An article by Test Aankoop caught my eye recently: they scanned a selection of 100 webshops and found vulnerabilities in 55 of them. 23 of those even contained very serious vulnerabilities, giving an attacker the chance to extract sensitive data or to run phishing attacks through the shop's own website.
In theory, all web applications have vulnerabilities. Whether the issue is in your website's own code or in an external library that you have not yet updated to the latest version, there is always something to improve. If you maintain your web application well, the seriousness of its vulnerabilities can be kept to a minimum, but it is impossible to avoid them altogether.
Lead by example
Recently my colleague Maxime evaluated the web applications of TCM. They are clearly concerned with the safety of their data and asked EASI to make sure that their customers' information is well protected. Luckily, no serious leaks were found, but we were able to make recommendations that take the security of their web environment to a higher level. TCM and EASI implemented the proposed recommendations together.
Keeping web applications secure
Security should be kept in mind in all layers of your application: the database, the APIs, the front-end, the network and, most of all, the human layer. There is a lot to consider, but here are some general pointers that may be useful. So what can you do? I'll give you four tips.
First of all, I would recommend hiring good security-aware developers, which means also screening candidates on their security knowledge. After all, if they decide that it is OK to store someone's password in plain text in a cookie, or to print sensitive information in the browser console because they think nobody but them will ever look there, then all other security measures make little sense. Security must be central to application development, not just a check that is performed afterwards.
Secondly, place a Web Application Firewall (WAF) in front of your web servers. A WAF inspects the requests to your website and blocks the connection when someone sends something that is abnormal traffic for your site. The WAF also holds a database of known vulnerabilities that is updated much faster than you can patch your website once a vulnerability is found, much like an antivirus signature database. So the WAF will block many exploit attempts against vulnerabilities on your server. However, don't treat the WAF as your primary and only protection; vulnerabilities should still be fixed on the web server itself!
Thirdly, frequent updating is important. Use the latest versions of external code libraries wherever possible, and run regular vulnerability scans to make sure that no new issues have crept into your systems, whether through your own code changes and new features, or simply through new types of attacks that have been developed in the meantime.
Last but not least, work with a professional security partner who can go through all the layers with you to implement and maintain the best possible security configuration for your environment. EASI can help you with all of the above and more!