A Beginner’s Guide to Web App Security

Cybercrime continues to evolve and impact more people and businesses than ever before. Enterprise stakeholders must ensure they understand what could happen if their network is not secure and how they can protect their business online.

Web apps today are a common source of security breaches for many enterprises because they often lack the necessary security measures. Strengthening web app security lets stakeholders reduce the likelihood of a breach for their enterprise.

What Are Web Applications?

Web applications are essentially computer programs that run on a server (or network of servers) and load inside a user’s web browser. They have an interactive component, so users can work with the software inside the browser without having to reload the page.

They are not simply static websites that just display information, such as a local plumber’s website. A web app could be used by a business to communicate specific information with customers, such as when a customer logs into their online bank account to view recent transactions. Or, a web app could be used for employees within an organization to collaborate, such as a shared calendar or messaging client.

Web apps are used in large numbers today. In fact, you’ve probably used a web app multiple times today without even realizing it. Because web apps often contain large amounts of personalized user data, they tend to be a prime target for security breaches.

A Brief History of Web Applications

In the early days of the internet, websites were often used for only disseminating information. A user could not necessarily interact with a website other than to read the information the website displayed.

But hackers were still prevalent and often used phishing scams to steal data that wasn’t properly secured. Eventually, scripting languages were designed to make it possible to do more online. Users could then start to interact with the website, even if it was only in basic ways such as requesting certain information.

One example of this is the search engine. Search engines were created so the user could input a keyword and obtain a list of websites that include that keyword.

Since those early days, web development has become far more complex, leading to a rise in web applications that let us do much more online. With modern web apps it’s now possible to file taxes, check bank accounts, interact with businesses, watch movies and much more.

Current Web App Use Globally

In 1995, only 0.4% of the world’s population was online. By September 2009, 25% of the world’s population was online. As of 2017, 54.4% of people around the world are online. With this increase in overall internet usage has also come an increase in web apps for both personal and business use.

Today, breaches of web apps make up around 40% of all internet breaches that occur. The number of web app breaches has risen 300% since 2014, with this number increasing every day. The biggest risk is public-facing web apps, which are those that consumers use to interact with a business.

Many recent web application breaches have been due to simple vulnerabilities that were overlooked when the web app was originally developed. One reason for this is that many web apps are not developed by the company using them but by a third party. The third party might include no or minimal security measures designed to prevent these breaches, increasing the chance the web app will be breached at some point.

Best Practices for Keeping a Web App Secure

There are several ways to keep a web app as secure as possible. Stakeholders need to be aware of potential vulnerabilities in the web apps they develop, and what can be done to minimize the chance of a breach.

  • Create a Web Application Model
    Knowing what apps are used and what their vulnerabilities might be can help determine where security needs to be focused. Creating a web application model helps keep everything organized so vulnerabilities can be discovered and patched before they’re used in a breach.
  • Use Existing Technologies
    Using existing technologies designed to keep information more secure is the best way to prevent a breach. It’s important to make sure these are used in all web apps to secure the apps and lessen the chance a breach will occur.
  • Use Multifactor Authentication
    Using more than just a username and password to log into a website helps make the website more secure. These can be simple to implement and may not be needed every time the user visits the enterprise’s website. For instance, an SMS code can be sent anytime a user logs into the website using a new, unrecognized device.
  • Use Password Managers
    Instead of allowing employees to create their own passwords, which may not be as secure as the employee thinks, businesses can use a password manager and generator. The generator creates strong passwords for employees, and the password manager stores them securely and lets employees use them easily to log into the different web applications the business relies on.
  • Use Backup and Data Recovery
    All web app data should be backed up in case of a breach. Backups should be kept off-premises and should be updated frequently to ensure the most recent data is available when it’s needed. Testing can help make sure the backup is done correctly and ready to use if needed.

Existing Technologies to Help Keep Web Apps Secure

Existing technologies are designed to help keep web apps secure, but they’re not helpful if they’re not being used. Stakeholders and app developers should ensure existing technologies are used where possible for their web apps to help prevent a breach and should keep on top of new technologies as they’re updated to ensure they can be implemented quickly.

  • HTTPS Redirection
    Websites today should use HTTPS instead of HTTP because of the security it provides. However, many old links will still point to HTTP. Instead of having to go through and change every page of an app, it’s a better idea to redirect all HTTP traffic to HTTPS. This ensures all pages load securely.
  • TLS 1.2 vs. TLS 1.1
    TLS was designed to help protect privacy and data between two different web applications when they communicate with each other. TLS 1.1 is still secure to use, but 1.2 offers more security features that were not available in 1.1. TLS 1.1 is still PCI compliant, but it is recommended businesses upgrade to 1.2 for added security.
  • XSS Protection
    XSS attacks can occur when user input is not validated, encoded or escaped. They enable an attacker to obtain information retained by the browser. This can be prevented with modern technology through encryption. XSS protection should be used in every web app, since this is a huge source of security issues for web apps today.
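The three measures in the list above, shown in plain Python as an added example (not code from the original article or from PeopleSec); the host allow-list, request paths and input strings are constructed for the demonstration:

```python
import html
import ssl

# Constructed host allow-list for the demonstration; not a value from the article.
ALLOWED_HOSTS = {"app.example.com"}


def https_redirect(scheme: str, host: str, path_and_query: str):
    """Return None if the request came over HTTPS (serve it); otherwise a
    (status, headers) redirect to the same page over HTTPS. Host is checked
    against an allow-list so a forged Host header cannot redirect elsewhere."""
    if scheme.lower() == "https":
        return None
    if host not in ALLOWED_HOSTS:
        return 400, {}
    if not path_and_query.startswith("/"):
        path_and_query = "/" + path_and_query
    return 301, {"Location": f"https://{host}{path_and_query}"}


def hsts_header() -> dict:
    """Header for HTTPS responses: browsers then use HTTPS for a year even
    when they follow an old http:// link to this site."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def server_tls_context() -> ssl.SSLContext:
    """Server TLS settings that refuse TLS 1.0 and 1.1 handshakes; a real
    server would also call ctx.load_cert_chain() with its certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def render_greeting_unsafe(display_name: str) -> str:
    """The pattern the list warns about: user input pasted straight into HTML."""
    return f"<p>Welcome back, {display_name}</p>"


def render_greeting(display_name: str) -> str:
    """Hardened form: escape the input so it renders as text, not as markup."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"
```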

High-Profile Breaches in Web App Security

Many high-profile cyber security breaches in recent years have been due to web application breaches. They affected millions of people, exposing their personal information, such as email addresses, mailing addresses and credit card numbers. These breaches occurred in a variety of different enterprises.

  • Zomato
    Zomato is a web app designed to help people find restaurants. Users who were logged in at the time of the breach were impacted; however, those who logged in through OAuth services were not at risk. It is suspected that as many as 17 million people may have been impacted by this breach. Data stolen includes email addresses and passwords.
  • Ashley Madison
    Dating site Ashley Madison suffered a breach in 2015 and had over 300GB of user data compromised. This data, derived from more than 40 million users, included real names, banking information, credit card information, and more. The stolen data was released online a month later by the hackers. Because they failed to secure the data they collected, Ashley Madison was fined $11.2 million.
  • Yahoo
    Yahoo has had numerous breaches, with one impacting 32 million customers. This one occurred because the hacker was able to use forged cookies to access an account without its password. This is an example of why XSS protection is needed: a lack of XSS protection could have allowed the hacker to steal and forge the website’s cookies.

Web App Penetration Testing

So what can you do to protect your web app and keep it secure? Enterprise owners need to be aware of the vulnerabilities and how they can better protect their business and their users. Today, they can do this with web app penetration testing. This tests the web app for any vulnerabilities before a breach occurs, enabling the business owner to boost their security and prevent a potential breach.

If you need to fully secure your web app, but you aren’t sure what needs to be updated or improved, contact PeopleSec today for help. We offer web app penetration testing as well as other services to help make your enterprise as secure as possible online.