Hardening of web and mobile applications

Internet connectivity has become the lifeblood of businesses. During the Covid-19 pandemic, this connectivity has allowed many organizations to remain operational, even when their physical offices have been closed due to containment measures. Web storefronts have benefited from the rise of e-commerce and organizations have accelerated digital transformation initiatives to make business processes seamless.

Organizations with highly integrated web and mobile apps have weathered the economic upheaval caused by the pandemic better than those with less sophisticated online presences. But web applications are an easy target for malicious actors to penetrate corporate networks, steal data, and inject ransomware.

A recent survey of global security decision makers conducted by analyst firm Forrester indicates that web applications are the most common vectors used by attackers to target IT systems. According to the study, improving application security capabilities and services over the next 12 months is the top priority for 28% of global security decision makers.

Organizations must protect internal applications, web applications, and external application programming interfaces (APIs) that connect internal applications to the outside world. They must prevent these external interfaces and web front ends from being compromised, and if an attack is successful, a business continuity policy must be in place to determine the level of downtime acceptable to the business.

Secure coding

Too many websites require users to register a username and password. While security professionals encourage people to use a different password for each site — and web browsers can automatically generate and store a strong password — many people opt for an easy-to-remember password. Often they will reuse the same password to authenticate to multiple websites. As a result, the user’s password is not only easy to crack, but a hacker who obtains it can also try it against other sites.

OAuth-based login is one approach available to websites that want to offer authentication without requiring users to set up a new password. The user authenticates against a back-end identity provider such as Facebook or Google, but the cost of this convenience is that Google and Facebook will share some of the user’s information with the organization that runs the website.

The Open Web Application Security Project (OWASP) has published a set of guidelines as part of its Application Security Verification Standard (ASVS). Among its recommendations, OWASP advises using the latest secure user authentication methods, such as multi-factor authentication (MFA), biometrics or one-time passwords. Other recommendations include strong encryption to prevent data loss, access controls, and the sanitization and validation of user-generated content, such as data the user is expected to enter into an input box on a web or mobile application.

The standard states that developers of web and mobile applications must implement input validation checks. According to OWASP, 90% of all injection attacks occur because an application does not properly verify input data. Version 4.0.2 of the Application Security Verification Standard states: “Length and range verifications can further reduce this problem. Integrating secure input validation is necessary during application architecture design sprints, coding, and unit and integration testing.”

Application developers must therefore write code that prevents malicious input data from being used as an attack vector. In an injection attack, carefully crafted input is used to make the application treat that data as code or commands rather than as plain data. Such an attack can be avoided if the programmer handles input data by checking it against what the application expects. For example, if it expects a number, it should reject anything that is not a number. Likewise, addresses and dates of birth have standard formats, which can be verified.
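As an added illustration (not code from the article or from OWASP), the allow-list validation described above in Python: each field is checked for type, length and then range or format before it is used, with assumed formats for the name and UK postcode fields and a constructed sample submission.

```python
import re
from datetime import date, datetime

NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,79}")          # assumed allow-list for a name
UK_POSTCODE_RE = re.compile(r"[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}")  # assumed format

def validate_quantity(raw, lo=1, hi=100):
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,4}", raw):  # length check first
        raise ValueError("quantity must be 1-4 digits")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"quantity must be between {lo} and {hi}")
    return value

def validate_birth_date(raw):
    """Date of birth as YYYY-MM-DD; must be a real date, in the past and plausible."""
    if not isinstance(raw, str) or len(raw) != 10:
        raise ValueError("date must be YYYY-MM-DD")
    try:
        dob = datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        raise ValueError("not a calendar date") from None
    if dob >= date.today() or date.today().year - dob.year > 130:
        raise ValueError("implausible date of birth")
    return dob

def validate_pattern(raw, pattern, max_len, label):
    # Cap the length before the regex runs so a huge input never reaches it.
    if not isinstance(raw, str) or len(raw) > max_len or not pattern.fullmatch(raw):
        raise ValueError(f"invalid {label}")
    return raw

def validate_order(form):
    """Validate a whole submission; returns typed values or raises on the first bad field."""
    return {
        "name": validate_pattern(form.get("name", ""), NAME_RE, 80, "name"),
        "postcode": validate_pattern(form.get("postcode", "").upper(), UK_POSTCODE_RE, 8, "postcode"),
        "quantity": validate_quantity(form.get("quantity", "")),
        "dob": validate_birth_date(form.get("dob", "")),
    }

def order_errors(form):
    """Return the first validation error message, or None if the form is clean."""
    try:
        validate_order(form)
    except ValueError as e:
        return str(e)

GOOD_FORM = {"name": "Ada Lovelace", "postcode": "sw1a 1aa", "quantity": "3", "dob": "1990-06-15"}  # constructed
```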

One of the many challenges programmers face when trying to write secure code that prevents injection or buffer overflow attacks is the fact that modern software development is very heterogeneous. “If you really want to stop them, you have to make it impossible to write a buffer overflow or injection attack,” says Owen Wright, managing director of insurance at Accenture.

But while software was once mostly written by hand, Wright says modern software development methods rely heavily on frameworks, libraries, and integration with third-party cloud services. Those provided by large commercial vendors may have large teams dedicated to secure coding, he says, but “some well-used open source libraries are only managed by one or two people. [and] everyone relies on them and assumes [they are] well maintained”.

Beyond coding, Wright notes that organizations are beginning to take a “shift-left” approach to IT security, where developers take more responsibility for producing secure code. “Developers aren’t taught with a security mindset — they’re developers first,” he says. “Organizations should focus more on security awareness.”

But there is a constant tension between speed, cost and quality. Wright believes that moving to a DevSecOps model for software projects encourages developers to fix problematic code sooner than they would if they relied on penetration testing after the application had been delivered. This is one of the principles behind transferring responsibility for secure coding to the developer.

In Wright’s experience, this is much cheaper than fixing security errors later in the software development life cycle. He suggests organizations create secure application templates that can then be reused on subsequent projects.

Web Application Protection

Application layer attacks, also known as Layer 7 or L7 attacks, attempt to overload servers by continuously sending HTTP requests that look legitimate.

According to internet infrastructure giant Cloudflare, the underlying effectiveness of most distributed denial of service (DDoS) attacks stems from the disparity between the volume of resources required to launch an attack and the volume of resources required to absorb or mitigate it. The company says an application layer attack creates more damage with less total bandwidth.

For example, if a user wishes to access a web service, such as Gmail, or perform a web transaction on an e-commerce site, the server receives a request from client software running on the user’s browser or device and must then make a database query or call an API to fulfill the user’s request.

Cloudflare notes that a denial of service attack takes advantage of the fact that the server’s ability to accomplish this task can be exhausted when many devices target a single web property. “The effect can overwhelm the targeted server. In many cases, targeting an API with a Layer 7 attack is enough to take the service offline,” it warns in an article on application-layer security.
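An added example, not from Cloudflare or the article, that turns the resource disparity described above into a detection check: a weighted sliding window over constructed access-log lines flags any client whose expensive API calls exceed an assumed per-client cost budget, while a client fetching cheap static files stays under it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines (Common Log Format); not from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /api/search?q=a HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /api/search?q=b HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:37 +0000] "GET /api/search?q=c HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:37 +0000] "GET /api/search?q=d HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:38 +0000] "GET /api/search?q=e HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.2 - - [10/Oct/2020:13:55:50 +0000] "GET /static/app.js HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

def request_cost(path):
    """Assumed relative back-end cost: an API call that hits the database is far
    more expensive to serve than a static file, which is what an L7 flood exploits."""
    if path.startswith("/api/"):
        return 10
    return 1 if path.startswith("/static/") else 2

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def flag_floods(log_text, window_s=10, cost_budget=40):
    """Return {ip: peak weighted cost} for clients whose summed request cost inside any
    sliding window of window_s seconds exceeds cost_budget (assumes per-client time order)."""
    recent = defaultdict(deque)   # ip -> (timestamp, cost) pairs inside the window
    load = defaultdict(int)       # ip -> cost currently inside the window
    flagged = {}
    for line in log_text.splitlines():
        if (rec := parse_line(line)) is None:
            continue
        ip, when, path = rec
        cost = request_cost(path)
        recent[ip].append((when, cost))
        load[ip] += cost
        while (when - recent[ip][0][0]).total_seconds() > window_s:
            load[ip] -= recent[ip].popleft()[1]
        if load[ip] > cost_budget:
            flagged[ip] = max(flagged.get(ip, 0), load[ip])
    return flagged
```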

Gartner’s Magic Quadrant for Web Application Firewalls report, published in October 2020, predicts that by 2023, more than 30% of public-facing web applications and APIs will be protected by cloud web application and API protection (WAAP) services. By 2024, Gartner predicts that most organizations implementing multicloud strategies for web applications in production will use only cloud WAAP services.

Public Cloud WAFs

Gartner’s Magic Quadrant for Web Application Firewalls report names Akamai and Imperva as “Leaders” in the web application firewall (WAF) market.

Cloudflare, Fortinet, F5, and Barracuda make up Gartner’s challenger quadrant. Along with the two leaders, these companies tend to be on the shortlist when IT decision makers consider their options in the WAF market.

DDoS protection service provider Radware and WAF startup Signal Sciences are in Gartner’s “Visionaries” quadrant, which recognizes innovative use of technology in their product offerings. Gartner notes that Radware uses machine learning in its web application firewall to combat threats, while Signal Sciences focuses on securing cloud-native applications.

Public cloud providers also offer web application firewall functionality as part of their platforms. However, Microsoft Azure and Amazon Web Services (AWS) are considered “niche” players by Gartner.

For example, the Magic Quadrant report notes that AWS WAF provides basic bot protection through the AWS-provided managed ruleset and infrastructure protection capability. However, the report authors caution that AWS WAF lacks many advanced application-specific bot protection features found in competing products, such as device fingerprinting, user behavior detection, and JavaScript challenges.

Regarding Microsoft’s offering, Gartner says Azure WAF is being made available in more Azure regions. The report highlights Microsoft’s work to integrate Azure WAF with other Azure services. As an example, Gartner notes that Azure WAF now natively integrates with the Azure Kubernetes Service ingress controller for microservices protection, can send events to Microsoft’s Azure Sentinel for integrated monitoring, and makes better use of Microsoft’s infrastructure for blocking known bots.

The Gartner report also mentions new features in Google’s Cloud Armor WAF and DDoS mitigation service, which is available on Google Cloud Platform (GCP). The report’s authors say Google has added “useful features”, such as IP lists and geo-IP filtering, predefined rules for blocking cross-site scripting (XSS) and SQL injection (SQLi), and the ability to create custom rules. According to Gartner, Google is showing signs of wanting to expand its capabilities.

Casey J. Nelson