What Is Web Application Security?
When we talk about Web Application Security, we usually mean the processes and technologies that we employ to protect applications and APIs that run on web servers from attack. For the most part, we focus on network based attacks, although supply-chain attacks are often in scope as well.
Attackers target web applications across the internet attempting to steal companies’ data, interrupt service, or perpetrate other cybercrime. The goal of the AppSec practitioner is to prevent these nefarious acts, while allowing all other actions to proceed unhindered.
Research suggests that over 70% of cybercrime focuses on application. Additionally, more and more organizations deploy applications, making them susceptible to this form of attack. Thus the importance of AppSec is continuously on the rise. This also means that the solutions for these challenges are always in flux, with new technologies and new integrations coming at a steady pace.
Today’s Web Application Security toolbox includes tools to ensure optimal application and infrastructure security posture, network security tools such as WAF (Web Application Firewall) and WAAP (Web Application & API Protection), identity security (e.g. MFA, single-sign-on), and anomaly detection tools such as UEBA.
How Attackers Operate
Attacks are a constant thing in this world, ranging from simple attacks that are non-targeted to complex bespoke operations that take advantage of the latest threat research. As applications evolve, attacks evolve as well. For example, with the rise of the use of APIs, many attacks have shifted to focus on attacking weaknesses of those APIs.
Attacks against web applications commonly include:
- Denial-of-service attacks
- Credential stuffing attacks
- SQL and NoSQL injection attacks
- XSS (Cross Site Scripting)
- Confused deputy attacks
- Cookie poisoning attacks
- Man-in-the-middle (MITM) attacks
- Insecure deserialization attacks
These attacks typically leverage mistakes in the application code, weaknesses in third-party modules, and poor infrastructure configuration, to enable access to resources that the attacker shouldn’t have access to.
How Do We Protect Ourselves?
Web Application Security requires a defense in depth strategy. These are the key components in a Web Application Security practice:
- Application Posture and Hygiene
Practitioners use tools to ensure that applications are configured to be as secure as possible by default, deploying least-privilege permissions, minimal network access to services, and proper cloud and/or kubernetes security configuration. These tools should operate both during deployment, preventing bad posture from getting to production, and at runtime, detecting drift or new risk.
- Perimeter Runtime Defense
Practitioners should also use tools to detect and prevent attacks at runtime. While posture helps limit your exposure, attacks will still come, and having defenses at the perimeter of your applications can help keep the bad guys out. Increasingly, however, it’s getting difficult to properly delineate the boundaries of a modern application, with it’s cloud deployment and 3rd party integrations.
- Workload Runtime Defense
These are often the next-generation tools that build upon the wisdom of the perimeter security technologies, but make them more relevant and effective for modern applications. These tools apply defense with the application, and between different parts of the application. The advantages here are that these solutions have much better context with which to make security decisions, and that they can provide a zero-trust approach within the application.