14 Jun Barracuda Networks: Learning these Security ‘A-B-Cs’ Will Ensure Top-Class Web Application Protection
IT security experts Barracuda Networks have exclusively shared their top security tips to help ensure the best web-application protection. Toni El Inati, RVP Sales, META & CEE, Barracuda Networks, shares security ABCs.
For years, businesses in the UAE have been utilising software applications as an important business tool. But, like everywhere else, times are changing. Today, it’s becoming increasingly common to use cloud platforms, accessed over the internet, with datacentres holding local servers falling out of favour. Cloud platforms and applications accessed over the internet are a big plus when it comes to functionality and ease of access, but they come with a major headache for organisations: the thorny issue of cybersecurity.
This issue isn’t one that businesses can afford to ignore, with the recent ‘The state of application security in 2021’ report by Barracuda finding that 72% of organisations suffered at least one breach from an application vulnerability. All applications that can be accessed over the internet are vulnerable to attack by cybercriminals, who know that breaching these applications can enable them to reach deeper into a company’s infrastructure and cause serious damage.
The pandemic has exacerbated the problem, with companies quickly rushing to allow wider remote access to employees – often without paying enough attention to cybersecurity. The consequences can be far-ranging and serious, with applications wide open to attack through techniques such as SQL injection, cross-site scripting, and command injection.
Going back to basics and focusing on the web app security ABCs is a good way to make sure your company doesn’t fall behind in the cybersecurity battle and suffer serious consequences such as monetary, reputational and legal damage.
A: API security
Application programming interfaces (APIs) sit at the heart of digital transformation and are used to power digital platforms and enable computers and apps to connect and communicate. Businesses utilise APIs when developing applications as it’s an efficient and quick way of building and releasing new applications. Leveraging APIs simply makes sense, and adoption rates are significant in organisations around the world, with the UAE being no exception.
Because APIs have access to vital data, and they’re built for automation, they’re very much in the firing line when it comes to cyberattacks. Breaching vulnerable APIs can be extremely lucrative and productive – and cybercriminals and hackers are only too keen to exploit this.
Therefore, API security needs to be one of your highest priorities when it comes to keeping your applications cybersecure. The same Barracuda report found that 37% of respondents listed securing APIs as their number-one application security challenge. Is your security team confident that all your APIs are adequately secured and protected?
B: Bot protection
Next up is ensuring you are protected against malicious bots. Bots were once used mainly by search engines, but they’re now used for all kinds of different things – both for innocent, useful activities and for malicious ones. Things like social network bots, monitoring bots, search engine crawlers and aggregator crawlers are all useful tools with no malicious intent.
But on the other hand, some bots are created purely for sinister purposes. They could be basic scrapers that attempt to steal data from an application, or they could be sophisticated bots that are persistent in their attacks and much trickier to block – and anything in between.
Identifying and blocking these bots is vital if you’re to prevent major problems such as account takeover and distributed denial of service attacks. These complex and intelligent bots are highly adept at evading defences, and ordinary blocking methods like Google reCAPTCHA simply don’t work.
The Barracuda report mentioned earlier found that 44% of respondents say bot attacks contributed to a successful security breach that exploited a vulnerability in their organisation’s applications. So it’s very clear that security teams need to ensure there are robust measures in place to protect against malicious bots.
C: Client-side protection
As companies continue to transition to the cloud, there are many new web-specific vulnerabilities that businesses need to be aware of. Lots of these sit on the client side of IT infrastructure, and include things like cross-site scripting and clickjacking. Because applications are increasingly being accessed over the internet, these vulnerabilities are causing more issues – often on the client side in web browsers.
In web development, a lot of the client-side logic uses either open source or third-party code, where security isn’t a high priority. This is clearly a concern, and scripts can be hacked at any time. To protect against serious breaches, it’s important to review all client-side code and make sure there are no vulnerabilities.
Stay ahead with your ABCs
The transition to cloud platforms and an increasing move towards applications accessed over the internet is largely a positive one for companies in the UAE. To reap the benefits of this, while mitigating the risks, organisations should follow the ABC of application security. Like everything when it comes to cybersecurity, it’s important to regularly review your ABCs as the capability and sophistication of attacks evolve over time.