More than 86% of web applications have critical vulnerabilities that can lead to compromise of the resource and theft of confidential information. Skimping on information security, or ignoring it altogether, can backfire at any moment and cause financial damage and reputational loss. In this article, you’ll find out how to make sure that your online data is secure.
Websites are still the most accessible and most vulnerable target for attackers. In most cases, these attacks fall on B2C / B2B services that serve their customers online. An attacker is interested first of all in money or cryptocurrency held in accounts (in the case of crypto exchanges and online exchangers), as well as in any data that can be stolen and subsequently monetised.
Today, attacks fall into two broad types:
1. DoS (Denial of Service) – an attack aimed at taking a website offline. The company’s website stops working and, as a result, stops attracting customers and generating revenue. This type of attack is a popular method of pressuring and eliminating competitors, especially when the market becomes crowded for several large players. For some companies, a few days of downtime can cost tens or hundreds of thousands of dollars in losses. Those who commission such attacks usually go unpunished, since it is almost impossible to collect evidence: whereas it was once possible to trace the chain of payments from customer to executor, the advent of cryptocurrencies has made this much more difficult.
2. Attacks aimed at compromising a resource. Here the web resource is probed for vulnerabilities whose exploitation leads to full or partial control over the site, theft of confidential information, penetration into the company’s internal network, and attacks on application users.
Security as a process
The only rational solution for securing a web application or website is an integrated approach that spans the entire software development lifecycle, combining technical means of protection with organisational measures.
Security during development
When commissioning the development of an application, discuss security issues at the stage of signing the contract. Clarify whether the company has a specialist in charge of application security, or whether it uses the services of external auditors. This stage is very important, because if many vulnerabilities are discovered later, it may be easier to rewrite the application from scratch than to fix all the holes.
Information security outsourcing
If your project is already live, consider managed IT services: hire companies specialising in application security testing to conduct penetration tests and security audits of the source code. Each of these services has its own advantages:
It is important to understand that an audit reflects the level of security only at the time of testing. Modern Internet projects grow quickly and are updated constantly: new functionality is added, code is changed and infrastructure is expanded, and each change creates new, untested areas that can potentially contain vulnerabilities.
Therefore, do not forget to test periodically, at least once a year, and to continuously monitor the logs for security incidents.
Technical means of protection
Using DoS protection as needed, deploying a WAF and running vulnerability scanners are integral parts of a comprehensive approach and serve as an additional layer of protection. These tools complement audits and testing; they do not replace them. Remember – a WAF blocks only the part of targeted attacks that matches already defined, known signatures and patterns; business logic vulnerabilities are outside its scope. Moreover, during testing of some projects it turns out that the application’s real IP address can be discovered, at which point the WAF becomes useless: traffic goes around it rather than through it, as was originally intended. Vulnerability scanners make it easier for the auditor to collect information about needed service/software updates, identify unsafe configurations and open ports, and analyse surface-level vulnerabilities, but they are by no means a panacea and, as tests show, do not detect 100% of all threats.
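The origin-exposure problem above has a straightforward mitigation: the origin server should refuse any request that did not arrive through the WAF. The following check, written for this article and not taken from any vendor, assumes the WAF publishes its egress IP ranges and can inject a secret header into every forwarded request; the CIDRs, header name and token below are constructed placeholders.

```python
"""Origin lock-down: accept only requests that actually passed through the WAF.

A WAF inspects only the traffic routed through it. If the origin's real
address is discoverable and answers direct connections, the WAF is skipped
entirely. This check, meant to run on the origin (e.g. as middleware),
enforces two independent conditions:
  1. the TCP peer must belong to the WAF/CDN egress ranges, and
  2. the request must carry the secret header the WAF injects.
"""
import hmac
import ipaddress
from typing import Iterable, Mapping

# Constructed placeholders: use the WAF vendor's published egress ranges and
# a long random secret configured in the WAF to be added to every request.
WAF_EGRESS_RANGES = ["203.0.113.0/24", "2001:db8:acde::/48"]
WAF_SECRET_HEADER = "X-Origin-Token"
WAF_SECRET_VALUE = "replace-me-with-a-long-random-value"


def _peer_in_ranges(remote_addr: str, ranges: Iterable[str]) -> bool:
    """True if the TCP peer address falls inside one of the allowed CIDRs."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:  # garbage in the socket address is never trusted
        return False
    return any(peer in ipaddress.ip_network(r) for r in ranges)


def came_through_waf(remote_addr: str, headers: Mapping[str, str],
                     ranges: Iterable[str] = WAF_EGRESS_RANGES,
                     secret: str = WAF_SECRET_VALUE) -> bool:
    """Decide whether a request reached the origin via the WAF.

    remote_addr must be the real TCP peer, never X-Forwarded-For, which any
    client can forge. The token is compared in constant time so it cannot be
    guessed byte by byte through timing differences.
    """
    token = headers.get(WAF_SECRET_HEADER, "")
    return _peer_in_ranges(remote_addr, ranges) and \
        hmac.compare_digest(token, secret)


if __name__ == "__main__":
    # Constructed requests: one legitimate, two that try to bypass the WAF.
    samples = [
        ("203.0.113.7", {WAF_SECRET_HEADER: WAF_SECRET_VALUE}),   # via WAF
        ("198.51.100.9", {WAF_SECRET_HEADER: WAF_SECRET_VALUE}),  # leaked token, direct peer
        ("203.0.113.7", {"X-Forwarded-For": "203.0.113.7"}),      # forged XFF, no token
    ]
    for addr, hdrs in samples:
        print(addr, "accepted" if came_through_waf(addr, hdrs) else "rejected")
```

Either condition alone is weaker: IP ranges can be shared with other tenants of the same WAF, and a token can leak, so requiring both keeps a single slip from reopening the direct path.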
Many attacks on companies are carried out using social engineering. People remain the most vulnerable link in the security chain. An attacker can simply ask support to check for “problems” in his personal account, where malicious code has already been planted; with its help, a support employee’s session can be stolen and privileges in the system obtained.
Or, posing as an employee of the same company’s IT department, he can exploit an employee’s trust and carelessness, cite a malfunction in the employee’s computer, and ask for credentials to access the system.
This applies above all to large companies, where employees from some departments do not know the IT department’s specialists personally, so such a call and request will raise no suspicion. Password policies and procedures, applied even to ordinary personnel, are the most important rule for ensuring security within the company.
Trust support only to experienced professionals. Send your programmers to web application security courses; at the moment there are several training centres in Australia that offer them. As a result, you will have a full-time employee who understands how to protect your project.
As you take stock and consider the most effective way to protect your projects, remember that security is a process, not a one-time event. Do not forget about routine software updates and the use of secure programming practices.