Worldwide, the number of web applications quintupled over the last decade, and the number of records compromised by data breaches grew even faster. Two in every five breaches originate in a web app, according to Verizon’s 2021 Data Breach Investigations Report. No organization is immune, especially as businesses and agencies of all sizes continue developing their own custom web apps – and continue widening their attack surface in the process.
In a new MeriTV episode, Laura Paine, director of product marketing at Invicti Security, discusses the burgeoning web app landscape and this growing security problem. She examines the role of agency leadership and culture in IT security, as well as DevSecOps; and she outlines concrete steps to improve web app security.
“Web applications are really the basis of how we live our lives and how we do business. … Everything we interact with online is based on a web application,” Paine noted.
The cyber threat to Federal agencies was laid bare in Microsoft’s Digital Defense Report in October, which showed that 48 percent of nation-state cyberattacks between July 2020 and June 2021 targeted governments. All but 2 percent of those attacks targeted the U.S. government.
“Malicious attackers are looking for the low-hanging fruit when they are trying to get into an organization. … It may not be the business-critical web application that they are trying to get into,” Paine explained. “The example that I like to use to illustrate this is with Equifax. When they were breached in 2017, it was actually through a customer complaint portal, which was a web application that had a known vulnerability in it. And I think most of us know the kind of damage that created for Equifax, and how that touched the lives of millions of people around the world.”
Web application security “needs a fundamentally different approach than what organizations have done in the past,” Paine advised. “It needs to enable organizations to scan and secure all of the web applications and services that they have in a continuous and automated fashion throughout the entire software development lifecycle.”
DevSecOps – the “shift left” movement to build security into applications beginning at the design stage – is critical but not enough, Paine noted, because it focuses only on applications that are actively being developed.
“Shifting application security left … is a must, but we also need to make sure that we keep scanning applications on the right, in the test and production stages as well,” she said.
Paine outlined a four-step process to better application security:
- Finding and cataloging all applications in an organization’s portfolio
- Scanning all apps in development and production
- Remediating vulnerabilities with automated workflows
- Continually scanning applications for vulnerabilities
The latest guidance from CISA and NIST recommends continuously diagnosing and mitigating security vulnerabilities for all web applications, Paine noted.
“It’s not a one-and-done activity,” said Paine, who envisions a world where organizations can efficiently scan and secure all their web applications and application programming interfaces across the software development life cycle, throughout their entire portfolio.
For more insights from Paine, check out the full interview.