Development / Security / Contributed

Web Apps and the White House Executive Order on Cybersecurity

31 Aug 2021 7:00am, by

Mark Ralls
Mark Ralls is President and Chief Operating Officer of Invicti. In this role, Mark helps set, communicate and drive company strategy and execution by bringing deep expertise in analytics, marketing, operations, and M&A. He is a proven builder and leader of high performing teams and has a passion for helping companies grow and scale. Mark previously held leadership roles at Vista Consulting Group (part of Vista Equity Partners), Social Solutions Global, SolarWinds, and Boston Consulting Group. Mark holds a B.S. in Mechanical Engineering from The University of Texas at Austin and an MBA from Harvard Business School.

Criminal hacking networks and state-sponsored hacking groups have been on the rise for years, up-leveling the pressure for organizations and government agencies to defend against threats. May’s Colonial Pipeline ransomware attack brought to light — maybe more than ever before — just how much disruption an attack of this kind could wreak on the country.

No doubt in response to this and other high-profile attacks, the Biden Administration issued an executive order to rally government agencies and private companies around national cybersecurity. The National Institute of Standards and Technology (NIST) quickly followed with a memo defining the critical software that must be defended from attack.

NIST defines this critical software as any that is able to run with elevated privileges or that controls access to data or operation technology. It also identifies the minimum requirements for protecting software to avoid catastrophic disruptions in an organization’s services or operations, but we should not mistake hardening critical software as a complete solution for cybersecurity.

Why Web Apps Should Be Considered Critical Software

Web apps represent a massive attack surface and are one of the dominant attack vectors for hackers. According to Verizon’s 2021 Data Breach Investigations Report, in 2020 a staggering 90% of data breaches originated in a web app, and it’s easy to see why: the Cloud Security Alliance estimates the average enterprise has 464 custom applications deployed, and large enterprises may have upwards of 800.

Another study by Immersive Labs and Osterman Research released in July 2021 estimates that 81% of developers knowingly push insecure code to production. Between the sheer volume of web apps being produced and the rush to stand them up, it’s no surprise they’re a prime target for hackers.

Compounding these challenges is how to identify just which web apps hackers might target. We saw this with the hack of J.P. Morgan through its Corporate Challenge road race registration website, which affected 76 million customers. The attack came through a website that certainly wouldn’t have been considered critical software.

Looking at the landscape more broadly, web apps are exploding in growth — from roughly 350 million in 2011 to nearly 2 billion in 2020. During the same time, data breaches grew from roughly 1 billion in 2011 to roughly 5.5 billion in 2020. At best, advances in security technology have kept pace with advances in hacker attacks over the past decade. So why aren’t web apps getting the security hardening they need?

What’s Holding Companies Back from Securing Their Web Apps

Organizations often assume they lack the resources to secure everything, so they take a triage strategy, focusing on their “crown jewel” applications. In reality, this means ignoring apps that may seem less mission-critical yet present just as much security risk. Add to this the apps that are lost, forgotten or ignored because they are not an active part of operations, and the at-risk attack surface starts to look pretty significant.

Another reason web apps are left unsecured is an overemphasis on “shift left” strategies at the expense of the massive attack surface in production. Of course, shifting left is a critical part of securing web applications, but it falls far short of a complete security strategy. Organizations must cover both the left and the right to adequately protect themselves.

Modern dynamic application security testing (DAST) and interactive application security testing (IAST) are two examples of solutions that can bring critical time-savings (often the difference between hours and days) and accuracy to security teams.

Covering the left and the right without tradeoffs requires that organizations adopt tools that enable them to map their entire attack surface (including those seemingly innocuous little web pages that provide an unmonitored back door into more critical systems), scan everything on the left and the right, and then facilitate remediation through orchestration and workflow integrations. That’s the only way to keep pace with the rate at which new applications are being produced and updated. It sounds like a tall order, but modern dynamic and interactive application security testing tools make it possible.

Why Enterprise Integration and Orchestration are the Path Forward

Organizations can only address a sprawling attack surface if their tools help them scale beyond the constraints of their security staff. Where application sprawl is rampant and in DevOps environments where software might be updated multiple times a day, only tools that excel in accuracy, speed, and automation are up to the task. Enterprise orchestration and workflow integration are critical.

Modern dynamic application security testing (DAST) and interactive application security testing (IAST) are two examples of solutions that can bring critical time savings (often the difference between hours and days) and accuracy to security teams. Tackling these challenges head-on, along with implementing proper workflow orchestration, can play a crucial role in building trust and collaboration between developers and security teams.

Enterprise orchestration of the remediation process, integrating vulnerability alerts in ticketing systems, ensures vulnerabilities are tracked, remediated, and confirmed fixed. With this kind of integration into developer workflows — especially when combined with IAST’s ability to help pinpoint vulnerabilities — organizations can not only work down security technical debt, but stay ahead of the curve.

All software is critical software when it comes to web apps. The notion that it’s beneficial to focus on a few high-risk applications is obsolete, now that increasingly powerful and interconnected web applications put sensitive information and operational systems at risk. Companies can’t compromise on security. Only by treating all web applications as critical can organizations create the kind of security required in today’s threat landscape.

The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: Immersive Labs.

Feature photo by René DeAnda on Unsplash

A newsletter digest of the week’s most important stories & analyses.