Companies with web apps may not be able to neutralize all threats, but can limit damage

Focusing on highest-value properties, organizations can apply automated protection into software code


Convenience has its price. The truism rears its head often in cybersecurity, particularly as web applications delivered via the internet cloud have come to pervade digital commerce.

Nearly all businesses and government organizations now offer services—such as online payments—through web applications. And the staggering amount of data flowing through such applications presents golden opportunities for hackers.

The enterprise application market was valued at about $150 billion in 2015, and it’s anticipated to grow 7.6 percent a year from 2016 to 2024, according to Global Market Insights estimates.


Not surprisingly, hacker attacks on web applications are ceaseless. And enterprises need more efficient and quicker ways to fix their software applications, particularly in the coding and development phases, to address vulnerabilities before they’re shipped to a cloud server farm, says Chris Prevost, vice president of solutions at Prevoty.

Web app security emerges as niche market

His firm is one of the more recent entrants in the growing business of cybersecurity services marketed for web applications and to the companies whose business relies heavily on them.

Chris Prevost, Prevoty vice president of solutions

“You hear stories about botnets that are out there. … A lot of times those botnets are constantly scanning web properties, looking for ways to get in,” Prevost says. “They’re throwing little interesting payloads at those applications, trying to see if they can make that application do something that it wasn’t supposed to do.”

Companies with web applications can test them by intentionally deploying malicious payloads at them.

Prevoty also can run security analysis to discover flaws in the source code—while code lines are being written—to address vulnerabilities.

“The reality is that those technologies find a lot of problems because, guess what, the software we write is really complicated,” he says.

Devil’s in development details

The security problem has been compounded by the evolving nature of how online applications are developed. In the past, companies built their own applications in their own data centers, where they controlled the servers and other parts of the infrastructure network.

But companies are increasingly relying on remote server farms and other infrastructure hosting companies—such as Amazon Web Services and Cloud Foundry—to host applications and data. “We’re using third-party competence in our applications that we know nothing about,” Prevost says. “And we’re just going faster and faster with this old dev upstream. So it makes it very, very hard.”

Once web applications are developed and hosted on server farms, companies often then turn to traditional means of cybersecurity that focus on outside intrusion, such as firewalls and database activity monitoring.

Inherent risks in cloud computing

While such tools are generally effective, the openness of cloud-based web applications makes them vulnerable. Shopping carts on e-commerce websites aren’t going anywhere.

“That’s the avenue now that the bad guys are using to get into the database,” Prevost says.

“I really don’t think that the (intrusion) activity level is ever going to go down, especially given that the ability for someone really anywhere in the world to access your site is so easy and convenient,” he says.

But damage can be limited. Companies with web applications may be better off focusing on protecting areas that are of the highest value instead of pouring resources into trying “to fix everything,” he says.

Accessible protection tools

This calculation is particularly crucial as the pressure on enterprises to code and deploy their web applications quickly heightens. Prevoty’s product allows enterprises to automate the process of adding protections into software code that the development team should have put in in the first place, Prevost says.

Developers can access Prevoty’s library and simply clip the protection tool into the code being written. It’s easy enough that someone on the operations team, responsible for actually pushing the application out into the deployment infrastructure, could do the clipping after the software is written.
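As an added illustration of what "clipping a protection tool in after the software is written" can look like (example code written for this page, not Prevoty's library or anything from the article): a small WSGI wrapper that an operations team could place around an already-written application at deployment time without touching its source. It inspects request parameters against a few constructed detection rules, records every finding for later review, and either blocks the request or only logs it. All names here (ProtectMiddleware, cart_app, the rule set and the sample queries) are hypothetical, and the rules are deliberately coarse stand-ins for a real product's detection logic.

```python
"""Hypothetical runtime-protection wrapper for a WSGI app (not Prevoty's code)."""
import logging
import re
from urllib.parse import parse_qs

log = logging.getLogger("rasp_demo")

# Constructed detection rules, applied to every request parameter value.
# These are illustrative patterns only, not a complete or production rule set.
RULES = {
    "sqli_tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "sqli_comment": re.compile(r"(--|/\*|;\s*drop\b)", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
}


def inspect_params(params):
    """Return a list of (parameter name, rule name) findings.

    `params` is a dict of name -> list of values, as produced by parse_qs.
    """
    findings = []
    for name, values in params.items():
        for value in values:
            for rule, pattern in RULES.items():
                if pattern.search(value):
                    findings.append((name, rule))
    return findings


class ProtectMiddleware:
    """Wraps any WSGI app; inspects the query string before the app runs.

    mode="block" rejects suspicious requests with 403; mode="monitor" lets
    them through but still records them, which is the safer first setting
    when wrapping an application whose normal traffic is not yet known.
    """

    def __init__(self, app, mode="block"):
        self.app = app
        self.mode = mode
        self.events = []  # in-memory audit trail for the demo; a real tool would ship these to a SIEM

    def __call__(self, environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        findings = inspect_params(params)
        if findings:
            event = {"path": environ.get("PATH_INFO", ""), "findings": findings}
            self.events.append(event)
            log.warning("runtime protection finding: %s", event)
            if self.mode == "block":
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"request blocked by runtime protection\n"]
        return self.app(environ, start_response)


def cart_app(environ, start_response):
    """Constructed stand-in for an existing shopping-cart endpoint."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"cart ok\n"]


# The "clip-in" step: the operations team wraps the finished app at deploy time.
protected_app = ProtectMiddleware(cart_app)


def run_request(app, query):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/cart", "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed sample queries: one benign, two resembling the probes botnets send.
    for q in ["item=42&qty=1", "item=42' OR '1'='1", "file=../../etc/passwd"]:
        print(q, "->", run_request(protected_app, q))
```

Starting in monitor mode and reviewing `events` before switching to block mode is the usual way to avoid breaking legitimate traffic; a real runtime-protection library would also cover POST bodies, headers and the database and file-system calls the application makes, which this wrapper does not.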

“What are some mitigations or compensating controls that we can put in place that will make it harder for the bad guys to get our data?” Prevost says. “Find the things that are the most valuable to the organization and put the appropriate levels of controls in place.”
