There's something in the water with web application security.
Last week, Capital One disclosed a data breach caused by a web application misconfiguration. Equifax is still cleaning up after its 2017 data breach, the result of an unpatched bug in a web application.
Flaws in web applications are abundant and easy to manipulate, making them a target for bad actors. Each new application or device adds to an already healthy pool of vulnerabilities and risk.
Companies have their own access management to augment their cloud provider's security services.
AWS has security services but enterprises have access management and manage access security brokers that bridge on-premise access to the cloud.
For a long time web application firewalls (WAFs) were good at protecting a company's perimeters and blocking all "known bad requests," David Baker, CSO and VP of operations at Bugcrowd, told CIO Dive. Traditional WAFs have to detect requests with "potentially infinite permutations" while still operating at internet scale.
While it's not time to ring the bells of web application firewalls' downfall, "it's important to realize is that nothing is a cure-all solution," Baker said.
Protecting the perimeter is now a low bar for security. Securing the walls around data has taken priority over securing the data, Ameesh Divatia, co-founder and CEO of Baffle, told CIO Dive. Operating under a "state of constant compromise" is the new approach to security.
Some critics began blaming AWS for Capital One's intrusion, but the infiltrator used a web application firewall (WAF) misconfiguration likely sitting on a Capital One server.
"No cloud vendor, including AWS, will take responsibility for securing a customer's assets because there is always the danger of misconfiguration," said Divatia. There is no guarantee that a cloud provider will pick up security in its entirety.
Instead, cloud customers have to ensure data is protected before migration.
AWS has security training for customers, outlined by the Shared Responsibility Model. Providers own the security "of" the cloud, and customers own the security of the data "in" the cloud.
AWS is responsible for the integrity of its overall infrastructure and the customer handles their necessary configurations.
AWS' "job does stop — officially — at providing the technology," said Davis.
Common WAF intrusions
WAF is a basic security practice and its principles have largely remained the same over the years. The forms WAFs take — appliance, server plugin, or filter — are customizable but require maintenance.
WAF security is comparable to building regulations, said Chris Davis, VP product management and planning at Caveonix, and former AWS security architect, in an email to CIO Dive.
"The size of the structure, amount of money involved, purpose of the structure, materials involved, location and so many other factors result in very different housing structures," said Davis.
While all the factors might be safe and meet code requirements, it "doesn't mean that they are all equal," he said. "And it doesn't mean that mistakes weren't made — and they probably were made."
Web application vulnerabilities are the top reported security weaknesses of the past year because they're easy to find and readily available on common code, Nadav Avital, threat analytics manager at Imperva, told CIO Dive.
Nascent vulnerabilities are often the open door that leads to massive data breaches, according to Bugcrowd.
Web application vulnerabilities come in several forms and hackers can exploit them in numerous ways, Bugcrowd said, including:
Reflected cross-site scripting (XSS)
Stored cross-site scripting
Using broken access controls for insecure direct object references
Broken authentication and session management for privilege escalation
Action-specific cross-site request forgery
Resetting passwords due to failing to invalidate a session
Email spoofing because of a mail server misconfiguration
Bypassing authentication due to broken authentication or session management
Web applications vulnerabilities offer attackers a buffet of execution strategies.
Hackers have access to public exploits for more than half of web application vulnerabilities, according to an Imperva report. More than one-third of the weaknesses lack a solution.
99 problems and WAFs are just 1
While automated security controls are a company's best line of defense when it comes to web application vulnerabilities, many companies lack the resources to properly test software with penetration testing or WAF services, Eyal Wachsman, CEO of Cymulate, told CIO Dive.
WAF's can miss attacks when updates are irregular because it's difficult to deploy patches without disrupting services. WAF default settings are also left untouched, which allows for monitoring peculiar activity, but not blocking it.
If a WAF lacks oversight or protection, it can attract more malicious behavior.
"Wherever attackers find success with a flaw, they will constantly try to repeat execution and then move onto to the next discovered vulnerability," said Wachsman.
Hackers have a long list of execution strategies when it comes to easy-to-find cross-site scripting (XSS) vulnerabilities. XSS weaknesses are typically open source, which makes finding them even simpler, said Avital.
Catching all vulnerabilities in web applications can feel like a fool's errand because so many of them exist without a solution.
"Web applications are ubiquitous, even more so with the advent of the cloud and IoT," said Baker. Companies are consuming local applications, like Microsoft Office, as web applications through browsers.
Regardless of where a company's data sits or travels, every introduction of a new application increases the number of targets hackers have. Common code is recycled, which makes preventing injection attacks challenging.
Attacks like XSS have "nearly boundless permutations," said Baker. On top of a nearly infinite supply of malicious scripts, "there's also an awareness issue."
Because of the "always on" stance that is expected of businesses, developers feel the demand to deliver products fast. As a result, the testing phases can suffer.
Developers, unaware of the categories, "improperly trust user inputs," Baker said.