A website is every company's showcase, and web applications and portals deliver its critical functions and competitive advantages.
How did it all start?
10–15 years ago, most corporate websites acted as "business cards." They were written in HTML and displayed static information to users. They were not interactive, so there was little for an attacker to target. However, as new programming languages emerged, web resources began to carry less static and more dynamic content.
Users started to submit their own data to web resources, and this created vulnerabilities that could be exploited. Some vulnerabilities let an attacker upload content to the resource, while others expose the data of its users. These new threats led to the rise of web security tools.
What companies need web resource protection the most?
Banks were the first to enter the risk zone: they created remote banking systems where users could log in, make payments and wire transfers. These capabilities were a tempting target for intruders, who started to search for vulnerabilities in these resources and tried to execute unauthorized payments on behalf of other people. That is why banks were the first to protect their web resources, and today most of them have multilayered protection. Telecom operators and other organizations that needed to protect client accounts then took the same path.
The protection of electronic trading platforms and exchanges is an emerging trend, as they are also vulnerable to fraud. The market also demands protection for e-learning systems, which are being widely implemented in Russian universities. Students use them to access content and pass tests, so falsification of data may affect their academic performance. Furthermore, governmental organizations, especially utilities and energy companies, need to secure single-window user accounts, which are becoming more and more popular in many cities and regions. Bills and fines can be paid through these systems, and their money transfer functionality makes them a target for hacking.
Types of web application vulnerabilities
Some vulnerabilities can lead to the so-called website defacement—intruders host information that defames the owner on it.
Another type of vulnerability allows hackers to upload malicious content on the resource. Users who visit this resource are infected with viruses. Injection attacks are aimed at stealing information from a web resource. User data, accounts, email addresses, and phones can be used for targeted attacks or for sending spam, viruses, etc.
Hackers can use enterprise portals available through the Internet as a point of entry into the corporate network. They create a foothold for the attack on the web portal and then proceed to attack the internal infrastructure.
Human factor
End-user security awareness fails to keep pace with both the sophistication of attacks and the maturity of the security tools used by large businesses. Many companies are interested in raising user awareness and publish articles explaining how to stay safe when working with web resources and what to do if something goes wrong. It is also crucial for a company to adopt incident investigation procedures and to follow them.
The main protection for users is to check the site's SSL/TLS certificate: a valid certificate lets the browser encrypt the traffic between the user and that specific resource and rules out its falsification. This is complemented by multi-factor authentication with a password and a confirmation code sent via SMS.
Users need to be wary of phishing and make sure that the sites they visit are authentic. The names of fake websites often differ from the genuine ones by just one letter or digit. A user sees a familiar screen, enters their login and password, and the intruders get their credentials.
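The lookalike-domain pattern described above can be checked automatically, for example in a mail gateway or a browser policy that compares visited hosts against an allowlist of the organization's genuine domains. The following is an added example, not code from the original article or from Softline: it flags a host that is within one character edit of an allowlisted domain, or that embeds an allowlisted domain inside an unrelated one. All domain names are constructed placeholders, and the "registrable domain" heuristic (keep the last two labels) is an assumption made so the code runs offline without a public suffix list.

```python
from typing import List, Optional

# Constructed allowlist of an organization's genuine domains (placeholders).
LEGIT_DOMAINS: List[str] = ["examplebank.com", "example-telecom.net"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case the host, drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def registrable(host: str) -> str:
    """Assumption: the registrable domain is the last two labels.
    A real deployment would consult the public suffix list instead."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(host: str, allowlist: List[str] = LEGIT_DOMAINS,
                 max_distance: int = 1) -> Optional[str]:
    """Return the genuine domain that `host` imitates, or None if it is
    either genuine (the domain itself or one of its subdomains) or unrelated.

    Two phishing patterns are flagged:
      1. a genuine domain name embedded in an unrelated host
         (e.g. examplebank.com.evil.net), and
      2. a registrable domain within `max_distance` edits of a genuine one
         (e.g. examp1ebank.com, the one-character difference the text describes).
    """
    h = normalize(host)
    # Genuine domain or a subdomain of it: not a lookalike.
    for legit in allowlist:
        if h == legit or h.endswith("." + legit):
            return None
    # Pattern 1: brand domain embedded in a different domain.
    for legit in allowlist:
        if legit in h:
            return legit
    # Pattern 2: near-identical registrable domain.
    reg = registrable(h)
    for legit in allowlist:
        if edit_distance(reg, legit) <= max_distance:
            return legit
    return None


if __name__ == "__main__":
    for candidate in ["login.examplebank.com", "examp1ebank.com",
                      "examplebank.co", "examplebank.com.evil.net",
                      "unrelated.org"]:
        print(candidate, "->", lookalike_of(candidate))
```

Because the genuine-domain check runs before the similarity checks, the organization's own subdomains are never flagged; only hosts that are close to, but not under, an allowlisted domain are reported.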
How to ensure website security?
Many integrators offer a WAF (Web Application Firewall) as the main web security tool. A WAF analyzes the data sent to the resource and detects attacks and unauthorized actions.
Even in its default mode, a WAF can prevent the major classes of attack. It speeds up incident response by reporting port scans and attacks on known vulnerabilities, and by blocking them.
As the content and functionality of a website change over time, it is necessary to monitor that the WAF is still operating correctly and to audit the security of the web resource regularly.
Vulnerability analysis and penetration testing
The two main types of website security audit are penetration tests (pentests) and vulnerability analysis. Few companies provide both services without emphasizing one of them. Softline has experience in comprehensive projects in which our research lab performs both penetration tests and vulnerability scanning. The results allow us to fine-tune the Web Application Firewall that protects the resource.
Zero-day vulnerabilities: what to do?
Researchers and hackers are constantly searching for new attack vectors and zero-day vulnerabilities. Some are discovered at specialized contests, and the hacker attacking you may already know them. In such a situation, web security tools buy you time: you see that someone is targeting you, you can assess the frequency and vector of the attack, and the security and IT departments can take action before damage is done.
Not all types of audits are equally useful
Some companies offer automated scanning instead of vulnerability analysis, but scanning can only be a complement to a security audit. Others take the following approach to pentesting: they find one vulnerability, extend their attack from it, and then hand the client a frightening list of possible unauthorized actions based on that single loophole. Such a test is, of course, not exhaustive.
Advantages of cybersecurity audit by Softline
Softline has a strong team of penetration testers and analysts who know how to secure infrastructure, web portals and applications. Our experts regularly take part in national and international cybersecurity competitions.
When Softline experts find a vulnerability, they inform the client and explain its possible impact. Then, instead of extending the attack from this single entry point, they continue searching for further vulnerabilities. Customers who choose this approach get a better return from audits and pentesting.
Naturally, the best way to achieve the highest level of security is a comprehensive project in which we implement a WAF and conduct audits and pentests at the same time. Softline also provides multi-factor authentication solutions, classic network firewalls, load balancing systems, business continuity and DDoS protection systems. We cooperate with a large number of domestic and foreign vendors, and our expertise is confirmed by partner statuses and customer feedback.