validate the running environment, like structured query language (SQL) injection, to find any coding flaws and misconfigurations. It is also important to point out that some legacy web app scanners can’t keep up with the modern applications. A modern DAST tool not only can scan traditional HTML web apps, but also supports dynamic web apps built using HTML5, JavaScript and AJAX frameworks, including single-page applications.
“Shift Left” is a best practice that integrates web app security into the software development life cycle (SDLC). Doing full testing of your web apps in a pre-production environment, and automating security scanning every time the code changes can help increase your organization's overall security posture. This helps expose vulnerabilities in your web apps sooner, reduces the cost of fixing those problems and limits the potential for damages due to a compromise.
4. How do I scan for PCI compliance?
The PCI Data Security Standard (DSS) includes a requirement (11.2.2) for a quarterly external scan and an attestation provided by an Approved Scanning Vendor (ASV). You should combine both the public risk scan result with a web app scanning solution from an ASV to provide attestation against public web apps and assets. Using these scan results, you can go through the process of gaining compliance certification against the 11.2.2 requirement to share with any interested parties. Leveraging pre-configured PCI templates and defined dispute processes can help streamline this effort.
Summary
As you can tell, there is no silver bullet to assess your public facing assets and web apps to determine the risk of cyber criminals. That said, there are best practices that can help you understand and minimize your risk. To find out more, please check out the “Top 5 Web Application Security Practices” eBook.
Learn more
- Read the blog: Web Application Security: 3 Lessons We Learned From Formula 1™ Racing
- Attend the webinar: Three Ways You Can Improve Web App Security