
Application Security: How do I protect my applications?

It is hard to imagine our lives without applications, and this is true not only in the private sphere but also in business. A study by McAfee (1) underlines this development: companies have an average of 464 different applications in use. This figure needs to be put in context, of course, since the study also included very large companies with over 50,000 employees (where the average number of applications was 788).

But even smaller companies with up to 1000 employees use an average of 22 different applications, and this number will clearly continue to grow, because innovation pressure combined with the speed of application development under DevOps and other agile approaches is a strong driver of this trend.

Beyond the prospect of increased business success, applications must also be viewed and evaluated from an IT security perspective, because they are a popular and frequent target for attackers. According to the "2020 Global Threat Intelligence Report" (2), almost 55% of all attacks were targeted at applications. This number illustrates the relevance and urgency of application security, and that is exactly what this blog post is about. I would like to note that it does not claim to be exhaustive. Rather, I will shed light on various approaches and offer food for thought on how application security can be implemented and improved in companies.


Patching

Patching is essential: it should be carried out promptly for all applications, which should always be kept up to date. That is no secret, but the reality is often different. A study by ServiceNow (3) found that 60% of attacks in 2019 involved vulnerabilities for which a patch was available but had not been applied. There are many reasons for this. Patching is time-consuming, and according to ServiceNow, 76% of those surveyed stated that the individual teams have no common, coordinated view of the status of the applications in the company; 72% of respondents also said they had a hard time prioritizing pending patches. Automated tools and managed services that support patch and vulnerability management can remedy this.

Security testing

Would you like to determine the current security status of your applications? Then you should test them regularly or, even better, have them tested. Manual penetration tests by experienced experts are a good way of checking applications for their vulnerability to attack. Within a controlled and secure framework, trained pentesters attack your applications using the same methods as criminal hackers. The result is a detailed report on the vulnerabilities found and an assessment of the extent to which criminal hackers could exploit them. In addition, the weak points are rated in terms of the risk to the company and the effort required to remedy them. With this information, IT teams can prioritize and implement the appropriate measures.

However, a pentest is only a snapshot of the security status, and in times of DevOps and fast development cycles that status can change just as quickly. A more agile testing approach is recommended, especially for applications with a high number of changes and updates, in order to identify security gaps early and quickly. Continuous Security Testing addresses exactly this by combining automated, continuous security scans with manual penetration tests. Testing your applications around the clock has the advantage that weak points can be identified and rectified very quickly, and it brings security in line with agile DevOps methods.

Protection of web-based applications

Web applications are usually available 24/7. On the one hand, this is an advantage, as your customers and partners can use your services outside of traditional business hours and, in the best case, contribute to sales growth. On the other hand, it is also a risk, as the same applies to attackers with malicious intentions who want to harm your company. This is underlined by the latest figures from Verizon's 2020 Data Breach Investigations Report (4): 43% of all data breaches resulting from an attack involved web applications. That is more than twice as much as in 2019.

A web application firewall (WAF) offers protection against attacks at the application level (layer 7) by examining all traffic to and from a web application. Malicious requests, such as SQL injection attacks or attacks via cross-site scripting, are filtered or blocked.

WAFs differ in the level of protection they offer, and you should be aware of these differences and compare them with your requirements. Coverage of the OWASP Top 10 gives you a baseline: OWASP is a non-profit organization that regularly compiles and publishes a list of the 10 most critical security risks for web applications. For more comprehensive protection, WAF solutions with additional rule sets and additional security features such as geoblocking, bot mitigation or DDoS protection are available.

In addition to the features of a WAF, you should also think about how your solution will be managed. For effective protection, the rules must be adapted individually to your applications and updated regularly, and every change or update to an application means adjustments to your WAF configuration. Dealing with false positives, as well as monitoring and incident management, is time-consuming and requires a certain amount of expertise. If you cannot or do not want to handle this with your own IT team, there are managed solutions on the market: cyber security specialists take over the individual setup and management of the WAF, and a Security Operations Center (SOC) takes care of monitoring and incident management.
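To make the layer-7 inspection and the rule tuning described above concrete, here is a small added example (not Claranet's product or any real WAF's code): a toy request inspector with a constructed rule set for the two OWASP Top 10 categories the text names, plus a per-path, per-parameter exclusion list of the kind an operator uses to handle a false positive without switching a rule off globally.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed example rules (id, category, pattern). A real WAF ships far more
# rules and normalizes input much more thoroughly than this toy does.
RULES = [
    ("sqli-union", "sqli", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("sqli-tautology", "sqli", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script-tag", "xss", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", "xss", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def extract_params(url, body=""):
    """Return (path, {name: [values]}) from the query string and a form body."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return parsed.path, params


def inspect_request(url, body="", exclusions=None):
    """Inspect one request at layer 7.

    Returns ("block", rule_id, param) for the first matching rule, else
    ("allow", None, None). `exclusions` maps (path, param) -> set of rule ids
    that are NOT applied to that one parameter: this is the per-application
    tuning the text describes, and it is deliberately narrow so that the rule
    keeps protecting every other path and parameter.
    """
    exclusions = exclusions or {}
    path, params = extract_params(url, body)
    for param, values in params.items():
        skipped = exclusions.get((path, param), set())
        for value in values:
            for rule_id, _category, pattern in RULES:
                if rule_id in skipped:
                    continue
                if pattern.search(value):
                    return ("block", rule_id, param)
    return ("allow", None, None)


# Constructed false positive: a developer-forum search for "union select" trips
# the SQLi rule, so the operator excludes that rule for exactly this parameter.
FORUM_TUNING = {("/search", "q"): {"sqli-union"}}
```

The exclusion only silences one rule on one parameter of one path, so the same search endpoint is still blocked when a script tag arrives in `q`; that is the trade-off between false positives and coverage that makes WAF rules a maintenance task rather than a one-off setup.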

DevSecOps

While the approaches described above mainly relate to existing applications, DevSecOps starts at the beginning of application development, because security should be an integral part of the entire life cycle of your applications and not a subsequent add-on.

DevSecOps is a further development of the DevOps approach: it integrates security as a cornerstone of your agile development strategy right from the start and makes it a concern of every team involved in the development process. That sounds good at first, but it is often not that easy to implement in practice. In addition to automation tools, which are essential for efficient DevSecOps, the basic idea must above all be anchored in your corporate culture and in your existing teams. One option is workshops in which experts train your team in a DevSecOps mindset and also integrate tools and practical methods such as continuous integration, continuous delivery, continuous monitoring or infrastructure as code into your processes.


My conclusion:

Application security is an immensely important and central topic, as the figures and studies cited in this article impressively demonstrate. Accordingly, you should make it a high priority in your company. In my opinion, it is important to always place individual measures in the context of a holistic security strategy that is specifically tailored to your company and your requirements. Also think about how and to what extent security strategies and measures can be developed and implemented in-house. Could it make sense to work with experienced cyber security specialists? This can free up resources for your actual core business and for the further development of your company.

Further information:

Webinar: DevSecOps - What, Why And How - from overview to detail
White paper: Cyber security as a success factor for companies - with a checklist for your strategy
Info sheet: Claranet Penetration Testing - for everyone who wants to check their status quo NOW
Security, data protection and managed security at Claranet - tips and reinforcement from the professionals

Are you interested in a 1:1 exchange with our experts? Please use our contact form and write to us with the keyword "Cyber Security".


Sources:

(1) McAfee, https://www.mcafee.com/blogs/enterprise/cloud-security/every-company-is-....
(2) NTT, 2020 Global Threat Intelligence Report, https://hello.global.ntt/de-de/insights/2020-global-threat-intelligence-...
(3) ServiceNow, https://www.servicenow.de/company/media/press-room/research-shows-cybers...
(4) Verizon, 2020 Data Breach Investigations Report, https://enterprise.verizon.com/de-de/resources/reports/dbir/