
Five Web Application Security Best Practices

The internet is central to today’s businesses. Websites and applications are where companies and customers interact, often sharing sensitive data. Unfortunately, that makes them prime targets for cybercrime.

Websites and applications ask for and store all types of personal information, such as addresses, phone numbers, credit card numbers, and even medical data. Many also allow users to upload files – think of insurance sites that request pictures of damaged property in order to process claims. Attackers can take advantage of this functionality to upload malware that enables them to steal data or knock sites offline.

Organizations must follow web application security best practices to protect their own assets, protect customers’ data, and ensure optimal performance. Attacks on web apps are the top cause of data breaches, accounting for 21 percent in 2017, according to the Verizon Data Breach Investigations Report.

To avoid contributing to that statistic, follow these five web application security best practices:

Update and patch your web servers

Many attacks on websites and applications exploit vulnerabilities in their underlying web servers. Ensuring that web servers run the most up-to-date software is necessary to address these risks and reduce your attack surface. Keep in mind, however, that patching is only a first step.

Inspect all incoming traffic

Hackers can still exploit zero-day vulnerabilities for which patches do not exist, and they also have several other tricks up their sleeves. So it’s crucial to prevent malicious traffic from reaching web servers in the first place. A web application firewall (WAF) sits in front of the web server, inspecting traffic and blocking requests that could compromise the application. Choose a WAF that can identify and block malicious bot traffic, blacklist or whitelist IP addresses based on access policies, and scan file uploads for malware. A cloud-based WAF can also help organizations manage costs and scale more easily.
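The request-side checks this section lists (IP allow/deny policies and scanning of file uploads) can be sketched as a small inline filter. The code below is an added example, not Dyn's WAF or any product's code; the IP ranges are constructed from the documentation test networks, and the policy of "allow list wins over deny list" and the set of accepted upload types are assumptions chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy for the example: both ranges are RFC 5737 documentation
# networks, not real customer or attacker addresses.
ALLOW_LIST = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical partner range
DENY_LIST = [ipaddress.ip_network("203.0.113.0/24")]    # hypothetical blocked range

# File signatures (magic bytes) for the only upload types a claims form
# is assumed to accept, keyed by the declared Content-Type.
IMAGE_SIGNATURES = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}
# Headers of executable formats that should never arrive as a "photo".
EXECUTABLE_SIGNATURES = [b"MZ", b"\x7fELF"]


@dataclass
class Request:
    client_ip: str
    content_type: Optional[str] = None  # declared type of an uploaded file, if any
    body: bytes = b""                   # first bytes of the uploaded file


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_ip(client_ip: str) -> Decision:
    """Apply the IP access policy; an allow-list hit takes precedence (assumption)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in ALLOW_LIST):
        return Decision(True, "allow-listed")
    if any(ip in net for net in DENY_LIST):
        return Decision(False, "deny-listed")
    return Decision(True, "no IP policy match")


def check_upload(content_type: Optional[str], body: bytes) -> Decision:
    """Reject uploads whose bytes do not match the declared image type."""
    if content_type is None:
        return Decision(True, "no upload")
    expected = IMAGE_SIGNATURES.get(content_type)
    if expected is None:
        return Decision(False, f"unsupported upload type {content_type}")
    if any(body.startswith(sig) for sig in EXECUTABLE_SIGNATURES):
        return Decision(False, "executable header in upload")
    if not body.startswith(expected):
        return Decision(False, "content does not match declared type")
    return Decision(True, "upload accepted")


def inspect_request(req: Request) -> Decision:
    """Run the IP policy first, then the upload check, and stop at the first block."""
    decision = check_ip(req.client_ip)
    if not decision.allowed:
        return decision
    return check_upload(req.content_type, req.body)


if __name__ == "__main__":
    # Constructed sample: a claim photo that is really a Windows executable.
    print(inspect_request(Request("192.0.2.1", "image/jpeg", b"MZ\x90\x00")))
```

Checking the file header rather than trusting the declared type is the point of the upload check: a renamed executable still carries its own signature. A production filter would also cap upload size and hand the file to a malware scanner, which this sketch leaves out.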

Inspect all outgoing traffic

Web application attacks that steal data are among the most costly for companies to fall victim to. Regulatory compliance violations related to data breaches can result in significant fines and damage to a company’s reputation. Use a WAF to inspect outgoing traffic and block the transmission of protected data as governed by HIPAA, PCI DSS, and other regulations.
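As an added illustration of outbound inspection (not code from the post or from any WAF vendor), the block below scans a response body for payment card numbers, the kind of PCI DSS data the paragraph mentions, and either blocks the response or masks the numbers. It goes slightly beyond the text by using the Luhn check digit to separate real card numbers from other long digit strings; the sample response and the two card numbers in it are constructed (4111 1111 1111 1111 is a standard test number, and the second differs only in its check digit).

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number found in the text, as written."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if _is_pan(m.group())]


def redact(text: str) -> str:
    """Mask all but the last four digits of each card number."""
    def mask(m):
        if not _is_pan(m.group()):
            return m.group()
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, text)


def inspect_response(body: str, mode: str = "block") -> dict:
    """Egress policy: pass clean bodies; block or redact bodies carrying card numbers."""
    pans = find_pans(body)
    if not pans:
        return {"action": "pass", "body": body, "matches": 0}
    if mode == "block":
        return {"action": "block", "body": "", "matches": len(pans)}
    return {"action": "redact", "body": redact(body), "matches": len(pans)}


if __name__ == "__main__":
    # Constructed sample response leaking a card number next to harmless digits.
    sample = ("Thank you. Card 4111 1111 1111 1111 charged; "
              "ref 4111-1111-1111-1112; phone 555-0100.")
    print(inspect_response(sample, mode="redact"))
```

The Luhn step matters for false positives: order references, phone numbers and timestamps are digit strings too, and a filter that blocks on digit count alone would break legitimate pages. Blocking is the safer default for a payment flow; redaction suits pages that must still render.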

Rely on AI

Malicious hackers are using artificial intelligence (AI) and machine learning to develop more sophisticated attacks. In response, more web app security tools are incorporating AI and machine learning to identify and respond to threats that would otherwise evade detection by humans and traditional technologies.

Organizations can use machine learning to spot malicious behavior patterns, such as attacks by bots that mimic normal human behavior. These next-generation security tools can also automatically create and adjust rulesets to protect against those behaviors, eliminate false positives, and more.

Get intelligent about threats

The big question regarding inspecting incoming and outgoing traffic is, how do you know which traffic to block and which to allow? No single organization, no matter how large it is or how much visibility it has, can fully answer that question. Managed security service providers and threat intelligence services can provide detailed information on compromised IP addresses, zero-day vulnerabilities, malicious bot behaviors, and more.

What other web application security best practices does your organization follow? Share your thoughts with us on Twitter.

Colin Steele

Colin Steele is a marketing communications specialist at Oracle Dyn, writing about DNS, cloud computing and edge security. He formerly covered data center and end-user computing at TechTarget for 11 years.