
4 classic fallacies with regard to Web Application Security

Although it is now widely known that web applications are a popular gateway for hackers, some misconceptions still persist, even among experienced administrators. Airlock points out the areas in which a rethink in favour of security is urgently needed.

23 Feb. 2017

Assumption 1: Our web applications do not allow any access to our systems.

Web applications in particular offer hackers a variety of approaches to data theft and are therefore their preferred targets. This is not surprising, as these applications are by definition an electronic interface to data and transactions. One of the biggest misunderstandings here is that in the case of a successful attack, only the data of the web application itself is in danger. In fact, all systems and interfaces connected to the application are also potentially affected. Effective protection against unauthorized data access is provided by web application firewalls (WAFs) placed between the users and the web application, which only let through requests to valid URLs and thus shield backend systems from unauthorized access.
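The "only valid URLs" idea above, as an added example that is not Airlock's code: an allowlist filter that canonicalizes each request path (percent-decoding, dot-segment removal) before matching it, so that a backend path the application never exposes is rejected even when spelled in an obfuscated form. The allowlisted paths, methods and sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed allowlist: the only URL paths (and methods) the web application
# legitimately exposes. Anything not listed here is never forwarded.
ALLOWED_PATHS = {
    "/": {"GET"},
    "/login": {"GET", "POST"},
    "/account": {"GET"},
    "/orders": {"GET", "POST"},
}


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before matching it against the allowlist.

    Percent-decoding (applied twice to undo double encoding) and dot-segment
    removal ensure that an obfuscated spelling of an unlisted backend path
    cannot slip past a purely textual comparison.
    """
    path = raw_path.split("#", 1)[0].split("?", 1)[0]   # drop query/fragment
    for _ in range(2):                       # undo single or double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = posixpath.normpath(path)          # collapse ".", ".." and "//"
    if path.startswith("//"):                # normpath keeps a leading "//"
        path = "/" + path.lstrip("/")
    return path if path.startswith("/") else "/" + path


def is_request_allowed(method: str, raw_path: str) -> bool:
    """Positive security model: forward the request only if its canonical
    path and HTTP method are explicitly allowlisted."""
    return method.upper() in ALLOWED_PATHS.get(normalize_path(raw_path), set())


if __name__ == "__main__":
    # Constructed sample requests, including obfuscated attempts at /admin.
    for method, path in [
        ("GET", "/orders?id=7"),
        ("POST", "/login"),
        ("DELETE", "/orders"),
        ("GET", "/admin"),
        ("GET", "/account/../admin"),
        ("GET", "/account/%252e%252e/admin"),
    ]:
        verdict = "forward" if is_request_allowed(method, path) else "reject"
        print(f"{method:6} {path:32} -> {verdict}")
```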

Assumption 2: The security of web applications must be ensured at the time of development.

Of course, application developers can incorporate security aspects into development. Later on, however, the application becomes part of a more complex IT landscape that the developer can no longer influence. In addition, developers can only take into account the risks known at the time of development.

Although software updates and new application versions provide remedies, the security precautions often cannot be upgraded quickly enough. In order to react quickly and securely to unexpected threats, the security measures built into web applications should be combined with an upstream WAF. Unfortunately, secure development practices and the use of a WAF are often played off against each other. Companies must recognize, however, that only the combination of both leads to effective protection.


Assumption 3: We encrypt the entire traffic with SSL (HTTPS) and that is good enough.

The SSL network protocol secures the data traffic between the user or web browser and the server; it does not protect the server itself. Hackers benefit from this protection too: their attacks travel "safely" encrypted all the way to the corporate web server. In order to detect these attacks early enough, SSL-encrypted connections must be terminated at the company perimeter at the latest; powerful WAFs provide the necessary inspection at this point.

Assumption 4: Our systems are always patched and we run an automatic scanner regularly, so everything is safe.

Automatic scanners provide an overview of vulnerabilities in the enterprise IT, but they do not recognize most attacks on web applications. Despite a positive scan result, hackers may already have invaded the web application without any warning. In order to uncover targeted data theft, it is recommended to carry out a professional penetration test.
