Bulletproof Application Security Controls and Techniques

27 Apr

“Data is the new oil.”

It has been over a decade since Clive Humby, a data science pioneer and co-founder of the global customer data science company Dunnhumby, said this. He used the expression to describe how data can become an asset once it is processed and analyzed. After so many years, the phrase still holds in the data-driven world. Organizations are finding ways to use data to make money, but in some unfortunate situations data can make you lose that money too.

From March to October 2018, Hong Kong-based airline Cathay Pacific Airways was under a cyberattack. It compromised the personal data of approximately 9.4 million customers, including the financial details of around 380,000 passengers [1]. After the incident, shares of the airline dropped more than 6% [2]. The incident illustrates the negative impact of a breach. F5 Labs published research in 2018 showing that web and application attacks contribute 30% of all security breaches, which makes them the two biggest causes of security breaches. The research also reveals that, on average, a serious web application security incident costs about $8 million [3].

Impactful Tips to Strengthen Your Organization’s Application Security

A concrete application defense strategy starts with a thorough understanding of every application, including a detailed report on its attack surface. But this is not enough; you need to follow other effective practices to keep your application security intact.

1. Complete understanding of all installed and in-use applications

For each installed application, the responsible professionals should know the security details related to it. Everything from the databases it connects to and its access to other applications should be known to an Application Security (AppSec) engineer. This is definitely a tough task, but it will certainly fortify your organization's application security. Have a clear understanding of the applications your organization uses and the applications that are developed internally. For the required apps, it is best to update them regularly, scan them for threats, and maintain relevant records of them. For external applications, a Cloud Access Security Broker (CASB) can provide an extra layer of security for end users with useful features like tracking app usage. For internal applications, it is always better to evaluate their security controls from time to time. You can also perform a penetration test once or twice a year. Beyond that, build a secure development environment for them.

While the cybersecurity tool market is crowded with services and products that claim to be the most advanced at preventing cyberattacks, a good AppSec program begins with the basics: identifying what you have and the vulnerabilities associated with it.

2. Minimizing the attack surface of an application

It all starts with the basics—good cyber hygiene.

Any part of an application that is publicly visible or reachable, directly or indirectly, is susceptible to cyber threats. The multiple layers and tiers of an application offer plenty of opportunity for cybercriminals to attack it, and this attack surface can be exploited by malicious hackers in various ways. In addition, the tendency to share data with third parties also poses a threat to the application. To avoid such attacks, you need to control user access to the application, monitor traffic flow, and regularly release the required patches.

An efficient web application firewall (WAF) will also help you. Some of these firewalls come with features like virtual patching: the WAF scans incoming network traffic and blocks known threats before they reach the application. It uses the WAF's signature auto-update functionality together with threat intelligence feeds to keep the user protected against new vulnerabilities. This early identification of vulnerabilities helps the IT team patch the underlying vulnerability as soon as possible after proper testing. It has been observed that security teams sometimes do not enable important blocking features on the WAF, and this is one of the reasons security incidents occur.

The security team should also segregate low-priority applications from high-priority applications. This gives the team enough time to take proper preventive measures to protect high-priority apps whenever a low-priority application is targeted. To segregate applications, you can use code-level separation, separate lower-privileged users, sandboxes, and firewalls with server isolation. Another useful tip is to eliminate unnecessary code from the application. This not only minimizes the application's attack surface but also reduces its footprint.

3. Risk analysis and prioritizing your defense strategy

Once you have completed the first two application security controls above, list all the applications that use additional resources. Your risk analysis process must involve unbiased decision-making from an attacker's point of view. You should be able to analyze which data or services could fall prey to the malicious intent of a cyber attacker. Test your applications for flaws in the code, especially those with the potential to be exploited. Testing and scanning internally developed code can be done with scanners or code reviews. You can also outsource this task to get a completely fresh perspective on it. This is one of the best ways to comprehensively assess and analyze the risk associated with your applications.

4. Powerful tools

After taking care of the basics, you are ready to explore more advanced solutions. Your application security strategy must include powerful yet flexible solutions to detect, prevent, react to, and recover from ongoing and upcoming threats. Alongside other technical controls, a WAF, a CASB, and vulnerability scanning should be extended to all tiers of the application. This offers assured protection for your application. Encrypting data in transit at the transport layer is another impactful application security control. In addition, using HTTP Strict Transport Security (HSTS) on web servers and protecting your DNS servers enhance the security of your applications.
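The HSTS control mentioned above is only effective when the header is actually set and set strongly. The following checker, an added example that is not part of the original article, parses a Strict-Transport-Security header value and reports weak settings; the sample header values are constructed, and the one-year minimum max-age is an assumed baseline.

```python
"""Check a Strict-Transport-Security (HSTS) header value against a baseline.

Added example, not part of the original article. Sample headers below are
constructed; MIN_MAX_AGE is an assumed hardening baseline (one year).
"""
import re

MIN_MAX_AGE = 31536000  # assumed baseline: one year in seconds


def parse_hsts(header):
    """Split an HSTS header into a dict of directives.

    Directive names are case-insensitive (RFC 6797), so they are lowercased.
    Valueless flags such as includeSubDomains map to True.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def hsts_findings(header):
    """Return a list of weaknesses in the header; an empty list means it passes."""
    if header is None:
        return ["header missing: browsers will not enforce HTTPS"]
    findings = []
    d = parse_hsts(header)
    max_age = d.get("max-age")
    # max-age must be present and numeric, otherwise browsers ignore the header
    if max_age is None or max_age is True or not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or not a number; header is invalid")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age}s is below the assumed {MIN_MAX_AGE}s baseline")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains stay reachable over plain HTTP")
    return findings


# Constructed samples: a weak setting beside the corrected one.
WEAK = "max-age=300"
HARDENED = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("hardened", HARDENED), ("absent", None)):
        print(label, hsts_findings(value) or ["ok"])
```

The same check can be run against headers captured from your own servers to confirm the control is deployed consistently across every tier.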

Whichever of these app security controls you deploy, the security team must understand the configuration of the product. Many incidents occur because of misconfiguration and a lack of understanding of the security solutions in place. After setting up a defense strategy based on these controls, you will see a marked improvement in your team's problem-solving capabilities.

Learning Application Security Controls with Proper Practical Knowledge

If you are passionate about learning the various application security controls, EC-Council's Certified Application Security Engineer (CASE) is your one-stop shop. It is designed for experienced professionals such as application developers and anyone from an IT security background. It is mapped to the NICE 2.0 framework, keeping it in line with current job market demand.

Sources

[1] https://www.independent.co.uk/travel/news-and-advice/cathay-pacific-hack-customer-details-security-breach-airlines-cyber-attack-a8600066.html

[2] https://www.cnbc.com/2018/10/24/reuters-america-update-1-cathay-pacific-shares-hit-9-yr-low-after-data-leak-affects-9-point-4-mln-passengers.html

[3] https://www.f5.com/content/dam/f5-labs-v2/article/pdfs/F5Labs_2018_Application_Protection_Report.pdf
