It will not come as a surprise to learn that many of today’s applications are more complex than those used on the internet only a decade ago. While advances in this area have transformed the face of information exchange and accelerated the move to digital-first, they have also introduced a number of new, often overlooked, security vulnerabilities.
Unfortunately, cyber-criminals have wasted no time in taking advantage of this expanded threat landscape, attacking both the “front end” of applications (the APIs) and the applications behind them. Indeed, threats to the application layer have been exacerbated by the mass shift to online due to the COVID-19 pandemic. According to recent research, for example, 70% of IT and security professionals admit that their application portfolio is more vulnerable than it was a year ago.
As attacks grow in sophistication and volume, it is increasingly crucial that businesses become aware of the different threats they face and implement robust application security tools and processes to mitigate these.
We are now operating within a containerized, microservices-orientated environment, which looks a lot different from IT architectures of the past. This new way of working enables a variety of key benefits from flexibility to productivity and scalability. At the same time, however, the increased level of complexity has brought with it a greater level of risk.
While monolithic applications needed direct connections, modern ones have expanded from the enterprise computer room to the data center and into the cloud. Within this highly intricate environment, attack surfaces have grown to include APIs — the communications “glue” that allows services to interact with one another — and content management systems (CMSs).
Not surprisingly, hackers are hyper-aware of this complex infrastructure underpinning an organization’s online presence and can use everything from DDoS attacks to malware to threaten the application layer.
One of the most dangerous methods used by hackers is launching a targeted attack against the front-end systems. This is a direct result of a hacker spotting a vulnerability in an existing program within an organization’s web presence. These types of attacks are carefully thought-out, take place on various fronts and are commonly after sensitive data such as customer or patient information, financial credentials or intellectual property.
Targeted attacks such as these are effective, but they cost a significant amount of time, effort and risk to execute. As a result, in most cases, cyber-criminals turn to simpler and cheaper tactics such as bot-driven reconnaissance. This involves bots scanning and probing to gather information about web applications and underlying infrastructure, including the APIs and CMSs. Any insight gleaned can be matched to known unpatched vulnerabilities, which can then be exploited and used to launch a focused attack.
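The reconnaissance pattern described above (a single client rapidly probing for CMS and API endpoints that do not exist on the site) leaves a recognisable trace in ordinary web server access logs. The following Python is an added example, not code from the original article or from any vendor mentioned in it; it parses a handful of constructed Combined Log Format lines and flags clients whose 404 ratio or hits on an assumed watchlist of commonly probed paths (PROBE_PATHS, a placeholder list to tune per site) look like automated scanning rather than a user browsing.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# 203.0.113.7 behaves like a discovery bot, 198.51.100.20 like a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "GET /api/v1/users HTTP/1.1" 401 45 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "GET /administrator/ HTTP/1.1" 404 162 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:10:00:04 +0000] "GET /api/swagger.json HTTP/1.1" 404 162 "-" "python-requests/2.25"
198.51.100.20 - - [10/Mar/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:10:00:07 +0000] "GET /products HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:10:00:09 +0000] "GET /products/42 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:10:00:12 +0000] "GET /missing-image.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed watchlist: paths this (constructed) site never serves but which
# CMS/API discovery bots commonly request. Tune per deployment.
PROBE_PATHS = {"/wp-login.php", "/xmlrpc.php", "/.env", "/administrator/", "/api/swagger.json"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # count distinct paths without query strings
    return rec


def summarize_clients(lines):
    """Aggregate per-client request count, 404 count, distinct paths and probe-path hits."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "probe_hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the whole run
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1
        if rec["path"] in PROBE_PATHS:
            s["probe_hits"] += 1
    return stats


def flag_recon(lines, min_requests=5, not_found_ratio=0.5, min_probe_hits=2):
    """Return {ip: [reasons]} for clients whose traffic looks like automated reconnaissance.

    The 404-ratio signal only fires once a client has sent min_requests, so a visitor
    with one broken image link is not flagged; probe-path hits fire on their own.
    """
    flagged = {}
    for ip, s in summarize_clients(lines).items():
        reasons = []
        ratio = s["not_found"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= not_found_ratio:
            reasons.append("high 404 ratio %.2f over %d requests" % (ratio, s["requests"]))
        if s["probe_hits"] >= min_probe_hits:
            reasons.append("%d hits on known probe paths" % s["probe_hits"])
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_recon(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

Run on the constructed sample, only 203.0.113.7 is reported, with both reasons. In practice the same aggregation would run over a sliding time window and feed a rate limit or WAF block list rather than just printing.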
Another type of attack can be described as a “vertical cascade.” This is when a particular vulnerability is discovered during reconnaissance, and with further analysis, a hacker confirms that the vulnerability is specific to the “industry vertical” in which the initial victim company operates. This is often a result of customer requirements shared across the industry and can consist of a plug-in, a routine or a mechanism developed for or used uniquely by that industry. The vertical cascade method has been particularly popular over the last year as organizations scrambled to make their websites more dynamic amid the pandemic, often leaving security gaps.
Optimizing Application Security
Protecting the application layer from these different attack methods is challenging. Keeping track of assets and where they reside is a crucial first step. This involves having a clear awareness of what is being used to power applications, including the APIs and CMSs in use.
One way to acquire this knowledge is to implement an API-capable cloud-based web application firewall (WAF). Wherever the application is hosted, this protects it against common attacks, such as the threats detailed in the OWASP Top Ten — a document that highlights the most critical risks to web applications. A WAF also enables organizations to do “virtual patching,” placing an additional layer of protection, similar to a band-aid, over the vulnerable application to stop attacks on it from succeeding. This provides a short-term fix while security teams work to solve the wider issue.
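To make the idea of a virtual patch concrete, the following Python is an added example, not code from the original article or from any WAF product it mentions. It models a WAF rule as data: each rule names a hypothetical vulnerable endpoint (`/api/export` with a `file` parameter, `/api/` endpoints that still honour a leftover `debug` parameter; both assumed for illustration), the parameter to inspect, a deny pattern, and a ticket reference for the real code fix, so the band-aid can be removed once the application is actually patched. It also shows the normalisation caveat a practitioner needs: the rule must decode the parameter value before matching, or a percent-encoded variant slips past.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs, unquote


@dataclass
class Request:
    """Minimal model of an inbound HTTP request as a WAF sees it."""
    method: str
    url: str                      # path plus optional query string
    body_params: dict = field(default_factory=dict)  # already-parsed form fields


@dataclass
class VirtualPatch:
    """One WAF rule shielding a known-vulnerable endpoint until the code fix ships."""
    rule_id: str
    path_prefix: str              # only requests under this path are inspected
    param: str                    # parameter to inspect (query string or body)
    deny_pattern: "re.Pattern | None"  # None means block on mere presence of the parameter
    ticket: str                   # constructed tracking reference for the permanent fix


# Constructed rule set for hypothetical endpoints; a real deployment would load
# these from the WAF's policy and retire each one when its ticket closes.
PATCHES = [
    # Hypothetical: /api/export?file= was found to allow path traversal.
    VirtualPatch("VP-1001", "/api/export", "file",
                 re.compile(r"(\.\./|\.\.\\|^/|^[a-zA-Z]:\\)"), "APP-1234"),
    # Hypothetical: a leftover debug switch on the API that should never be reachable.
    VirtualPatch("VP-1002", "/api/", "debug", None, "APP-1240"),
]


def normalize(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded '../' is judged as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(request, patches=PATCHES):
    """Return ("block", rule_id, detail) if a virtual patch matches, else ("allow", None, None)."""
    parts = urlsplit(request.url)
    params = parse_qs(parts.query, keep_blank_values=True)  # one decode happens here
    for name, value in request.body_params.items():
        params.setdefault(name, []).append(value)
    for patch in patches:
        if not parts.path.startswith(patch.path_prefix):
            continue  # rule is scoped to the vulnerable endpoint only
        for raw in params.get(patch.param, []):
            value = normalize(raw)
            if patch.deny_pattern is None or patch.deny_pattern.search(value):
                detail = "%s=%r matched virtual patch for %s" % (patch.param, value, patch.ticket)
                return ("block", patch.rule_id, detail)
    return ("allow", None, None)


if __name__ == "__main__":
    for req in [
        Request("GET", "/api/export?file=report-2021.csv"),
        Request("GET", "/api/export?file=../../etc/passwd"),
        Request("GET", "/api/export?file=%252e%252e%2fetc%2fpasswd"),  # double-encoded
        Request("POST", "/api/export", body_params={"file": "../secrets.txt"}),
        Request("GET", "/api/orders?debug=1"),
        Request("GET", "/search?q=export&file=../x"),  # same parameter, different endpoint
    ]:
        print(req.method, req.url, "->", inspect(req))
```

The last request is allowed on purpose: a virtual patch is scoped to the endpoint that is actually vulnerable, which keeps false positives low but also means the rule offers no protection if the same flawed code is reachable through another path, which is why the ticket for the real fix matters.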
As a fundamental part of the application security stack, it’s important that WAFs are kept up-to-date, which can be a challenge in itself. Research from the Neustar International Security Council, for instance, found that 85% of organizations invest significant time modifying their WAFs to keep ahead of cybersecurity threats. Steps can be taken to augment these efforts with third-party, always-on security resources to ensure optimal performance.
Finally, keeping up with industry exploits is key. Hackers are opportunistic, and if they spot a piece of exploitable code that has been widely adopted within a certain sector, they will undoubtedly use it to their advantage. The sooner a virtual patch is deployed, the sooner they will move on.
Application security is challenging to get right, but with a cloud-based WAF, always-on monitoring and a good understanding of industry vulnerabilities, an organization can benefit from technological advances in code while guarding against evolving application attacks.