Hackers just can't get enough of hacking websites. Malicious actors break into them to upload infected copies of operating systems or distribute malware. Fraudsters use website vulnerabilities to steal sensitive credentials and financial info. The feds take them over to track down child porn consumers. Hacktivists take them down to fight controversial bathroom bills. And a lot more.
Websites continue to account for the majority of cyberattacks, and tens of thousands are targeted every day. There are virtually endless reasons, and ways, that websites can be attacked. But while the motives and tools to attack websites are many, there are distinct reasons hackers select websites as one of their prime targets and succeed at compromising them. Knowing them can help improve the security of websites and their customers.
Websites are the weakest link in the chain
There are many ways corporate networks can be infiltrated. Vulnerabilities in networking equipment firmware, flaws in encryption algorithms, misconfigured and unpatched software installations, and the use of advanced network monitoring tools are all viable avenues. But many of these breaches demand a high level of expertise and knowledge, or require special resources that can only be obtained with nation-state backing.
Moreover, with the introduction of advanced security tools such as smart firewalls, intrusion detection systems (IDS), signature- and behavior-based antivirus, virtual private networks and many more, it is becoming harder and harder for intruders to find cracks in the defenses of a company network and gain access to its more private parts.
The only things that remain ubiquitous and largely accessible are websites and web applications.
A major part of running an online business is having one or more outward-facing websites. Whether it's an e-commerce site where customers can make purchases, a social media platform where people can connect, or a web portal for employees to log into, there needs to be an interface where people can interact with your organization through public networks. And that includes hackers.
"Industries that have adopted and increased web application usage for their business in the past year are seeing the impact on the two attack patterns," says Amit Ashbel, director of product marketing at Checkmarx, a cybersecurity startup that offers application security solutions. "Financial and transportation verticals are the top targets when it comes to web application attack vectors. Both these industries have ramped up their web and mobile application services in the past years, creating a very fertile attack surface."
In contrast to many exploits that require physical access to private networks or state-sponsored access to ISPs, attacks against websites only require a working Internet connection. And all it takes from there is a vulnerability that can be exploited.
"The sheer fact that web applications are available for everyone to use drives attackers to design their attacks based on the weak point of the web application," Ashbel explains.
Websites are riddled with coding flaws
According to a study by Carnegie Mellon University titled "Team Software Process for Secure Systems Development," 90 percent of security incidents result from software bugs, i.e. errors committed by developers when writing the source code for the application. The study further finds that even qualified and experienced software engineers introduce a bug in every nine lines of code.
When it comes to web applications, there's no shortage of coding flaws, and the reasons are simple.
First of all, in contrast to complicated software, such as operating systems or specialized software for networking equipment, web development is an easy skill, one you can pick up on your own, in your own garage, which makes it an attractive field for people who want to learn some quick skills and earn some quick cash.
Moreover, there's a lot of ad-hoc code being written to meet the needs of specific firms and organizations. Many of these institutions turn to internal resources or freelancers for web development. But these programmers aren't necessarily versed in the basics and tenets of secure coding. They are mainly focused on delivering a product that fits the functional requirements of the customer, and consequently leave many security holes in their wake as they code their way to the finish line.
"Developers are measured by the time it takes them to deliver functionality and the number of functionality bugs their code contains," Checkmarx's Ashbel says. "The more experience they gain, the better their code becomes. This is a natural process of finding and learning from their mistakes."
"With security glitches, in many cases they don't have the option to learn from their missteps because they are rarely involved in the detection process," he says.
Website security practices aren't implemented properly
Even some of the bigger companies are getting hit because they are lacking in proper tools and practices for rooting out vulnerabilities from their websites. For instance, in the case of the VTech hack, in which the toy giant gave away sensitive information for millions of users, including hundreds of thousands of kids, the vulnerabilities involved were very rudimentary, including the use of obsolete encryption hashes and components containing SQL injection flaws.
Traditional security testing methods consist of relying on security audit professionals late into or at the end of the development lifecycle to review websites for vulnerabilities. This is a process that is expensive, lengthy and incomplete.
Many companies skip this stage since they either don't have the in-house expertise or the resources to outsource the security talent, or they don't have time and are too focused on functionality to care about the security of their website. This results in corporate websites going into production with severe security holes. Hackers have many tools that help them rapidly sniff out vulnerabilities and exploit them. On the other hand, it takes firms and organizations a long time to realize they've been breached.
A website breach usually offers attackers a beachhead from which to delve further into corporate networks and gain access to more critical assets and resources such as database servers, encryption keys and classified documents. A look at these recent data breaches shows how destructive coding flaws can be.
How do you harden your website's security?
There are general guidelines for developing secure websites, but first of all, there needs to be a change of mindset. Companies must consider security as a prime concern, not an afterthought. This can only be achieved if security issues are dealt with in tandem with the development of the website.
Firms should start by educating their development team in the basics of secure coding. Security-savvy programmers write more secure code. Having general knowledge about vulnerabilities such as SQL injection (SQLi) and cross-site scripting (XSS) can help developers make more secure web applications from the get-go.
Also, the use of Static Application Security Testing (SAST) tools can help integrate security testing into the development process. SAST tools rapidly scan the source code of applications for known vulnerabilities and bad coding practices and warn the developers as they build the application. This is a cost-effective solution for rooting out bugs in applications because it moves security testing earlier in the development lifecycle, where correcting mistakes has less impact on the overall structure of the application and ends up being cheaper and less time consuming.
"Rather than waiting for the end of the development cycle, organizations should address vulnerabilities in the same way they address functionality glitches," says Ashbel. "It should be part of the software development lifecycle from the starting point. That way developers learn from their own mistakes and become better and more secure coders."
The future of web security
Websites are a huge component of everyday life and business. An insecure website can be destructive to the integrity, reputation and bottom line of an organization.
"The future of web and mobile application security relies on the ability to bridge the silos between the security and development teams within the organization," Ashbel says. "While quality assurance is there to verify that the code delivers the functionality it promises, developers and security teams need to ensure the code does not deliver functionality that can be abused by external sources such as hackers and criminals."
Photo via Christiaan Colen/Flickr (CC-BY-SA)