It’s easy to forget how dramatically the delivery of tech tools has changed over the decades. These days, few of us depend on a long list of desktop apps to do our work. Instead, we spend our working day logged into several web apps – simultaneously.
Likewise, we can miss just how complex and interconnected the web app ecosystem is. Think you’re just using a single web app provided by a single vendor? Think again; that web app depends on countless underlying apps and components that function in concert.
All of this works so well because of the web’s incredibly open approach. For example, the public web address you use to access a web app can receive incoming requests from anyone, anywhere in the world.
The web’s openness has a price
There’s a catch however: the web’s mix of complexity and openness, combined with the public nature of the web, can leave the door open for malicious actors.
Once you add software bugs, lax security and the attraction of valuable data such as credit card details into the mix, it’s easy to see why hackers are hammering away at web applications.
Let’s look at just one example of a typical attack vector: formjacking. Formjacking involves the interception of sensitive information typed into a website form, and it’s an incredibly common way web apps are exploited. Through 2018, just one security vendor detected 3.7 million formjacking attempts.
It is an astonishing number that should, in theory at least, make any CISO sit up straight.
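Formjacking usually arrives as injected or tampered JavaScript that reads form fields in the visitor’s browser, so two standard defences are Subresource Integrity (SRI) on third-party scripts and a Content Security Policy (CSP) that limits where scripts may load from and where forms and fetch calls may send data. The following added example (not code from the article or its author) audits the script tags of an HTML page for third-party scripts that lack an SRI `integrity` attribute and drafts a CSP from the origins it finds. The page markup, the origins `shop.example`, `cdn.vendor.example` and `cdn.thirdparty.example`, and the `sha384-PLACEHOLDER_HASH` value are all constructed for the example.

```javascript
// Added example: audit <script src> tags for formjacking exposure.
// Assumptions (not from the article): a page is given as an HTML string,
// the first-party origin is known, and a regex-based scan is sufficient
// for this illustration (a real audit would use a proper HTML parser).

function auditScripts(html, firstPartyOrigin) {
  // Match <script ...src="..." ...> and capture attributes on both sides of src.
  const scriptRe = /<script\b([^>]*)\bsrc\s*=\s*["']([^"']+)["']([^>]*)>/gi;
  const findings = [];
  const scriptOrigins = new Set();
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1] + m[3];
    let url;
    try {
      url = new URL(m[2], firstPartyOrigin); // resolves relative paths
    } catch {
      continue; // unparsable src: skip
    }
    if (url.origin === firstPartyOrigin) continue; // first-party script
    scriptOrigins.add(url.origin);
    const hasSri = /\bintegrity\s*=/i.test(attrs);
    if (!hasSri) {
      findings.push({ src: url.href, reason: "third-party script without SRI" });
    }
  }
  // Draft CSP: only allow scripts from 'self' plus the origins actually in use,
  // keep form submissions first-party, and keep fetch/XHR/beacon first-party
  // so injected code has nowhere to post captured form data.
  const scriptSrc = ["'self'", ...scriptOrigins].join(" ");
  const csp = `script-src ${scriptSrc}; form-action 'self'; connect-src 'self'`;
  return { findings, csp };
}

// Constructed sample page: one first-party script, one third-party script with
// SRI, one third-party script without SRI, one inline script (no src).
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.vendor.example/widget.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.thirdparty.example/tracker.js"></script>
<script>console.log("inline");</script>
</head><body><form action="/checkout"><input name="card"></form></body></html>`;

const report = auditScripts(SAMPLE_HTML, "https://shop.example");
console.log(JSON.stringify(report, null, 2));
```

Each finding names a script that could be replaced upstream without the browser noticing; adding an `integrity` hash makes the browser refuse a modified copy. The drafted CSP is a starting point to review, not to deploy blindly: `form-action 'self'` and `connect-src 'self'` will break any legitimate third-party checkout or analytics endpoint, which then has to be added explicitly.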
But why do we need to worry, it’s not our app?
OK, so clearly web apps are at the sharp end of the cybersecurity threat, whether it’s a website set up to serve customers or a web app that enables a critical business process.
Often, though, these web apps are owned by third party vendors. You pay the vendor for the use of the app, and that’s the end of the story, right?
Just because it’s a third-party vendor that supplies the app does not mean that your company won’t be in the firing line if an app is hacked.
Just consider the following:
- Downtime and lost business. If your website or the web app you use for everyday operations is down, you may not be able to do business with your customers. You’ll lose the sales revenue, and it’s an open question whether your company will recover that revenue.
- Theft of data. Hackers can steal important data from web apps – including credentials to other services (think access to banking products). You might also be storing confidential information unique to your business in a web app, data that you wouldn’t want out in the open.
- Data loss. A compromised app can also mean that you lose key business data that you need for everyday operations. This loss can be devastating, to the extent that a business is forced to close down because it cannot recover – all because of a third-party web app.
- Reputational risk. What is the impact if an app your business relies on to deal with customers is clearly and visibly compromised? How much business will your company lose if news of data loss becomes public? Assigning a number to the lost business, lost growth and lost trust is difficult, but the impact can be game-changing.
- Compliance and fines. Over and above the reputational risk, government authorities such as the EU are known to impose stiff fines even if your company was not at fault or willfully negligent. Pleading that a third-party app was involved won’t help.
So, there’s plenty to keep in mind when you’re considering how your company is vulnerable to an exploited web app that’s provided by a third party.
Hang on, we only use that web app to…
To be fair, web app security risks vary. Sometimes a web app going wrong poses minimal risk to your company, even if you use that app every day.
It’s also true that companies have limited budgets and, understandably, security leaders will want to spend available time and funds in a way that’s proportional to the underlying risk.
Your company is at high risk and should keep a close eye on web application security if it’s heavily dependent on multiple cloud vendors for day-to-day operations. High risk also kicks in where your product or field of business is controversial, or where your company handles personally identifiable data such as financial and healthcare records.
There’s less risk associated with static websites that have no interactivity, or where your company hardly makes use of online services for its day-to-day functionality. However, that would be a minority of modern businesses.
The known and the unknown
There’s a final factor that CISOs should think about concerning web app security. Many of the threats faced by websites have been discovered, patched and can easily be guarded against. These are known vulnerabilities. Known vulnerabilities still require vigilance, but web apps are essentially easier to protect against them.
However, one of the key reasons why web app security is so worrying is unknown vulnerabilities: weaknesses that do exist but have not yet been exploited by malicious actors, and which can be exploited once found.
Guarding against unknown vulnerabilities requires a comprehensive approach from security experts that know their stuff. It’s an open question as to whether the vendors supplying the apps you rely on take their security obligations seriously.
Yes, your company can safely deploy web apps
There’s no way your company can simply set aside the web apps it uses every day because of the security risks. Modern-day tech relies on web apps, end of story.
The good news is that web app security can be boosted with some simple steps. You can read our full article here, but here are some important actions you can take to mitigate web app security concerns:
- Catalog the apps you use, assess where you are exposed
- Check the security measures of your vendors
- Enforce good practice such as password security and locking down credentials
- Test, monitor and protect apps using the available tools
- Involve an external cybersecurity expert to risk assess and strategize
In contrast, simply sitting back and relying on web-driven applications as if these apps are infallible can open your company to a wide range of risks.
Today’s agile, fluid tech brings enormous benefits – but risks too. Thankfully your company can continue to enjoy cutting-edge tech without outsize risk exposure – as long as it recognizes the risks, and takes mitigating steps.
Looking for a web application vulnerability scanner? Contact us to schedule a free demo of our products in action.