Thursday, August 13, 2015
‘The attack surface has widened even with our dynamic application security in place. I even suspect false positive errors,’ says the CISO. ‘It’s all zero-day attack vectors and increased application exposure. In fact, after POODLE CWE was made public, even average hackers have learned to exploit it,’ replies his colleague. What’s wrong with this typical conversation between application security personnel? Nothing, exactly, but it is difficult for management and everyone else to understand what these people are actually trying to say.
Web application security has emerged as one of the most crucial, and yet most misunderstood, security domains because of the technical detail attached to it by default. However, one cannot shy away from the fact that web applications are, and will continue to be, a major part of any security strategy. Given that 30,000 websites are hacked every day, 75% of them compromised at the application layer, it’s about time that businesses get acquainted with some of the buzzwords in the industry.
Vulnerability: An application vulnerability is a known or unknown weakness that hackers can use. Imagine a hole in the application that needs to be repaired; until it is, it gives people a way to get inside and access sensitive data. Insecure coding, unknown risks, updates, and business logic flaws are considered the top sources of application vulnerabilities.
Exploitation: When a hacker uses an inherent application vulnerability to his advantage, it’s called an exploitation incident. While finding a vulnerability simply means that the developers need to patch it, an exploitation is much more serious: it indicates that someone has accessed sensitive business data within the database at least once.
Attack Surface: Simply put, it is every point at which a web application can be compromised. The attack surface takes into account all the possible vulnerabilities, unauthorized use, and other exploitation risks in general. So when someone talks about reducing the attack surface, it usually means application security testing, attack prevention, and virtual patching.
User Authentication: Although authentication is not necessarily an application-only buzzword, it is an integral part of web application security. It is essentially a way of verifying a user’s identity through trusted mechanisms. Using authentication measures, the application ensures that the user is who they claim to be. Types of authentication: basic or single-factor, multifactor, and cryptographic.
OWASP Top 10: The Open Web Application Security Project (OWASP) is an online community actively involved in open source web application security, with members drawn from educational organizations, corporations, and individuals. Through consensus, the OWASP community releases a list of the most critical web application security flaws, and this list is widely trusted as a guide for testing applications and keeping them secure.
By Venkatesh Sundar, CTO, Indusface.