6 tips for more web application security

Corporate web applications are often poorly protected against cybercriminals. Yet hacker attacks on sensitive data have far-reaching consequences. Six tips on how companies can better secure their web applications against intruders.

Companies should regularly check corporate IT for vulnerabilities. (Source: NTT Ltd.)

When it comes to tapping into valuable corporate customer data and penetrating back-end systems, web applications remain the most popular gateway. Attackers exploit vulnerabilities in the application itself or the platform on which it runs to gain access to the data. Last year, attacks on web applications accounted for 32 percent of all hostile activity worldwide, according to the 2019 Global Threat Intelligence Report. Five industries are particularly affected: Finance, "Business and Professional Services," Healthcare, Retail, and Manufacturing. At 85 percent, the retail industry takes a top spot in the EMEA region. In this case, a stronger Internet presence through web stores or customer portals in combination with sensitive customer data means a larger attack surface and plenty of "fodder" for cybercriminals.

In most cases, web applications are hacked by injecting SQL commands. In addition, incorrect or faulty encryption, missing authentication procedures and cross-site scripting (XSS) are a problem: with XSS, attackers exploit a vulnerability to smuggle in a script that is then executed in the user's browser. Since hackers take the path of least resistance, they look for unpatched vulnerabilities or misconfigured systems. Often, it is not new zero-day exploits that are the bane of companies, but vulnerabilities for which a patch has long been available. The trend towards microservices, which are often built in Node.js and Spring Boot, also exacerbates the problem.
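The two attack classes named above, shown as an added example that is not part of the press release: a query that concatenates user input into SQL beside its parameterized form, plus output escaping against XSS. The customer table and inputs are constructed sample data.

```python
import sqlite3
import html


def make_db():
    # Constructed in-memory sample data (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable pattern: user input is pasted into the SQL text, so a
    # value containing quotes changes the structure of the statement.
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened pattern: the input travels as a bound parameter and is
    # compared as data; it can never alter the statement itself.
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name):
    # XSS mitigation: escape user-controlled text before embedding it in
    # HTML, so any markup in the input is shown literally, not executed.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tautology))     # all rows
    print("parameterized:", lookup_parameterized(db, tautology))  # no rows
    print(render_greeting("<script>alert(1)</script>"))
```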

The following recommendations from NTT's Security Division help organizations defend their web applications and network against potential attackers:

  • Patch, patch, patch: Good patch management for operating systems and applications is a top priority. Under no circumstances should less critical systems in the network be forgotten; in the absence of patches, they can become a gateway for hackers.
  • Strict Access Management: Access authorizations should be carefully checked and restricted as far as possible. Wherever possible, passwords should be replaced by strong authentication.
  • Segmentation of the network environment: Enterprises should divide applications and infrastructure into segments so that threats can be contained and prevented from spreading to other areas.
  • Security by Design: Security should be considered from the outset during internal software development and during system and network configuration. In addition, only third-party applications and tools with appropriate proof of their security should be used.
  • Implementation of a Web Application Firewall (WAF): A WAF protects web applications by controlling traffic between web servers and clients at the application level. It filters, analyzes, and monitors HTTP traffic.
  • Regular vulnerability check: Companies should periodically scan their enterprise IT for vulnerabilities, prioritize scan results accordingly, and make adjustments to internal processes and controls as necessary.

"The topic of web application security is still neglected in many companies. Most do a penetration test when the website goes live, and then nothing happens. NTT subsidiary WhiteHat Security releases an annual report on the number of open and unfixed vulnerabilities in web applications they find via their penetration tests. The results are startling: the average has always been around 380 to 390 days of open, unfixed vulnerabilities in web applications over the past few years. It varies somewhat from industry to industry," explains René Bader, from the Security Division of NTT Ltd. "Companies can't just look the other way on this issue, especially given the fact that more and more organizations and developers are adopting a DevOps approach, which promises faster development and deployment of applications but at the same time increases the need for security, for example due to a lack of test automation."

Press release NTT, Security Division

 
