2 June 2020

How to Secure Web Applications

By DICC Institute

In the course of digitization, web applications have become a business-critical part of IT and thus an attractive target for hackers. You can practically learn how to secure web applications by joining an ethical hacking course.

The importance of protecting applications is often underestimated. Companies want to implement their ideas quickly, and security principles are often violated or ignored. They bring minimally functional iterations of a product onto the market in order to test them with customers as quickly as possible. The product is on the Internet and is connected to other data pots. The gate has already been opened.

Also Read: How deepfake endangering cyber security

To counter this, there is a complete solution. The aim is to combine different components that ensure security in different disciplines. The demand for such complete solutions from a single source is increasing because individual components often come from various manufacturers and do not work well together.

A web application firewall has to do many tasks

A modern web application firewall (WAF) is an all-rounder. So it should be able to protect APIs in addition to its actual tasks. API stands for Application Programming Interfaces, i.e. interfaces to other programs. A conventional WAF is designed for HTML forms and cannot deal with JSON structures that are common with APIs. API security and web application security are increasingly merging, especially since security topics such as cross-site scripting or injection attacks are now relevant on all channels. Javascript applications that run in the browser and access APIs in the backend are becoming increasingly popular.

Also Read: Top 10 Cyber Security Trends and Digitization and cyber security – How to Make Digital World Secure

The WAF analyzes every request between users and web applications and services. Attempts to attack can be blocked before they reach the internal network. Interaction with an Identity and Access Management and an API gateway guarantees that only filtered, authenticated and authorized accesses occur.

Some WAFs also offer integration of threat intelligence, i.e. a check against lists of threats. Practically every address in the IPv4 range can be scored whether malicious activities are expected, such as spam, attacks against web servers, phishing, or Tor nodes. This information can be used in access management to develop appropriate policies. Example: If access is via Tor, two-factor authentication is mandatory.

Another technique is called virtual patching: a reverse proxy protects internal services from external access. Access lands on the proxy, where patches against security gaps can be imported promptly and automatically. This gives companies more time to secure the physical hardware. Distributed keys also provide extra security. Passwords are usually saved as hash values. If an attacker gains access to such a password database, it is a matter of time before the hash encryption is cracked. IBM Research has developed a cryptographic protocol for dividing a password into distributed hashes and storing them on multiple servers. To decode the hash of a password, all individual parts are then necessary.

API gateway for secure interfaces

Application programming interfaces (APIs) are the pillars of modern applications and services. These interfaces expose data beyond company boundaries to the Internet, where customers can access it. Protection is therefore necessary, not only against conventional attacks via the web, but also against API-specific attacks. With an API gateway, JSON schemas and Open API specifications can be enforced. All API calls that do not correspond to this will be rejected. Dashboards and reporting provide an overview of all API access, show attempted attacks and violations of specifications, identify performance problems and make errors in the backend visible. Access logs to API calls can be forwarded to subsystems and thus serve as the basis for monetizing access, for example.

Identity and Access Management

Identity and Access Management (IAM) has the task of authenticating users and transmitting the information to the appropriate application. In order not to be dependent on a method, a strong two-factor authentication is recommended. This can even be implemented in applications that do not actually support this. One example is Microsoft Sharepoint, which works with a user name and password. The IAM nevertheless enables two-factor authentication by querying a second factor and transmitting the established identity to the application. Users also benefit from a single sign-on: depending on where an access is directed, the identity of the authenticated user can be represented differently. The IAM serves as a kind of identity switch. In addition, the situation of access – at work, from home or on the go – and the history of a user can be taken into account. BYOI (Bring Your Own Identity) is used when users bring their identities with them for external access. You use existing accounts from social networks such as Facebook, Google or Twitter to access services. With a second factor, such a social login can be expanded to a highly authenticated login.

Please follow and like us: