Securing web applications is a priority this year. With over 70% of all attacks happening on Layer 7, what is your blueprint for security? We talked to some of the experts in the field and bring you their top recommendations.
“You must be aware of credentials access and you must use multi-factor authentication because those are the keys to your kingdom. You need to know which web applications and other cloud services are being used on your network and you need to know which credentials are being accessed.”
Jeremy Vance, VP of Technology, USCloud
Web Application Firewall
“With over 45 percent of organizations reporting that they have suffered a data breach over the past year, it’s critical that organizations put in place solutions to improve data security. Investing in a Web Application Firewall (WAF) can significantly improve security and minimize risk from data theft and other threats.”
Ron Winward, Security Evangelist at Radware
Encrypt, use proxy and scan
“In the ever-evolving world of web applications and cyber security, securing your applications is more important now than ever. One might consider leveraging certificate or token based authentication to ensure your data isn’t exfiltrated. All traffic should be encrypted over HTTPS. Only expose public API endpoints to the world if possible, minimizing your attack surface. Using a proxy is also recommended. Regularly apply security patches to your web servers and consider leveraging a security scanner like OWASP.”
Marcus Bastian, owner of Clouductivity
“One of the most important web security precautions organizations can take is to simply keep all their software and components up to date. WordPress is a great example of this – there are over 11,000 known vulnerabilities in old versions of WordPress and associated plugins/themes.
I recently completed a study on how quickly site owners update their WordPress sites. The study found that roughly half of WordPress sites run on an outdated version of WordPress.”
Adam Thompson, SEO / SEM Manager, Comodo SSL Store
Secure All Layers
“With the rise in the number of personal data breaches reported this year, strong concerns on implementing security procedures within all the application layers in the web architecture have resurfaced. Especially when GDPR is making heads turn in all industries, I think 2018-19 should be more focused towards its conformance and other personal data security safeguards.”
Sanjay Kumar, Technical Lead, Kays Harbor Technologies Pvt. Ltd
“To ensure your web application is secure, yet still responsive and useful, ensure that the code / environment follows the OWASP Top 10 suggestions, then test, test, test…even in production, and limit your application’s direct access to other systems and databases. Your application should communicate through a broker, not directly.”
Michael T. Lester, Chairman/CISO, LegacyArmour.com
“Follow Google’s lead. And implement a secure reverse proxy that only allows connections from a known trusted computer by an account that has been authenticated using multi-factor authentication.”
Mark Wilcox, Vice President of Business Development, ICSynergy International
Test & Report
“There are 4 steps to keep web applications safe.
#1: Recon. You must explore the app, spider it, and discover its default content.
#2: Analyze. Identify the app’s functionality/entry points.
#3: Test. Run enumeration tests, client-side checks, etc.
#4: Report. Record your observations and recommend a secure solution.”
Pierluigi Paganini, Security Researcher for the InfoSec Institute.
“For a company trying to protect its web access and create the right security level, it can be confusing. There are various programs and devices that can aid in preventing malicious adware and viruses from entering your network. The key is to choose the most cost-effective solution that can efficiently emulate a malicious hacker trying to hack a website; use a black box scanner, which is often called a web vulnerability scanner. Besides using an automated web application security scan, IT heads should look at adding a manual audit. By using both methodologies you can identify all types of vulnerabilities and technical vulnerabilities.”
Lindsey Havens, Senior Marketing Manager, PhishLabs
“There are two things to look at: authentication and authorization. The new GDPR should also be investigated as not everyone should have access to the data source of the app. So, my tip is to look into the architecture of the app, isolation of data and data encryption, and make sure you comply with current and future policies.”
Dieter Visser, Senior Developer, Pro-Sapien
“My top 5 recommendations, at the operations level, would be to:
1. Use a configuration management tool to ensure that all servers and firewalls are identically and correctly configured
2. Use blue/green deploys to minimize configuration drift and to support easy patch deployment
3. Enforce the principle of least privilege to minimize the impact of a break-in
4. Implement a multi-tier solution to isolate the persistence layer
5. Log important events to a central, secure location where logs are regularly analyzed for abnormal events”
Abdul Gani, Senior Engineer Manager, EventMobi
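The fifth recommendation above, central logging that is actually analyzed for abnormal events, is only useful if something reads the logs. The following is an added example (not code from the original post or from EventMobi) of one such analysis: a sliding-window detector that flags an IP address producing many failed logins across several different accounts, the pattern of a password-spraying attempt. The log format, field names and sample lines are constructed for this example; a real deployment would parse whatever your application or identity provider emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of centralised authentication log lines (not from any real
# system). One IP fails against six different accounts in a few seconds; a
# second IP is an ordinary user who mistypes a password twice and then succeeds.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z auth ip=203.0.113.7 user=bob result=fail
2024-05-01T10:01:00Z auth ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:03Z auth ip=203.0.113.7 user=carol result=fail
this line is malformed and must be skipped, not crash the analyser
2024-05-01T10:00:04Z auth ip=203.0.113.7 user=dave result=fail
2024-05-01T10:01:05Z auth ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:05Z auth ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:06Z auth ip=203.0.113.7 user=frank result=fail
2024-05-01T10:01:10Z auth ip=198.51.100.4 user=alice result=ok
"""

# Hypothetical line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else.
    Malformed input is skipped rather than raising, so one bad line cannot
    stop the analysis of a whole log shipment."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # datetime.fromisoformat() accepts a trailing "Z" only from Python 3.11,
    # so normalise it to an explicit UTC offset first.
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {"ts": ts, "ip": m.group("ip"),
            "user": m.group("user"), "result": m.group("result")}


def detect_password_spray(log_text, window_seconds=300,
                          max_failures=5, min_distinct_users=3):
    """Flag each source IP whose failed logins within `window_seconds`
    reach `max_failures` and touch at least `min_distinct_users` accounts.
    Returns {ip: {"first_seen", "failures", "distinct_users"}}; an IP is
    reported once, at the moment the thresholds are first crossed."""
    per_ip = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "fail":
            continue
        q = per_ip[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the window relative to the newest one.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        users = {u for _, u in q}
        if (len(q) >= max_failures and len(users) >= min_distinct_users
                and ev["ip"] not in alerts):
            alerts[ev["ip"]] = {
                "first_seen": q[0][0].isoformat(),
                "failures": len(q),
                "distinct_users": len(users),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"ALERT possible password spray from {ip}: {info}")
```

The thresholds (five failures across three or more accounts in five minutes) are deliberately conservative so that a single user who forgets a password does not trigger an alert; tune them against your own baseline, and feed the alert into the same central pipeline so the response is logged as well.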
Screen for Compromised Credentials
“2FA/MFA is critical to keep customers/users safe and so is compromised credential screening. The average user has 90 accounts. 55% of them will reuse passwords. With password reuse, hackers exploit credential leaks from a breach to gain access to other online accounts = hacked accounts. The fix is to proactively screen for compromised credentials upon login.”
Kristen Ranta Haikal Wilson, Founder & VP, Product & Marketing, PasswordPing
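To make the screening step concrete, here is an added example (not code from the original post or from PasswordPing) of how a login flow can check a submitted password against a breach corpus without ever sending the password, or even its full hash, to the lookup service. It follows the k-anonymity range-query pattern popularised by the Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every known suffix under that prefix, and does the final comparison locally. The breach list, the `range_lookup` server stand-in and the `login_decision` policy are constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-in for a leaked-credential corpus. A real deployment would
# use a breach data feed or a hosted screening service; this short list exists
# only so the example runs offline.
_CONSTRUCTED_BREACHED_PASSWORDS = [
    "password",
    "123456",
    "qwerty",
    "letmein",
    "welcome1",
]


def _sha1_hex(secret):
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-character hex prefix -> set of 35-character suffixes.
# Many unrelated passwords share a prefix, which is what gives the client its
# anonymity: the service learns which bucket was asked for, not which password.
_BREACH_INDEX = {}
for _pw in _CONSTRUCTED_BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    _BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix):
    """Simulated server side of the range query: given a 5-hex-character
    prefix, return every known suffix under it (possibly none)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return _BREACH_INDEX.get(prefix.upper(), set())


def is_compromised(password):
    """Client side: hash locally, send only the prefix, compare locally.
    The full digest and the password itself never leave this function."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = range_lookup(prefix)
    # Constant-time comparison so timing does not leak how far a match got.
    return any(hmac.compare_digest(suffix, c) for c in candidates)


def login_decision(password, mfa_passed):
    """Hypothetical policy applied at login, tying screening to MFA:
    a known-breached password forces a reset before anything else;
    otherwise the session still needs a second factor."""
    if is_compromised(password):
        return "reset_required"
    if not mfa_passed:
        return "mfa_required"
    return "allow"


if __name__ == "__main__":
    for pw in ("letmein", "correct horse battery staple"):
        print(pw, "->", "COMPROMISED" if is_compromised(pw) else "not in corpus")
```

Because the comparison is on the whole 40-character digest, a hit is exact and a miss says only that the password is absent from the corpus in use; the check complements rather than replaces the MFA requirement the quote also calls for.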
“Firstly, assuring basic software and network infrastructure is well configured and doesn’t have obvious or naive gaps in its configurations (Windows updates, IPS systems, firewalls and so forth). Also using techniques such as Black Box (penetration and vulnerability scanners), web application firewalls and good programmers (also using static source code analysis).”
“The only way to keep web applications secure is by writing secure code. To achieve that, you need to hire knowledgeable software developers. Period.”
Do you also have some tips for fellow readers? Share your thoughts in the comments.