Web Application Security Common Misconceptions
Businesses in every industry now deploy web applications to deliver their products and services. When a web application is built, the development team is under pressure to get it to market as quickly as possible. Moving to agile development is already not smooth sailing, and fitting security into that process without slowing delivery down is a separate challenge of its own.
After working with hundreds of clients, we have found that business decision-makers hold many misconceptions about web application security. In this article, we debunk these myths so that decision-makers can make informed decisions about the technical security of their organization.
1. Hackers only target big organizations and popular applications.
We often see startups and small and medium-sized businesses assume that they do not need serious security measures because they are not large organizations. The statistics cited here show otherwise: around 43% of cyber attacks deliberately target smaller organizations, and small businesses were the victim in 70% of data breach incidents. There is also a practical reason for this. Much of the scanning and exploitation on the internet is automated and indiscriminate; an attacker's tooling looks for a reachable application with a known weakness, not for a well-known brand, and a smaller organization is often the softer target precisely because it has invested less in defence.
2. A firewall is enough.
Absolute security is not possible. No business can state that it is absolutely secure and that no attacker can compromise its applications or infiltrate its network. As defensive systems become more sophisticated, so do the attackers and their techniques. A traditional network firewall filters traffic by address, port and protocol; it must allow HTTP and HTTPS through to a public web application, and it does not inspect what those requests do. A web application firewall, or WAF, goes further by inspecting HTTP traffic and provides a significant level of protection against common attacks such as SQL injection, XSS and the like. However, a WAF works from signatures and heuristics: it can be bypassed by variants of a payload it does not recognise, it cannot block traffic it cannot decrypt, and it knows nothing about flaws in your application's own logic, such as a missing authorization check. It is a useful layer of defence, not a guarantee that your website will not be hacked, and it does not remove the need to fix vulnerabilities in the application itself.
3. Penetration testing is sufficient.
When a business conducts a penetration test, many weaknesses that attackers could exploit are found in its applications and networks. These vulnerabilities are then addressed so that the risk is reduced. However, a penetration test is a snapshot: it covers the scope and the code that existed at the time of the test, and attackers may already be a step ahead by the time the report is delivered. New features, new dependencies and newly published attack techniques all introduce risk after the test is finished. You should never underestimate attackers. Penetration tests should be conducted regularly, findings should be verified as fixed by a retest, and the organization's security program must be kept under review so that security is a continuous process rather than an annual event.
4. Applications are safe if the network is safe.
Security controls such as anti-virus and anti-malware software, firewalls, and intrusion detection and prevention systems (IDS/IPS) are often assumed to be sufficient. It must be understood that these are network perimeter controls, and threats such as account takeover (ATO) and SQL injection (SQLi) pass straight through them. The reason is simple: the perimeter must, by design, allow web traffic to reach the application, and a credential-stuffing login attempt or a request carrying an injection payload looks like any other HTTPS request, usually encrypted end to end. Such attacks do not exploit a hole in the perimeter; they use the path the perimeter deliberately leaves open and exploit weaknesses in the application behind it. Without any doubt, the controls listed above are essential, but they are not comprehensive, and application-layer defences (input handling, authentication hardening, authorization checks) must exist alongside them.
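To make the point of the two sections above concrete (a WAF or perimeter filter reduces risk but cannot guarantee safety, and the application itself is where the fix has to live), here is an added example that is not part of the original article. It uses Python's built-in sqlite3 module, a constructed users table, and a hypothetical one-rule "WAF" that stands in for a signature-based filter; none of these come from any real product. The textbook injection payload is caught by the rule, a trivially reworded variant of the same payload is not, and the vulnerable query returns every user for the variant. The parameterized query returns nothing for either payload, with or without the filter in front of it.

```python
import re
import sqlite3

# Constructed sample data for this demonstration only.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


# Hypothetical, deliberately naive signature standing in for a WAF rule:
# it only recognises the textbook "' OR " shape with whitespace around OR.
NAIVE_WAF_RULE = re.compile(r"'\s+or\s+", re.IGNORECASE)


def naive_waf_blocks(value: str) -> bool:
    """Return True if the perimeter filter would reject this input."""
    return bool(NAIVE_WAF_RULE.search(value))


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    """Vulnerable lookup: untrusted input is concatenated into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str):
    """Hardened lookup: the value is bound as a parameter by the driver and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_request(conn, username: str, use_waf: bool, use_safe_query: bool):
    """Simulated request path: optional perimeter filter, then one query style.
    Returns the string "blocked" or the list of matching rows."""
    if use_waf and naive_waf_blocks(username):
        return "blocked"
    if use_safe_query:
        return find_user_safe(conn, username)
    return find_user_vulnerable(conn, username)


if __name__ == "__main__":
    conn = make_db()
    textbook = "' OR 1=1--"          # the shape the naive rule knows
    variant = "'/**/OR/**/1=1--"     # same logic, SQL comments instead of spaces

    print("normal lookup, safe query:", handle_request(conn, "alice", True, True))
    print("textbook payload, WAF + vulnerable query:",
          handle_request(conn, textbook, True, False))
    print("variant payload, WAF + vulnerable query:",
          handle_request(conn, variant, True, False))   # every user leaks
    print("variant payload, WAF + safe query:",
          handle_request(conn, variant, True, True))    # no rows
```

The filter is intentionally crude so the failure is visible in a few lines, but the shape of the argument holds for real products too: a blocklist in front of the application only ever matches the patterns it was given, whereas parameter binding fixes the root cause for every input. Use the filter as an extra layer, and fix the query.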
5. Before the application is launched, we do not need to worry about its security.
Given how quickly the threat landscape evolves, security is now a necessity at every stage of development, not a gate at the end. Building security into a DevOps environment is called DevSecOps, and an organization should work towards those principles so that the chance of a vulnerability reaching production is kept to a minimum. In practice that means threat modelling while a feature is being designed, security-aware code review, static analysis and dependency scanning running in the build pipeline, and dynamic testing of the running application before release. A defect caught in a pull request costs minutes to fix; the same defect found in production after a breach costs incident response, customer notification and rework.
6. We use third-party software for our business operations. Hence, web application security is not a concern for us.
As stated above, absolute security is not possible, and that holds whether a web application is developed in-house or bought from a third party. A third-party application can contain vulnerable code, and when such an application is integrated into your organization's environment, with access to your network, your identity provider or your data stores, successful exploitation of one of its vulnerabilities can open the door to your organization's most confidential data. Buying the software does not transfer the risk: you still need an inventory of the third-party components you run, a process for tracking the vendor's security advisories and applying their patches, and the least privilege those integrations need rather than the access that is convenient.
7. Software security is not a problem for us.
Many decision-makers believe that because they have not suffered a data breach so far, their applications must be highly secure. They assume their applications have matured in security terms and are therefore no longer prone to cyber attacks. Not having noticed a breach is weak evidence: many intrusions go undetected for months, and the absence of an alert may say more about the organization's monitoring than about its security. This belief puts the brakes on continuous security improvement, which is not a state any modern business should be in. Again, absolute security is a myth. Security is a continuous process.
8. Since we comply with all rules, regulations, and laws, we are secure.
It is true that an organization puts a great deal of effort into complying with the applicable rules, regulations, laws and standards. However, compliance alone is not enough. Compliance requirements describe a baseline that applies to every organization in scope, and they are typically assessed at a point in time, whereas attackers target the specific weaknesses of your applications and do so continuously. An organization can pass every audit and still be running an application with an exploitable flaw. Meeting the requirements is the starting point; a significant amount of further work is needed to reduce real risk to an acceptable level.