Recently we had the disclosure of some more data made available by Statista that shows that our country was the most affected by attacks on web applications in 2019.
Certainly, this type of data leads us to question the security of our web applications and try to understand why we still have so many applications being made available with already well-known vulnerabilities.
Therefore, we will try to put some points that can be observed when we deal with the security of web applications and with that try to offer more information and questions on the subject.
Web Web application attack number grows
One point that is always interested to keep in mind is that the known statistics are that 70% of web applications have security problems and are at risk.
Therefore, what makes a web application to be in this statistic is not only the failure itself, we have to understand that motivation and technical knowledge are strong factors.
As we can see in the image below, Brazil was the country most affected by attacks in 2019, when we look at data from Latin America.
This data strengthens our understanding that we need to look better at our applications and seek to understand how security is being understood in companies.
However, to understand application security risks, we need to understand and understand attackers better and how they can choose their targets.
Types of Attackers
We can classify attackers based on 3 categories of knowledge, and also taking into account their motives and methods of operation.
Script kiddies: This term refers to attackers who are still amateurs, have little or no knowledge to develop their own tools.
Therefore, they often use and consume tools created by more experienced attackers. However, this does not mean that we should not pay attention to them, these attackers generally like to spread chaos, often generating denial-of-service attacks.
Black-hat hackers: This term refers to attackers with much more technical knowledge.
Primarily, the goals of this type of attacker are focused on a financial result. Their methods of attack are illegal or even unethical. Their knowledge is broader and they usually apply this knowledge to build customized attack tools.
White-hat hackers: These professionals are financially motivated but use their knowledge in order to carry out tests and work using legal and ethical methods.
They have the basic objective of identifying and helping to mitigate risks and vulnerabilities. They are commonly called when there is a need to test a solution or the security of an application.
Types of Attacks
In addition, we can classify attacks into two different categories, as follows:
Opportunity targets: Opportunity targets are used when the attacker randomly searches for a system that has a vulnerability known to him and when he finds it he starts looking for ways to exploit the vulnerability.
Defined attacks: In an attack with a defined target the attacker made his choice based on some criteria or value for him, for example, it is the system that holds some type of data or information. In this case the attacker is focused on finding flaws and / or vulnerabilities in a specific system.
Although you understand that your business or application is of little value to an attacker, it can still be the target of an attack of opportunity, or that can be used as a bridge to a targeted attack.
Also, if in your case your application has or works with data that can be considered valuable, it is certain that at some point an attempt to violate your system may happen.
The concept of “hardening” must be applied both to your system and the infrastructure that supports this application.
Though, why is web application security important?
We know that attacks on web applications are often used in conjunction with other types of attacks to achieve the desired success.
Even so, we have many companies that try to keep this type of subject reserved for small actions within their structures and we understand that this is not the best option within a larger scenario.
Here are some of our recommendations.
Prioritize security in the process: Whenever there is a thought of safe development within the development process, we will result in better and more resilient code to attacks.
This fact is due to the change in posture and culture of the development teams that start to use safe development concepts and practices within the development belt.
Prioritize application security over network security: Even though we understand the importance of an infrastructure, this should not be the only priority focus for implementing security.
Proportionally the number of failures that exploit an application’s infrastructure is less than the number of opportunities that can be discovered as software failures.
Therefore, prioritizing the security of a web application must be done in order to ensure that the entire application remains secure even with some infrastructure failures.
Eliminate the problem on sight: Before implementing a security solution in your application or infrastructure, see and assess whether this point is really the focus of the problem, sometimes the remediation effort may be placed at a point that will not solve the problem.
It is no use with each new cycle to always correct the type of vulnerability. It is clear that the problem is not the vulnerability but the lack of knowledge of the development team.
Empower your development team
The security of web applications is not only the search for software failures and the solution of such, the search for safer applications goes through a change in culture and posture of a development team.
We think that the most effective way to introduce this type of change is to educate and train all those who are part of some form of the development process.
This transfer of knowledge can be done either through training or through the transfer of experience between the team or even professionals. The creation of a Security Champions team can help in this process.
Discover that by changing the way we think about development, we also change the results received from the process. By placing the security thinking within the development pipeline, we will obtain codes that are safer and easier to maintain.
Good luck and evaluate if your application is safe!