Can a Web App Ever Be Truly Secure?

Despite a wealth of vulnerability detection tools, there remains a vast array of security breaches

Given the devastating consequences of a vulnerability breach, including loss of trust, brand damage and financial sanctions, it’s perhaps no surprise how much software security is talked about and worried over.

Secure applications and data privacy are regularly a top-level concern of all organizations no matter their market sector, size or geography. Barracuda’s State of Application Security in 2021 report surveyed 750 decision-makers in application security representing organizations with 500 or more employees from the US, Europe and the Asia–Pacific region. It points conclusively to the role of vulnerabilities of web applications in the breaches that organizations experience through their software applications.

This isn’t a surprising outcome considering the dominance of web applications and the global transition to remote, online working. But web applications have been a constant source of vulnerability since the early days of the Internet. The rise of rich Internet applications, paving the way for intuitive any-time, anywhere engagements on any device, has exacerbated the situation.

The reality is that web applications present too easy a vulnerability point because of what development teams do — and don’t do. Too many basic security vulnerabilities exist in organizations because development teams and their security auditors leave themselves wide open. By not covering up the tracks to common folder locations where sensitive information can be obtained, for example, they allow an enterprising hacker to gain easy access.

Disconnects in the security posture between different teams also present gaps that can be exploited. For too many companies, there’s still too little sharing of either the security policies or the checklist of common vulnerabilities on which teams are regularly caught out.

We know that the landscape of attack vectors is constantly changing. Barracuda’s survey highlighted bot attacks, as well as API security and software supply chain attacks. But there’s a list of older methods that continue to be stubbornly prevalent: cross-site scripting, cookie poisoning, session hijacking, credential stuffing and SQL injection, to name but a few.

It’s hard not be to be critical of developers of web applications. There are, after all, numerous studies pointing to their culpability in building in or leaving vulnerabilities. Yet they’re aware of the importance of making web applications secure given that these apps are such a common access point for cybercrime.

For those who care about meeting the expectations of customers, whether they’re inside or outside the organization, one of your top priorities should be to reduce risk from engaging with the web applications provided. There can be no excuse for not addressing this.

There are many suppliers that can provide tools and audit services that can take web application security and privacy to a higher order of operation and robustness. The numerous products built on open-source support can also offer cost-effective access. A strong testing regime, underwritten by automated support to allow for more effective and faster test coverage, is essential.

Two important bodies, the SANS Institute and The Open Web Application Security Project (OWASP), have worldwide recognition in monitoring and providing the leading security checklists for web application design. OWASP has embarked on a Secure Headers Project that delivers HTTP response header descriptions, which, if used, will harden the security of applications.

Behind the need for security education, training, tools and best practices lies a simple fact: continuous checking not only helps to plug the gaps, but also creates an environment for speedy detection and resolution.

Securing web apps involves recognizing that vulnerabilities will always exist because nothing is infallible. Ultimately, giving development and security teams the time and space to regularly check with the best practices and tools in place will reinforce the security of web applications considerably.

A version of this article was first published by Computer Weekly on 14 July 2021.