Globally, the number of web applications has quintupled over the past decade, and the number of records compromised by data breaches has grown even faster. According to Verizon’s 2021 Data Breach Investigation Report, two in five breaches originate from a web application. No organization is immune, especially as businesses and agencies of all sizes continue to develop their own custom web applications and continue to expand their attack surface in the process.
In a new episode of MeriTV, Laura Paine, Director of Product Marketing at Invicti Security, discusses the burgeoning web application landscape and this growing security problem. She examines the role of leadership and agency culture in IT security, as well as DevSecOps; and it describes concrete steps to improve the security of web applications.
“Web applications are really the basis of how we live and do our business… Everything we interact with online is based on a web application,” Paine noted.
The cyber threat to federal agencies was laid bare in Microsoft’s digital defense report in October, which showed that 48% of nation-state cyberattacks between July 2020 and June 2021 were aimed at governments. All of these attacks, except 2%, targeted the US government.
“Malicious attackers look for the fruit at hand when they try to enter an organization. … It might not be the critical web application they’re trying to get into, ”Paine explained. “The example I like to use to illustrate this is from Equifax. When they were breached in 2017, it was actually through a customer complaint portal, which was a web application that contained a known vulnerability. And I think most of us know the kind of damage that has done to Equifax, and how it has affected the lives of millions of people around the world.
Web application security “requires a fundamentally different approach than organizations have done in the past,” Paine advised. “It must enable organizations to analyze and secure all applications and web services available to them on a continuous and automated basis throughout the software development lifecycle. “
DevSecOps – the “shift left” movement to embed security into applications from the design stage – is essential – but it’s not enough, Paine noted, because it focuses only on applications under development.
“Shifting application security to the left… is a must, but we also need to make sure that we continue to analyze applications on the right, also during testing and production,” she said.
Paine described a four-step process for better application security:
- Find and catalog all apps in an organization’s portfolio
- Analysis of all applications in development and production
- Fix vulnerabilities with automated workflows
- Continuous analysis of applications for vulnerabilities
The latest guidance from CISA and NIST recommends continuously diagnosing and mitigating security vulnerabilities for all web applications, Paine noted.
“This is not a one-size-fits-all business,” said Paine, who envisions a world where organizations can effectively analyze and secure all of their web applications and application programming interfaces throughout the software development lifecycle, while throughout their portfolio.
For more information on Paine, check out the full interview.