In a world that is completely interconnected via the internet, web servers, websites, and web applications are ubiquitous in almost every corporate sector on the planet. As web applications become more numerous and dynamic websites increase in number, the security concerns associated with them escalate as well. With online businesses relying on web applications as one of their primary channels for interacting with consumers, this trend is likely to continue. Statistics consistently show a rapid increase in online purchases of goods in the US; Mintel notes in its 2015 survey that nearly 70 percent of Americans shop online on a regular basis. Yet website breaches and hacks have become commonplace, and often cost companies millions of dollars in damage.
The Ponemon Institute asserts that 45 percent of breaches exceed $500,000 in losses. Furthermore, the International Data Corporation predicted that companies would begin to use web applications for more than direct transaction-related communication, increasingly relying on them for marketing, customer service, and the sharing of other significant information. The use of web applications for integral business operations makes them a prime target for hackers and cyber-attackers. Suitable risk management and security assessment programs must be adopted to protect businesses from attacks that could jeopardize one of the main online functions of their corporate infrastructure. The attack surface of a web application must be understood, and all possible attack vectors must be analyzed and mitigated. Mobile applications and web applications share many characteristics, both in their engineering architecture and in their security needs. These similarities include the programming languages used for development and the security flaws present in both, such as weak encryption ciphers, code injection holes, and more. However, from a security perspective, the two types of apps differ in significant ways.
Web applications are often linked directly to important back-end database servers, which can frequently be accessed in an unauthorized manner through SQL injection (SQLi) attacks. HTML files hosted on a web server within a DMZ, however, are usually protected by a Web Application Firewall (WAF), a Network Intrusion Detection System (IDS), and network firewalls. Even with such protection, a website often provides a direct interface through which an attacker can inject code to manipulate fields, bypass authentication, and plant reverse shells, rootkits, and backdoors.
Because they are website-oriented, web applications operate via a web browser, require an internet connection, and are cross-platform. Consequently, a web application can offer an attacker a means to compromise all platforms at once, whereas a native mobile app must be compromised on each platform individually, which requires understanding the OS the app is built for and the different programming language used on each platform. Mobile applications are often network-oriented, but do not necessarily require network connectivity. In addition, native mobile apps are generally written in an OS-specific language, such as Java for Android and Objective-C/Swift for iOS.
Storage of data on the client side, the types of back-end APIs, access to core device functionality, and similar factors make mobile apps different from web apps and present different security challenges to engineers. Although web applications are often optimized for mobile formats, compromising a web application frequently leads to the compromise of further back-end servers and systems, while compromising a mobile app can mean access to multiple critical infrastructures, including back-end network systems, mobile device functions, proprietary code, and more. The risks and threats associated with mobile apps and web apps are therefore different, and must be assessed differently, based on an intimate understanding of the attack vectors and potential vulnerabilities tied to each.
Web applications are built around three core languages: HTML, CSS, and JavaScript. However, a myriad of other languages and frameworks are associated with complex, dynamic web apps on both the back end and the front end, including Python, Java, C++, PHP, Ruby, C#, Node.js, and more.
Each framework and programming language used for web application development may introduce additional security vulnerabilities. As estimated by the International Data Corporation in 2011, at least 80 percent of web applications have one or more high-risk vulnerabilities written into their code, resulting in inherent security holes that can be exploited. In addition, according to the Website Security Statistics Report, application vulnerability likelihood shifted between 2012 and 2014: in 2012 the likelihood of an app exhibiting information leakage or XSS was 58 percent and 55 percent respectively, while in 2014 there was a 70 percent likelihood of an app having Insufficient Transport Layer Protection. Web application security testing requires a variety of methods in order to fully identify all potential flaws. These methods include:
• Dynamic application security testing
• Manual penetration testing
• Static source code security analysis
Combining black box and white box methods allows for a full-surface approach to understanding your application's security posture, identifying vulnerabilities from both internal and external perspectives. Additionally, different programming languages carry different potential security flaws, so web applications must be tested differently depending on the languages they use. If your application uses Perl or JavaScript, improperly validated user input is a key concern.
Other applications may require testing for AJAX vulnerabilities. Misconfigured .NET and Java applications frequently pose high risks. A dynamic page built on client-side JavaScript forms must be tested differently from a page that accepts dynamic input through server-side PHP. JavaScript injection, SQLi attacks, and XSS are attack vectors commonly used against web applications built with particular languages.
Regardless of your web application's architecture, our expert team has the knowledge and experience to provide a full security analysis of your web applications. Issues such as SQL injection, Cross-Site Scripting (XSS), server misconfigurations, SSI injection, Local and Remote File Inclusion, JavaScript injection, and other well-known attack vectors all represent possible methods an attacker may use to compromise your web applications. Through a combination of dynamic penetration testing and static source code review, executed both manually and with automated tools, we can identify and help you mitigate security vulnerabilities in your applications so that you can continue to operate efficiently.