Evolving threats put applications at risk. Robust web application security can help prevent compromise before it happens. Not sure where to start? Our protective primer has you covered.

What Is Web Application Security?

Web application security focuses on the reduction of threats through the identification, analysis and remediation of potential weaknesses or vulnerabilities. While the bulk of this process occurs in design and development phases, it’s also an ongoing endeavor that follows applications throughout their lifecycles to reduce overall risk.

Why Does This Matter?

Because all applications are at risk. According to a 2021 research report, 100% of commercial applications studied contained at least one at-risk open-source component. Even more worrisome was that 85% included “critical” weak points that could provide entry paths for threat actors.

The speed and scope of development make this issue worse. To keep pace with rivals and deliver improved customer service, many enterprises now rely on a mix of third-party developers and readily available, cost-effective open-source components. The result is a fragmented application landscape that often puts speed over safety.

Web app security is also critical because the sheer volume and variety of applications deployed by businesses make it challenging to monitor risk well at scale. When it comes to volume, enterprises deployed an average of 175 apps in 2020, while smaller companies used 73. In terms of variety, 94% of enterprises now use apps in the cloud. Add in the recent shift to remote work and the scope of applications expands even further, moving out of offices and into employees’ homes.

This landscape offers an unmatched bounty for attackers: With so many apps in so many locations — and most using at least one open-source component — it’s possible for them to find multiple entry points that provide both vertical and lateral network movement. What’s more, the lack of insight into disparate environments often leaves companies in the dark when it comes to who’s accessing their apps, why and for what purpose.

The State of Web App Security in 2021

According to The State of Application Security, 2021 report from Forrester, applications remain a key attack vector. Other issues such as stolen credentials and DDoS attacks are on the rise. However, applications are still the primary source of compromise.

As noted above, the state of web app security in 2021 has also been influenced by rapidly changing crisis conditions. Many companies with no history of remote work — and no plans to make the move — suddenly found themselves faced with full in-office shutdowns and no idea of when they might be coming back.

This led to a focus on function over security, extending from home-office access to critical IT services to the use of virtual private networks and non-approved app ‘workarounds’. In general, enterprises found themselves dealing with more complex application landscapes. At the same time, they were largely lacking the infrastructure to manage and monitor these applications at scale.

It’s fair to say that the state of web application security in 2021 remains in flux. To keep some order, the CWE Top 25 list ranks the most common application weaknesses this year. Here’s a look at the top 10:

  • Out-of-bounds write (up one spot from 2020)
  • Cross-site scripting (down one spot)
  • Out-of-bounds read (up one spot)
  • Improper input validation (down one spot)
  • OS command injection (up five spots)
  • SQL injection (no change)
  • Use after free (up one spot)
  • Path traversal (up four spots)
  • Cross-site request forgery (no change)
  • Unrestricted upload of file (up five spots)

Also worth mentioning is threat number 11 on the list — missing authentication for critical functions — which rose 13 spots from 2020.
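Two of the weaknesses on the list above, SQL injection and path traversal, come down to the same root cause: caller-controlled input is allowed to change the structure of a query or a file path instead of being treated purely as data. The following is an added example (not code from the article) showing each as a vulnerable function beside its hardened form. It uses only the Python standard library; the users table is constructed in memory for the demonstration, and the base directory path is an assumed placeholder.

```python
"""Added example (not from the original article): two CWE Top 25 weaknesses,
SQL injection (CWE-89) and path traversal (CWE-22), each shown as a vulnerable
function beside its hardened form. Standard library only; the sample users
table is constructed here in memory."""
import sqlite3
from pathlib import Path


# --- SQL injection ----------------------------------------------------------

def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller-controlled name is spliced into the SQL text, so a
    quote character in the input changes the meaning of the WHERE clause."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a parameterized query sends the value separately from the
    statement, so whatever the input contains is compared as a plain string."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Path traversal ---------------------------------------------------------

def resolve_vulnerable(base_dir: Path, user_path: str) -> Path:
    """Vulnerable: joining the request path onto the base directory lets '..'
    segments (or an absolute path) escape it. Returns the path that would be
    opened, without checking where it ended up."""
    return base_dir / user_path


def resolve_hardened(base_dir: Path, user_path: str) -> Path:
    """Hardened: normalise the candidate path and require that it still lies
    inside base_dir; anything else is rejected before any file is opened."""
    base = base_dir.resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes the allowed directory: {user_path!r}")
    return candidate


if __name__ == "__main__":
    db = build_db()
    hostile = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, hostile))   # every row comes back
    print("hardened:  ", lookup_hardened(db, hostile))     # no such user: []
    static = Path("/srv/app/static")                       # assumed placeholder
    print(resolve_vulnerable(static, "../../etc/passwd"))  # would leave the tree
    try:
        resolve_hardened(static, "../../etc/passwd")
    except ValueError as err:
        print("rejected:", err)
```

The containment check in `resolve_hardened` is done on the resolved path, not on the raw string, so encoded or doubled `..` segments and absolute paths are handled by the same rule: after normalisation the result must still be the base directory or one of its descendants.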

Types of Testing

Web application security testing forms the front line of app defense. Common types of testing include:

1) Static application security testing (SAST): SAST allows developers to scan source code for potential vulnerabilities. They can carry it out manually or via automation. It’s one of the first testing approaches enterprises use, owing to its speed and simplicity. SAST provides real-time analysis as developers create code, enabling them to identify and remediate issues before apps move into production.

2) Dynamic application security testing (DAST): DAST, meanwhile, takes an outside-in approach by attempting to find and exploit front-end vulnerabilities using test attacks. DAST scanners operate outside of applications and can help deliver results right away without the need to access source code. It’s worth noting, however, that DAST tests aren’t able to pinpoint the exact location of code risks.

3) Penetration testing: Also called pen testing, this approach is often used to pinpoint openings in critical apps. Pen testers are often security experts from either inside or outside the organization, tasked with acting like attackers. To do so, they use popular tools and techniques in an attempt to compromise apps and access key data. While enterprises know when these pen tests are taking place, they’re not given any details on the specifics of the attack, which creates a more realistic setting. While it’s possible to conduct pen testing in-house, this can lead to potential bias on the part of testers who are familiar with existing structures and may assume rather than test. Reputable third parties, meanwhile, will often provide more robust attack frameworks.

4) Runtime application self-protection (RASP): RASP is built directly into software. If RASP tools detect potential threats as apps are called and executed, they can both shut down open sessions and notify staff for follow-up.
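To make the SAST description concrete, here is an added example (not code from the article or from any particular SAST product) of the kind of check such a tool performs: it parses Python source into an abstract syntax tree and flags `execute()` calls whose SQL argument is built by string formatting, the pattern behind most SQL injection findings. The sample source it scans is constructed for the demonstration; the function and constant names are the example's own.

```python
"""Added example (not from the original article): a minimal static check in
the style of a SAST tool. It parses Python source and reports execute() calls
whose first argument is assembled at run time by string formatting. The
scanned source below is constructed for the demonstration."""
import ast


def _is_formatted_string(node: ast.AST) -> bool:
    """True if the expression builds a string from parts at run time."""
    if isinstance(node, ast.JoinedStr):                    # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                        # "..." % x or "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                  # "...".format(x)
    return False


def find_formatted_sql(source: str, filename: str = "<memory>") -> list:
    """Return (line, column) for each execute()/executemany() call whose SQL
    argument is a formatted string. A parameterized call with a constant SQL
    string is not reported."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr in ("execute", "executemany")
            and node.args
            and _is_formatted_string(node.args[0])
        ):
            findings.append((node.lineno, node.col_offset))
    return findings


# Constructed sample input: two risky calls and one parameterized call.
SAMPLE_SOURCE = '''
def get_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)   # flagged
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")      # flagged
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))     # clean
    return cur.fetchall()
'''


if __name__ == "__main__":
    for line, col in find_formatted_sql(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}:{col}: execute() called with formatted SQL")
```

Because the check reads the source rather than running the program, it reports the exact file and line of each finding, which is the property the article credits to SAST and notes that DAST lacks. The trade-off is visible too: a string concatenated with `+` is flagged even when both halves are constants, so a real tool adds data-flow analysis to tell caller-controlled values from literals.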

Exploring Web Application Security Solutions

While there’s no one-size-fits-all answer when it comes to cloud application security and web application security solutions, enterprises are often best-served by tools that include key components such as:

  • Defense by design

The best defensive approaches unify people, processes and tech to ensure security is an integral part of every step in the development lifecycle.

Shift-left processes move defense earlier in the development process and make it possible for staff to address common issues without expensive escalation. The result is a better defense that can both reduce costs and improve compliance.

  • Process automation

From SAST to DAST to RASP, automation is critical to ensure app vulnerabilities are quickly identified and remediated. Best-of-breed solutions should include robust security integration and automation across the entire development pipeline.

  • Component-based protection

Apps don’t exist alone. Along with processes that help pinpoint issues in development and design, enterprises need solutions that include offensive security frameworks, comprehensive data protection and proactive cloud application monitoring to deliver complete visibility.

Bottom line? Robust web application security is critical for enterprises to reduce risk and proactively improve their application landscape.
