The Defender’s Dilemma: 5 Tips for Keeping Your Web Applications Secure

In cybersecurity, as in life, the bad guys always have the upper hand. This is known as the defender’s dilemma and is especially important for web security, where the attacker can be anywhere and strike at any time. Here are 5 tips to help you keep cybercriminals at bay.

The Defender’s Dilemma: 5 Tips for Keeping Your Web Applications Secure

Know Your Attack Surface

The fundamental challenge in cybersecurity is that attackers only need one gap to get through. Securing sprawling IT environments and countless websites and applications across a large organization is a constant uphill struggle, yet it only takes one oversight to leave your door ajar for cybercriminals. Recent high-profile breaches such as the SolarWinds hack have shown that the biggest attacks often start with the smallest weaknesses.

This is especially true of web application environments. Large organizations commonly focus on tightly securing only a handful of mission-critical web assets from the hundreds or thousands of websites and applications they have. Surprisingly often, they don’t even know all the assets they have online, let alone try to secure them – even though every single one contributes to their overall attack surface.

It’s all very well saying “keep everything secure”, but what if you don’t know what “everything” is? The first step in closing all the gaps is knowing what you actually have out there. Once you’ve discovered all your web assets, the second step is to probe for weaknesses just like an attacker would. When you know your true attack surface, you can start closing the gaps.

The Defender’s Dilemmas

  1. The defender must defend everywhere. The attacker can choose a weak point to attack.
  2. The defender can only defend against known attacks. The attacker can find and exploit new, previously unknown weaknesses.
  3. The defender must be constantly on their guard. The attacker can choose to strike at any time.
  4. The defender must obey rules, laws, and policies. The attacker has no such constraints.

Always Stay Alert

Cyberattacks are not like the movies. More often than not, there are no alarm bells going off and definitely no impressive control rooms with big screens flashing “Intruder Alert”. A probe or attack can come at any time and most won’t be detected immediately (or at all). The most dangerous attackers can be extremely patient, stealthily spreading their activities over a long period to avoid detection.

This is another attacker advantage: they can pick their time and place at will. When your web presence spans hundreds of systems all across the cloud, there is simply no way to build a watertight perimeter defense. The only practical approach is to regularly check your security from the outside in, just like an attacker would, and quickly seal any gaps to make sure the bad guys can’t find a way in.

Everything in cybersecurity is linked and related, so there’s no such thing as an unimportant system. If you only secure your critical assets, you run the risk of attackers sneaking in by the back door somewhere and eventually pivoting to your important data and applications. They might plant malicious code and come back to it in a few months for the actual attack. The bad guys are calling the shots – and they have time.

Expect the Unexpected

In this constant battle, the attacker chooses not only the place and time but also the weapons. The exploit arsenal keeps growing, so you need to both protect against known vulnerabilities and anticipate novel attacks. Again, in the long run, there’s no such thing as a small or insignificant weakness or security misconfiguration, since real-life attackers can chain seemingly innocuous issues to gain a foothold in the system.

The defender has to keep up with this arms race or risk being overwhelmed. The ability to simulate real-life threats is crucial to maintaining a tight defense, so it is important to perform outside-in testing using all of the attackers’ tricks, up to and including the very latest techniques. This is where the right people and the right tools are vital.

Penetration testing or, even better, red teaming can reveal vulnerabilities that are exploitable by real-life attackers. But while these manual methods will give you the best picture of your current security posture, you can’t apply them every time your application changes. Just as importantly, not every penetration test can cover all your assets and check each one for all known vulnerabilities. This is why a high-quality and up-to-date vulnerability scanner is an essential tool to maximize coverage.

Build a Defense-in-Depth

Even a simple website is only the tip of a technological (and security) iceberg. Consequently, web application security can be affected by security issues across the entire application stack – and vice versa. Leaving web applications unprotected can expose other systems to attack, especially databases and other data sources that are the cybercriminals’ prime targets.

Building a defense-in-depth is a security best practice that helps to minimize risk and mitigate the consequences of attackers breaching one layer of security. However, this should not mean simply piling external protection onto a vulnerable application environment. For example, web application firewalls (WAFs) are excellent for temporarily blocking identified vulnerabilities but not a replacement for actually fixing the issues.

Secure development and regular testing are the first and most important layer of application security. By following secure coding practices and efficiently incorporating security into the development process, you can minimize risk even before the application goes live. This also helps your teams to focus on development that brings business value rather than fighting fires and constantly working through a backlog of technical debt.

Choose Your Battles Wisely

All this is easier said than done, especially in the current economic climate and with the cybersecurity skills gap still looming large. You can’t fix every single issue immediately, but you can focus your limited resources for maximum efficiency and security benefits. This starts with the low-hanging fruit such as setting the right HTTP security headers or hardening the container images used in your CI/CD pipeline.

In security, a little effort put into prevention can save a lot of work and pain down the line. This is especially true of web application security, where the sheer number of real and suspected vulnerabilities across a large application environment can overwhelm the small web security team. To minimize risk and keep up with frequent application changes, application security must be automated wherever possible without compromising accuracy.

This is where a modern dynamic application security testing (DAST) tool such as Invicti can make all the difference. With its Proof-Based Scanning technology, Invicti can safely exploit and automatically confirm and triage the majority of high-impact web vulnerabilities. Detailed vulnerability reports can then go directly into the developers’ issue trackers with no need for manual verification by security engineers. Combined with a vast array of security checks and constant research to add more, this is a real game-changer.

For once, you can get ahead of the attackers – and stay ahead.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.