MSP Focus: Thinking about security? Don't forget web applications

When we think about security, it's easy to think about desktops and mobile devices first. For some, security around cloud services will be top of mind. However, you can't overlook security for web applications, as Karun Malik, vice president channels and strategic alliances at Qualys, explains.


Web applications provide employees with fast access to services through their browsers, so that they can use them from whichever devices suit them. They should have security baked in from the start, but this is easily overlooked in the rush to get services deployed. In the anonymised research data from our TruRisk Research report, covering more than 370,000 web applications, we found more than 25 million vulnerabilities detected over twelve months. Put another way, each web application had an average of 66 vulnerabilities that needed fixing. If your customers have web applications, they may well have security issues that have to be dealt with.

Looking at the Open Web Application Security Project (OWASP) classifications for these issues, the most common problems with web applications are misconfigurations. This group made up a third of all issues detected. It covers every instance where a web application was set up with improper controls, so that it was not secured in line with industry best practice. A typical example is a default set-up that is never properly configured and hardened, or default permissions or passwords that are never changed. This is the kind of oversight that slips through in the rush to get something finished, or where security is not considered during set-up at all. Another common misconfiguration is giving away too much information in error messages or stack traces: with that data, an attacker can work out where the gaps in your security are likely to be.

There are other problems that can affect web security. Broken access control means attackers can get into areas they should not, while poor or missing encryption allows them to steal data. Injection issues are also still common, despite being known since the 1990s. This category includes SQL and command injection and cross-site scripting (XSS); cross-site request forgery (CSRF) is usually discussed alongside them. These techniques let attackers carry out their own transactions or steal data from web services because the application was not built to treat its input as untrusted or to handle error conditions properly.

How to improve security

Web applications can be fast to implement and easy to use, so security gets overlooked in the rush to get things completed. Offering security scanning and best-practice advice helps your customers see where problems exist, and it should be part of a proactive approach to security in general. One issue that comes up is that people don't know that their applications are insecure, or may not even know that they have a problem in the first place. Alternatively, they assume that because their system is small it won't be found and attacked. Sadly, this is not the case. Attackers often operate using automation to detect issues rather than targeting any one organisation, so any business with a defect in its web application is at risk.
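The injection problems described above, shown as working code. This is an added example, not code from the article or from Qualys: the users table, the credentials and the attack inputs are constructed for the demonstration, and the function names are assumptions. The vulnerable login splices user input into the SQL text; the hardened version binds parameters so the same input is treated as data. The same pattern is shown for reflected XSS, where the fix is encoding output rather than trusting it.

```python
"""SQL injection and reflected XSS, vulnerable beside hardened.

Added example, not code from the article or from Qualys. The users table,
the credentials and the inputs are constructed for the demonstration; the
function names are assumptions.
"""
from __future__ import annotations

import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with a constructed users table.
    Passwords are stored in clear only to keep the example short; a real
    application stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "correct-horse")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Classic SQL injection: user input is spliced into the SQL text, so a
    quote or comment marker in the input changes the statement's grammar."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Parameterised query: the SQL text is fixed and the driver binds the
    values separately, so quotes and comment markers stay plain data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def greet_vulnerable(name: str) -> str:
    """Reflected XSS: untrusted text is written straight into the HTML."""
    return "<p>Hello, " + name + "</p>"


def greet_safe(name: str) -> str:
    """Output encoding: html.escape turns < > & ' " into entities, so the
    browser renders the text instead of executing it as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    # Comment-out attack: the -- makes SQLite ignore the password clause.
    print(login_vulnerable(db, "admin' --", "whatever"))   # ['admin']
    print(login_safe(db, "admin' --", "whatever"))         # []
    # Tautology attack: AND binds tighter than OR, so every row matches.
    print(login_vulnerable(db, "", "' OR '1'='1"))         # all three users
    print(login_safe(db, "", "' OR '1'='1"))               # []
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_safe("<script>alert(1)</script>"))
```

The point to take from the two login functions is that the fix is not "filter out quotes": the hardened version never lets input reach the SQL parser at all, which is why the same inputs that log in as admin or return every user against the vulnerable version return nothing against it.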


www.pcr-online.biz


In our data from around 200,000 external-facing web applications, we found nearly 65,000 instances of malware. Attackers plant custom code that runs in any browser connecting to the web application, then use it to send users to blacklisted sites, steal payment card information and harvest user credentials. They can also use the visitor's compute resources to mine cryptocurrency for the attacker, providing 'free money' from someone else's hardware.

To get ahead of the situation, look at how to bundle web application security alongside your other security services and give customers more insight into the risks they have to deal with. This should be a continuous process, helping customers understand what their problems are and where they can get ahead of them. At the same time, you can help instil best practices around secure software development so that these kinds of problems don't come up again. By carrying out scans earlier in the development process and using guides such as the OWASP Top Ten, you can show customers where to fix issues before they affect web application deployments. Your customers can avoid the majority of web security issues by planning ahead, so give them the tools and data to achieve that.
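The misconfiguration findings discussed earlier (verbose error pages and stack traces, unchanged defaults) are exactly what a scanner run against a test deployment can catch before go-live. The following is an added example of that kind of passive check, not code from the article or from Qualys: it runs over constructed HTTP responses embedded inline rather than over the network, and the error-page fingerprints, header names and finding labels are assumptions based on common framework defaults, not a complete rule set.

```python
"""Passive checks for common web-application misconfigurations.

Added example, not code from the article or from Qualys. The sample
responses are constructed; the fingerprints and header list are assumptions
chosen to illustrate the checks, not an exhaustive scanner.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Response:
    """One captured HTTP response (constructed, no network involved)."""
    url: str
    status: int
    headers: dict
    body: str


# Fingerprints of verbose error output that should never reach a client.
STACK_TRACE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),                   # Python
    re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),                       # Java
    re.compile(r"<b>(Fatal error|Warning|Notice)</b>: .* on line \d+"),   # PHP
    re.compile(r"Server Error in '.*' Application", re.I),                # ASP.NET
]

# Hardening headers a production deployment is expected to send.
EXPECTED_HEADERS = {
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
}


def check_response(resp: Response) -> list[str]:
    """Return finding labels for one response, in a stable order."""
    findings: list[str] = []
    headers = {k.lower(): v for k, v in resp.headers.items()}

    # 1. Verbose errors: framework internals or file paths in the body.
    if any(p.search(resp.body) for p in STACK_TRACE_PATTERNS):
        findings.append("verbose-error")

    # 2. Version disclosure: a version number in Server / X-Powered-By.
    for name in ("server", "x-powered-by"):
        if name in headers and re.search(r"\d+\.\d+", headers[name]):
            findings.append(f"version-disclosure:{name}")

    # 3. Directory listing left enabled (default "Index of /" page).
    if re.search(r"<title>Index of /", resp.body, re.I):
        findings.append("directory-listing")

    # 4. Hardening headers that are simply absent.
    for h in sorted(EXPECTED_HEADERS - set(headers)):
        findings.append(f"missing-header:{h}")
    return findings


def scan(responses: list[Response]) -> dict[str, list[str]]:
    """Map each URL with at least one finding to its findings."""
    report = {}
    for resp in responses:
        found = check_response(resp)
        if found:
            report[resp.url] = found
    return report


# Constructed sample responses.
LEAKY = Response(
    url="https://shop.example/checkout",
    status=500,
    headers={"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
             "Content-Type": "text/html"},
    body="<html><body><b>Warning</b>: mysqli_connect(): Access denied for user "
         "'root' in /var/www/html/db.php on line 12</body></html>",
)
HARDENED = Response(
    url="https://shop.example/account",
    status=500,
    headers={"Server": "Apache", "Content-Type": "text/html",
             "Content-Security-Policy": "default-src 'self'",
             "Strict-Transport-Security": "max-age=63072000",
             "X-Content-Type-Options": "nosniff"},
    body="<html><body>Something went wrong. Reference: 7f3a</body></html>",
)
LISTING = Response(
    url="https://shop.example/backup/",
    status=200,
    headers={"Server": "nginx"},
    body="<html><head><title>Index of /backup/</title></head><body>...</body></html>",
)

if __name__ == "__main__":
    for url, found in scan([LEAKY, HARDENED, LISTING]).items():
        print(url, found)
```

Note what the hardened response does differently: it still fails with a 500, but the body carries only an opaque reference the operator can look up in server-side logs, and the Server header no longer advertises a version. That is the shape of the fix for the "too much information in error messages" finding.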


July/August 2023 | 15

