Evolving threats put applications at risk. Robust web application security can help prevent compromise before it happens. Not sure where to start? Our protective primer has you covered.

What Is Web Application Security?

Web application security focuses on the reduction of threats through the identification, analysis and remediation of potential weaknesses or vulnerabilities. While the bulk of this process occurs in design and development phases, it’s also an ongoing endeavor that follows applications throughout their lifecycles to reduce overall risk.

Why Does This Matter?

Because all applications are at risk. According to a 2021 research report, 100% of commercial applications studied contained at least one at-risk open-source component. Even more worrisome was that 85% included “critical” weak points that could provide entry paths for threat actors.

The speed and scope of development make this issue worse. To keep pace with rivals and deliver improved customer service, many enterprises now rely on a mix of third-party developers and readily available, cost-effective open-source components. The result is a fragmented application landscape that often puts speed over safety.

Web app security is also critical because the sheer volume and variety of applications deployed by businesses make it hard to monitor risk at scale. When it comes to volume, enterprises deployed an average of 175 apps in 2020, while smaller companies used 73. In terms of variety, 94% of enterprises now use apps in the cloud. Add in the recent shift to remote work and the scope of applications expands even further, moving out of offices and into employees’ homes.

This landscape offers an unmatched bounty for attackers: With so many apps in so many locations, and most using at least one open-source component, an attacker can often find several entry points, then use one compromised app for privilege escalation and lateral movement across the network. What’s more, the lack of insight into disparate environments often leaves companies in the dark when it comes to who is accessing their apps, from where and for what purpose.

The State of Web App Security in 2021

According to The State of Application Security, 2021 report from Forrester, applications remain a key attack vector. Other issues such as stolen credentials and DDoS attacks are on the rise. However, applications are still the primary source of compromise.

As noted above, the state of web app security in 2021 has also been influenced by rapidly changing crisis conditions. Many companies with no history of remote work — and no plans to make the move — suddenly found themselves faced with full in-office shutdowns and no idea of when they might be coming back.

This led to a focus on function over security. That extends from home-office access to critical IT services to the use of virtual private networks and non-approved app “workarounds.” In general, enterprises found themselves dealing with more complex application landscapes. At the same time, they were largely lacking the infrastructure to manage and monitor these applications at scale.

It’s fair to say that the state of web application security in 2021 remains in flux. To keep some order, MITRE’s 2021 CWE Top 25 Most Dangerous Software Weaknesses list ranks the 25 weaknesses that appeared most often, and most severely, in the CVE data of the preceding two years. Note that the list covers all software, not only web applications: the memory-safety entries (out-of-bounds write and read, use after free) mostly affect native code, while the injection, scripting, traversal and upload entries are the classic web app weaknesses. Here’s a look at the top 10, with each entry’s CWE identifier:

  • Out-of-bounds write, CWE-787 (up one spot from 2020)
  • Cross-site scripting, CWE-79 (down one spot)
  • Out-of-bounds read, CWE-125 (up one spot)
  • Improper input validation, CWE-20 (down one spot)
  • OS command injection, CWE-78 (up five spots)
  • SQL injection, CWE-89 (no change)
  • Use after free, CWE-416 (up one spot)
  • Path traversal, CWE-22 (up four spots)
  • Cross-site request forgery, CWE-352 (no change)
  • Unrestricted upload of file with dangerous type, CWE-434 (up five spots).

Also worth mentioning is weakness number 11 on the list, missing authentication for critical function (CWE-306), which rose 13 spots from 2020.
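Two of the web-relevant entries above, SQL injection (CWE-89) and path traversal (CWE-22), are easiest to understand with the vulnerable code beside its fix. The following is an added example written for this primer; it is not code from the article, from MITRE or from any vendor. It uses an in-memory SQLite table and a temporary directory as constructed stand-ins for a real database and upload store, and the function names (`lookup_vulnerable`, `read_upload_hardened` and so on) are illustrative.

```python
"""Added example (not from the original article): CWE-89 SQL injection
and CWE-22 path traversal, each shown in a deliberately vulnerable form
next to a hardened form. All data is constructed inline."""
import os
import sqlite3
import tempfile


def make_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89: the caller's input is concatenated into the SQL text, so a
    value such as  x' OR '1'='1  rewrites the WHERE clause and returns
    every row instead of one."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = '" + name + "'").fetchall()
    return [r[0] for r in rows]


def lookup_hardened(conn, name):
    """Parameterised query: the value travels separately from the
    statement, so quotes inside `name` cannot change the query's structure."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def read_upload_vulnerable(base_dir, filename):
    """CWE-22: the caller-supplied name is joined onto base_dir without
    checking that the result stays inside it. '../' escapes the directory,
    and an absolute filename makes os.path.join discard base_dir entirely."""
    path = os.path.join(base_dir, filename)
    with open(path) as f:
        return f.read()


def read_upload_hardened(base_dir, filename):
    """Canonicalise both paths (resolving '..' and symlinks) and require the
    resolved file to sit under base_dir. commonpath() is used instead of a
    startswith() check so that a base of 'uploads' does not also accept
    'uploads_private/...'."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes upload directory: %r" % filename)
    with open(path) as f:
        return f.read()


def traversal_demo():
    """Constructed layout: <tmp>/uploads/report.txt plus <tmp>/secret.txt
    outside the upload directory. Returns what each reader does with
    '../secret.txt', and that the hardened reader still serves legitimate
    files."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "report.txt"), "w") as f:
        f.write("quarterly report")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db password")

    leaked = read_upload_vulnerable(uploads, "../secret.txt")
    try:
        read_upload_hardened(uploads, "../secret.txt")
        blocked = False
    except ValueError:
        blocked = True
    legit = read_upload_hardened(uploads, "report.txt")
    return leaked, blocked, legit


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "x' OR '1'='1"))
    print("hardened:  ", lookup_hardened(db, "x' OR '1'='1"))
    print("traversal: ", traversal_demo())
```

The point of the fixes is that neither relies on filtering the input: the parameterised query changes how the value reaches the database, and the traversal check validates the resolved path rather than looking for `..` in the string, which is why it also catches absolute paths and symlink tricks.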

Types of Testing

Web application security testing forms the front line of app defense. Common types of testing include:

1) Static application security testing (SAST): SAST tools scan source code (or compiled bytecode) for vulnerable patterns without running the application. It’s one of the first testing approaches enterprises adopt because it is quick to integrate: IDE plugins and pipeline scans flag issues as developers write code, so problems can be fixed before apps move into production, and each finding points to a specific file and line. The tradeoff is noise: because the tool reasons about code rather than observing runtime behavior, it cannot always tell whether a flagged pattern is actually reachable with attacker-controlled data, so findings need triage for false positives.

2) Dynamic application security testing (DAST): DAST, meanwhile, takes an outside-in approach, sending test attacks (injection payloads, malformed inputs, tampered requests) to a running application and watching how it responds. DAST scanners operate outside the application and can deliver results without access to source code, which also makes them usable against third-party and legacy apps. It’s worth noting, however, that DAST can only test what it can reach, so pages behind complex workflows are easy to miss, and a DAST finding describes the vulnerable request rather than the line of code that causes it.

3) Penetration testing: Also called pen testing, this approach is often used to pinpoint openings in critical apps. Pen testers are security experts, from inside or outside the organization, tasked with acting like attackers. To do so, they use the same tools and techniques real attackers use in an attempt to compromise apps and access key data, chaining individual weaknesses into a full attack path in a way automated scanners do not. While the enterprise knows a pen test is taking place, defenders are usually not told the specifics of the attack, which creates a more realistic setting. While it’s possible to conduct pen testing in-house, this can lead to bias on the part of testers who are familiar with existing structures and may assume rather than test. Reputable third parties, meanwhile, will often bring a broader set of attack techniques and a fresh view of the environment.

4) Runtime application self-protection (RASP): RASP is instrumented directly into the application runtime, so it can see requests, database calls and file access with the full context of the executing code. If a RASP tool detects a potential attack as the app runs, it can block the offending request, terminate the session and notify staff for follow-up. RASP is a compensating control rather than a fix: it adds runtime overhead, and the underlying vulnerability still needs to be remediated in code.
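To make the SAST description concrete, here is a minimal static check in that spirit, written for this primer as an added example; it is not any vendor’s SAST engine and not code from the article. It parses Python source with the standard-library `ast` module, never executes the code, and reports the line of every `.execute()` call whose query is assembled at runtime (the CWE-89 pattern). The sample source it scans is constructed, and the last finding is deliberately a false positive (the formatted value is a constant), showing why SAST output needs triage. The function names `find_dynamic_sql` and `_pattern_name` are illustrative.

```python
"""Added example (not from the original article): a toy SAST-style check
for SQL built by string formatting. Parses source with `ast`, runs none
of it, and reports (line, pattern) pairs for triage."""
import ast

# Constructed sample source, as a SAST tool would read it from disk.
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fmt(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_fstr(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))

def count_rows(conn):
    table = "users"   # constant: still flagged, a false positive to triage
    return conn.execute("SELECT COUNT(*) FROM {}".format(table))
'''


def _pattern_name(node):
    """Return a label if the expression builds a string at runtime,
    otherwise None. Only the outermost operation matters: a chain of
    concatenations parses as nested BinOp(Add) nodes."""
    if isinstance(node, ast.JoinedStr):                      # f"...{x}"
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "concat"                                      # "..." + x
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "percent-format"                              # "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"                                  # "...".format(x)
    return None


def find_dynamic_sql(source, filename="<sample>"):
    """Scan `source` for execute()/executemany() calls whose first argument
    is a runtime-built string. Returns a list of (line, pattern) sorted by
    line, which is exactly the 'file and line' precision SAST offers."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            continue
        pattern = _pattern_name(node.args[0])
        if pattern is not None:
            findings.append((node.lineno, pattern))
    findings.sort()
    return findings


if __name__ == "__main__":
    for line, pattern in find_dynamic_sql(SAMPLE_SOURCE):
        print("<sample>:%d  SQL built with %s" % (line, pattern))
```

Note what the check does and does not know: it sees that `count_rows` formats a value into a query, but not that the value is a hard-coded constant, because it tracks syntax rather than data flow. A DAST scanner would have the opposite blind spot: it could confirm that `find_user` is exploitable by sending a payload, but could not say which line to fix.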

Exploring Web Application Security Solutions

While there’s no one-size-fits-all answer when it comes to cloud application security and web application security solutions, enterprises are often best-served by tools that include key components such as:

  • Defense by design

The best defensive approaches unify people, processes and tech to ensure security is an integral part of every step in the development lifecycle.

Shift-left processes move defense earlier in the development process and make it possible for staff to address common issues without expensive escalation. The result is a better defense that can both reduce costs and improve compliance.

  • Process automation

From SAST to DAST to RASP, automation is critical to ensure app vulnerabilities are quickly identified and remediated. Best-of-breed solutions should include robust security integration and automation across the entire development pipeline.

  • Component-based protection

Apps don’t exist alone. Along with processes that help pinpoint issues in development and design, enterprises need solutions that include offensive security frameworks, comprehensive data protection and proactive cloud application monitoring to deliver complete visibility.

Bottom line? Robust web application security is critical for enterprises to reduce risk and proactively improve their application landscape.
