
5 best practices for Web application security — the route to a safer digital presence

Maher Shehab

Maher Shehab, Security Solutions Architect at Qualys, lays out the five steps that organizations should follow in order to bolster their web-app security defenses.

When crises hit, survivors pivot. Pandemic lockdowns sent the United Arab Emirates’ forward-thinking government and its resilient businesses into adaptation mode. As in-person volumes of visits to bureaus and branches dwindled, the nation once again became a factory of digital experiences. One of the results was a conveyor belt of Web applications. Consumers were delighted. Threat actors were enthralled.


Web applications are attractive targets for cybercriminals. They tend to be riddled with vulnerabilities and their abundance means plenty of opportunities to create havoc. In the digital security industry, we have been tracking the uptick in Web app targeting and we understand the most popular methods. This knowledge has been out there for some time, for all cybersecurity stakeholders to digest. Nonetheless, little progress appears to have been made in hardening corporate Web applications.

DevOps teams are under pressure to release experiences into the wild at scale and with ever-shortening development cycles. Security is often not built in at the authorization and access-control layer, and on top of that, vulnerabilities from third-party add-ons and plug-ins find their way into the mix. All such issues give the “wrong sort” a way into sensitive systems and data. Once in, they can create their own accounts for persistent access, abuse exposed APIs to redirect resources or traffic to locations they control, move laterally across systems and platforms, and more.

Insecure by default

In the 2023 Qualys TruRisk Research Report, we examined more than 2.3 billion anonymized vulnerabilities discovered around the globe in 2022. Among 370,000 Web applications, we found more than 25 million vulnerabilities. The most common issue, found in a third of cases, was “security misconfiguration” as classified by the Open Worldwide Application Security Project (OWASP). Covering the fundamentals will prevent the worst Web application issues. Many studies have revealed the urgent need for security to be a basic brick in application development, not an afterthought. It should be there from the start. “Secure by design” should be a song sung by every DevOps team across the region, with the understanding that this adds yet another pressure. Devs need help, so in this spirit, here are five best practices they can adopt to help them on their way.

1. Script your security testing

No app, no revision, no release shall be deemed production-ready until it has passed security testing. If security vulnerabilities are discoverable and fixable when apps are live, they should be discoverable and fixable during the design phase. Therefore, test as you build. There is an opportunity during design to tweak development and security processes so that these traditionally disparate functions collaborate and become more intertwined over time.

2. Identify security champions and empower them

As your security operations become more collaborative with DevOps, you should start looking at the development team as potential security champions. Whether through formal knowledge transfer or osmosis, they will become less dependent on security teams for testing. Over time, this should lead to more autonomy and allow DevOps to regain ownership of the development process while implementing security best practice.

3. Test security on two fronts

Application security relies on two main approaches for the most effective result: automated software scanning on one side, and penetration testing carried out by human teams on the other. The two complement each other, as the strengths of each balance the weaknesses of the other. Automated scanning is cheap enough to run on every build, so it gives frequent, consistent coverage of the known classes of flaw across the whole application as it changes. Human testing is slower, but it shows what a real attacker would do and how likely they would be to succeed, chaining findings and abusing application logic in ways a scanner cannot. That gives development teams crucial context for how the application might be manipulated in a production setting.

4. Address risk, not symptoms

This is not only a way of urging development teams to fix vulnerabilities as they design their app. It describes a pragmatic, business-centric approach to app security. Flaws may be found and fixes devised, but applying them immediately may be impractical or even damaging. For example, if an app is part of core business operations, generating revenue or controlling a central pillar of day-to-day commerce (say, order fulfilment), then taking it offline for an update might not be practical. For such issues, it is important to involve all line-of-business, DevOps, and security stakeholders to weigh the business benefits against the potential losses of allowing a flawed application to remain up and running.

In these discussions, business imperatives often mean the symptom is allowed to persist for a while and the risk is reduced in the meantime with a Web Application Firewall (WAF) rule, which provides temporary protection for the application. A WAF rule is a virtual patch, not a fix: a dogged attacker can often find a way around it, so treat it as a stopgap with an owner and an expiry date. DevOps, under guidance from security teams, should follow up by deploying remediated code that fixes the underlying problem.
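As an added example (not code from the article, and not Qualys tooling) of how practice 1 (script the security test into the build) and practice 4 (accept a WAF-mitigated risk only temporarily) can be enforced together, here is a small release gate in Python. A critical or high finding blocks the release unless it carries a documented risk acceptance naming a compensating control, a tracking ticket and an expiry date; once the acceptance expires, or if its window is longer than the policy allows, the gate closes again until the code fix ships. The scanner JSON format, the 90-day maximum window and the sample findings are all constructed for the example, not values from the article.

```python
"""Risk-based release gate: a finding blocks the release unless it is fixed or
covered by an in-date, documented compensating control (e.g. a WAF rule)."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy values are assumptions for this example, not figures from the article.
BLOCKING_SEVERITIES = {"critical", "high"}
MAX_ACCEPTANCE_DAYS = 90  # longest a WAF-only mitigation may stand in for a code fix


@dataclass
class RiskAcceptance:
    control: str       # the compensating control, e.g. a WAF virtual-patch rule
    ticket: str        # tracks the real code fix
    accepted_on: date
    expires: date


@dataclass
class Finding:
    id: str
    title: str
    severity: str
    acceptance: Optional[RiskAcceptance] = None


def load_findings(json_text: str) -> list[Finding]:
    """Parse scanner output in the constructed JSON shape used by SAMPLE_SCAN."""
    findings = []
    for item in json.loads(json_text):
        acc = item.get("accepted_risk")
        acceptance = None
        if acc:
            acceptance = RiskAcceptance(
                control=acc["control"],
                ticket=acc["ticket"],
                accepted_on=date.fromisoformat(acc["accepted_on"]),
                expires=date.fromisoformat(acc["expires"]),
            )
        findings.append(Finding(item["id"], item["title"],
                                item["severity"].lower(), acceptance))
    return findings


def evaluate(findings: list[Finding], today: date) -> dict:
    """Apply the policy: return which findings block the release, which are
    covered by a valid acceptance, and a human-readable reason for each block."""
    blocking, mitigated, reasons = [], [], []
    for f in findings:
        if f.severity not in BLOCKING_SEVERITIES:
            continue  # tracked in the backlog, but does not stop the release
        a = f.acceptance
        if a is None:
            reasons.append(f"{f.id} ({f.severity}): no fix and no accepted risk")
        elif a.expires < today:
            reasons.append(f"{f.id}: acceptance expired {a.expires}, {a.ticket} still open")
        elif (a.expires - a.accepted_on).days > MAX_ACCEPTANCE_DAYS:
            reasons.append(f"{f.id}: acceptance window exceeds {MAX_ACCEPTANCE_DAYS} days")
        else:
            mitigated.append(f.id)
            continue
        blocking.append(f.id)
    return {"passed": not blocking, "blocking": blocking,
            "mitigated": mitigated, "reasons": reasons}


def gate(json_text: str, today_iso: str) -> dict:
    """Entry point a CI job would call: scanner JSON in, verdict out."""
    return evaluate(load_findings(json_text), date.fromisoformat(today_iso))


# Constructed sample scan output; the titles are generic OWASP-style categories,
# not findings from any real application.
SAMPLE_SCAN = """[
  {"id": "F-1", "title": "Admin interface reachable without authentication",
   "severity": "Critical"},
  {"id": "F-2", "title": "Directory listing enabled under /static",
   "severity": "High",
   "accepted_risk": {"control": "WAF rule denying directory-index requests",
                     "ticket": "APP-1200", "accepted_on": "2024-02-15",
                     "expires": "2024-04-15"}},
  {"id": "F-3", "title": "Verbose stack traces returned to clients",
   "severity": "High",
   "accepted_risk": {"control": "WAF rule masking error pages",
                     "ticket": "APP-1104", "accepted_on": "2023-11-01",
                     "expires": "2024-01-30"}},
  {"id": "F-4", "title": "Content-Security-Policy header missing",
   "severity": "Medium"}
]"""

# The same scan after the F-1 and F-3 fixes have shipped.
SAMPLE_SCAN_AFTER_FIX = json.dumps(
    [f for f in json.loads(SAMPLE_SCAN) if f["id"] in ("F-2", "F-4")])

if __name__ == "__main__":
    report = gate(SAMPLE_SCAN, "2024-03-01")
    print("release allowed:", report["passed"])
    for reason in report["reasons"]:
        print(" -", reason)
```

Run on 1 March 2024, the gate blocks on F-1 (no fix, no acceptance) and F-3 (acceptance lapsed while its ticket is still open) but lets F-2 through because its WAF rule is documented and in date; once F-1 and F-3 are fixed the release passes, and on 1 May 2024 F-2's acceptance has expired and the gate closes again. The point of the expiry check is that the WAF never quietly becomes the permanent fix.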

5. Keep it real

Cybersecurity involves more pragmatism than many may realize. Picking your battles is an idea that may seem at odds with a calling that should be about plugging all holes. But not all leaks bring about the collapse of the dam. And so, some battles are more important than others. As with other business functions, DevOps and their new partners in the SOC should direct resources to where they can do the most good.

We know that the GCC region suffers from a lack of human resources and a formidable volume of cyberattacks. Remember that developers, rather than security personnel, may be the ones deploying updates. Get to know developers’ pain points and help them achieve their objectives in a way that also improves security for Web applications. Taken together, these constraints mean issues must be prioritized: account for everyone’s goals and for capacity, and be realistic.

Safe and sound

Web applications are going to continue to rise in prominence and cycle through versions with increasing frequency. And yet we must face up to their potential for abuse by our adversaries. Apply these best practices, and sleep well.

About the Author: Maher Shehab is an accomplished professional with a strong foundation in computer science and a passion for cybersecurity. Maher holds a Bachelor of Science (B.S.) degree in Computer Science, along with a Master’s in Business Administration (MBA), which has equipped him with a unique blend of technical expertise and business acumen. Maher’s 10+ year journey in cybersecurity has led him to specialize in identifying and mitigating vulnerabilities within diverse digital landscapes. In his current role with Qualys, he has had the privilege of assisting organizations across various industries in bolstering their security postures, identifying their risks, and helping them to protect, prioritize, mitigate, and reduce the risk accordingly.
