Mobile adoption, IoT and other data-intensive trends are growing and driving an influx of web applications to manage them, many of which bypass normal security procedures by operating in the Shadow IT sphere. Knowing this, cyber criminals are exploiting these new entry points to threaten data privacy and hit pay dirt.
Web Application Vulnerabilities
Big data has become a revenue source, as well as a burden for companies trying to harness it. Implementing web applications like content management systems (CMS) and ecommerce platforms helps turn that information and intellectual property into actionable insights.
Yet according to a Verizon report, attackers have found these implementations to be the perfect weak link, accounting for almost 20,000 incidents. For example, bad actors have been known to use CMS plugins as a foothold for deploying malicious software that launches a distributed denial of service (DDoS) attack or repurposes the site for phishing.
Data-rich industries like financial services and retail should be most concerned, as they are the most vulnerable to web application attacks. With 69 percent of applications plagued by vulnerabilities and 95 percent of web application attacks financially motivated, there is a lot to lose.
Vulnerabilities in Java and .NET
Research found that “80 percent of tested software applications had at least one vulnerability, with an average of 45 vulnerabilities per application.” So where do these vulnerabilities typically hide?
A comparison of Java and .NET, two of the most popular web application development languages, revealed the following insights:
- Java has a higher prevalence of cross-site request forgery.
- Java has a higher rate of injection flaws, which are commonly missed by traditional application security tools. If missed, attackers can pivot from an injection flaw to a complete host takeover.
- .NET has more misconfiguration problems since it relies more heavily on configuration than Java.
Steps to Fight Data Breaches
As companies continue to “appify,” they need to consider preventive measures like two-factor authentication, timely patching and input monitoring. Without adequate security, enterprises will join their unsecured peers in paying on average $7 million per incident.
Businesses can avoid a messy breach aftermath by:
- Continuously monitoring the hundreds or thousands of web applications in the IT environment. The process should be automated and able to scale.
- Blocking direct attacks at the source with web application firewalls.
- Preventing malware damage by:
  - Patching vulnerabilities and fixing misconfigurations
  - Choosing reputable and secure ad delivery networks
  - Using scalable, always-on scanning tools
  - Ensuring that scanning tools maintain a comprehensive, up-to-date signature library and trigger alerts instantly
  - Leveraging behavioral analysis to detect new variants
- Using a single-pane-of-glass security platform to visualize and report on websites and infections
Comprehensive Platform Makes Protection Easy
Protecting today’s diversified IT environment can be overwhelming. That’s why we recommend providing your customers with the advantages of a web application firewall, plus an advanced threat protection (ATP) framework that integrates threat prevention, detection and mitigation.
The Fortinet ATP is powered by top-rated security components that work together as a unified security fabric. A value-added distributor of Fortinet solutions, Fine Tec is uniquely positioned to help you address the challenges that threaten your customers’ data privacy. Contact us.