11 million records have been compromised in 2016, with close to 350 data breaches so far. The banking, finance, small business, and startup sectors suffer the most.
If we learned one thing, it’s that hackers aren’t stopping. Last year, attackers caused more than 8 hours of application and website downtime for several organizations. This year, it is getting worse.
Increased cloud adoption, frequent application changes, and limited security budgets in small companies should be backed by conclusive steps to stop hackers. To make it easier for CEOs, CIOs, CISOs and other professionals directly responsible for security, we have broken down the ways to secure a website into several categories.
Although we have listed many ways to protect the business from hackers, it is critical to understand first why you need to go through this list.
Here are the key points that business owners should think about.
What’s the point: Website security is not a key business area. It will never generate revenue, and most CEOs know little about it. Plus, they won’t spend millions, and then the time, to hire a team and train it.
1. Securing the website and its customers is less about network security and more about application security today. 70% of cyber attacks happen at the application layer.
2. Application security is often misinterpreted as mobile app security by non-techies. Modern-day websites cannot run without apps that run in browsers. These apps enable everything from shopping to messaging. In simpler words, all modern websites run multiple web apps.
3. Data breaches, distributed denial of service attacks, and even phishing attacks are more common in web applications than at the network or physical layer.
4. Last year, 86% of the tested websites had at least one serious security issue that allowed hackers to attack.
5. Even if your developers follow secure practices, there is no security guarantee. Open source website code, plugins, ongoing code changes, all bring in a possibility of new weaknesses.
6. Website scanning solutions are getting increasingly popular, as they are fast and cheap. However, they can be ineffective, as proficient hackers know how to hide their tracks.
7. Many security experts talk of the OWASP Top 10 as the ultimate protection guide. Unfortunately, more than a dozen new vulnerabilities are disclosed every year. These didn’t exist before.
8. Security is not a business enabler. It doesn’t earn money for the business. However, the average downtime cost of a website is $5,600/minute, counting lost productivity, recovery, and stolen information.
9. An average CEO finds OWASP and web application security difficult to understand.
10. 47% of developers do not have the authority to fix vulnerabilities.
What’s the point: The cybersecurity war front shifted to the application layer years ago, and still most companies are unaware of how to proceed. Even when the weaknesses in web applications are found, it takes 1 to 4 months or more to fix them, for various reasons.
1. Web Application Scanning: Most new-age companies and startups prefer continuous web application scanning to find problems as they appear, hour by hour. Whenever the code is updated or any other change is made, scanning finds possible hacking points and reports them by severity.
2. Penetration Testing: Where automated tools fail, penetration testing wins big. A security expert tests the website in the same way a hacker would. This will help you find logic issues within apps that scanning misses.
3. Development Tests: The development cycle has a dedicated phase for testing, which also includes testing for security issues. With tight deadlines and quick changes, most companies overlook development testing today, which they shouldn’t.
4. SSL Checker: Many data breach and hacking incidents also happen due to improperly secured browser-server communication. Having an SSL certificate does not by itself mean security; find out whether you have the right kind of SSL certificate, one capable of actually protecting that communication.
5. Security Bulletin: More than a dozen never-heard-of application weaknesses are found every year. The number is huge for CMSs, software, and operating systems. It is important that your team knows about the most crucial ones. We have recently developed a page to solve this problem.
6. Apache JMeter: Run performance tools on your server every once in a while. Compare the reports frequently and flag performance issues to be investigated by the security team.
7. Downtime Notification: Businesses lose $5,600/minute of downtime. Talk to your developers; they can set up email notifications to top executives whenever the website goes down.
8. DDoS Alert Mechanism: Distributed denial of service attacks are common. A traffic surge ties up the server and crashes the website for real users. Indusface Total Application Security can provide you counts of these attacks on its portal.
9. OWASP Sheet: If you have a dedicated security team, it is best to cover the OWASP sheet first. Find out if your apps are vulnerable to any of the OWASP Top 10 issues.
10. Mobile App Scanning: Mobile apps talk to the server the same way web apps do. So if there are OWASP weaknesses there, hackers can exploit them the same way. Find them. Patch them.
What’s the point: Knowing that there is a problem is solving half of the problem. Most companies do not know of the vulnerabilities and weaknesses in their website. Make sure that something or someone is keeping an eye on existing and new issues that might arise.
1. Web Application Firewall: Patching application issues is delayed and difficult. Use a web application firewall to block attacks continuously. It covers the vulnerability and does not allow hackers to get into your apps and server.
2. Managed Web Application Firewall: Security experts say that a WAF is nothing less than a box if it is not updated and managed by a security expert. Use a WAF that’s smart and is updated regularly to block more than just OWASP issues.
3. Business Logic Flaw Blocking: Although this should be covered in managed protection, business logic flaws cannot be fixed or blocked until they are found first. You need penetration testing and then custom rules here.
4. Secure Sockets Layer Certificate: Get strongly encrypted SSL certificates for your website. No other technology can replace browser-server security.
5. Layer 7 DDoS Blocking: Unfortunately, most automated WAFs cannot detect the fake traffic surges that crash the server. You should either get a WAF that can, or invest separately in a DDoS blocking mechanism. Make sure that it’s not fully automated and offers security expert support.
6. Hire App Sec Guys: Most of the security budget goes to network and physical layer security. If you have the additional budget and time to manage an appsec team, hire one. An average appsec team includes 3-6 people for penetration testing, WAF management, custom rules and traffic analysis.
7. Fix Issues: Businesses take 193 days on average to fix serious web app issues. That’s over four months, and enough for hackers. Finding and fixing problems is the best approach, though a highly difficult one.
8. Bounty Programs: Companies with deep pockets also like to host bounty programs, where they invite hackers to test the website and pay outrageous amounts for found issues.
9. Security Awareness: Survey shows most developers get failing grades at application layer security. Do we need to say more?
10. Server Updates: The Panama Papers leak revealed that the company was using a 2-year-old CMS and server operating system. Keep the updates rolling. Half of the problems can be solved here.
1. You don’t have time to look at every vulnerability discovered in some part of the world. Stay updated on the ones that matter the most for your website. You can also subscribe to the bulletin.
2. For a simplified breakdown of application security issues and their effects, you should subscribe to the Indusface Blog. Scroll to the end and add your email address.
1. AppTrana: New-age companies opt for scanning, penetration testing, WAF, custom rules, and security expert support, all at once. Your website will not need anything else for appsec.
2. It acts as the complete application security solution, with your own dedicated team to find and solve the problem.
3. Free Plan: The 14-day free trial gives a complete idea of how it works. That’s like $1500 worth of usage, 70+ hours of expert support, and no obligation to pay or buy.
4. In the trial period, you can measure the overall appsec difference in terms of attacks blocked, vulnerabilities found, and more.
5. What does it do: Take the free guided tour to understand what your website security is missing.
6. You can also read about it in detail here.
7. Research Team Backing: The Indusface Research Team works with 800 global companies and is continuously working to find new issues and solve them. The point being, they already know how to detect an issue and block it from damaging your website.
8. DDoS Security: There is no way to detect complex DDoS unless the traffic is monitored by a security expert. Total Application Security gives you a feed on these attacks and their blocking status.
9. The Expert Angle: Made changes to the website, want to test it? Need custom rules to block attacks? Don’t understand something, need to call someone? Total Application Security covers that.
10. Simple Scan + WAF: For considerably smaller businesses, it is wiser to get web application scanning and web application firewall as a package that helps you detect issues and block hackers.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.