Web App Security: What Is It & Why Does It Matter?

May 29, 2020

Cloud and web applications are frequently and easily confused – sometimes even deliberately by software vendors looking to cash in on the kudos attached to cloud computing these days.

Both are practical examples of remote computing in action, relying on access to data stored in data centres rather than on-premise servers. But a key difference is that cloud applications don’t always need to be connected. They can download the data they need from a remote source, use and process it locally to perform tasks, and then upload it back to the cloud when necessary.

Web applications, on the other hand, need to be online at all times to function. They are designed to use the same architecture as a website, relying on web servers to execute tasks and often running in a web browser on the client side, connecting the two via the public internet. On the one hand, this makes them extremely portable and convenient – you can run a web app any time, any place on any internet-ready device without having to install software directly on the device. This also makes them very ‘lightweight’ for storage purposes.

Millions of businesses all over the world take advantage of these benefits and more, including cost savings, by running web applications for a range of purposes – free-to-use productivity and collaboration tools like Google Apps, web-based email, ecommerce storefronts and shopping carts, digital marketing and data capture tools and so on. In fact, any kind of transaction you can carry out via a web page, whether it is signing up for a newsletter or making a purchase, most likely relies on a web application to function.

Web app security challenges

Continuous connectivity, and the fact that no protective software is installed on the client device to defend them, make web apps vulnerable to cybersecurity breaches. As use of web apps has increased, cybercriminals have stepped up their efforts to target them.

It has been reported that a staggering 92% of web applications have security flaws or weaknesses that can be exploited. Nearly half of those vulnerabilities lead to data breaches, exposing businesses to heavy regulatory penalties and reputational damage as well as direct financial losses. Yet despite these risks, approaches to web application security are often sluggish and lax. For example, it takes an average of 38 days for a patch to be applied to correct an identified web app vulnerability – even though the average time for a patch to be released after a vulnerability is identified is just 24 hours.

There are a number of different ways that cybercriminals look to exploit web applications. Hackers may seek to insert malicious scripts into webpages or databases to give them control over apps or allow them to view and steal sensitive information. These approaches include tactics known as cross-site scripting (XSS) and SQL injection (SQLi).

Alternatively, malicious actors might seek to forge or ‘phish’ authentication and authorisation details to give them access to user accounts, again with a view to taking over assets or taking data, or selling them on to other bad actors on the black market. One study found that access details to the websites of nearly three quarters of FT500 companies could be purchased on the dark web.

Memory corruption and other anomalies in memory can also be exploited to allow malicious code to be injected into sites. And then there is always the risk of a denial-of-service (DoS) attack, which aims to overwhelm the application server and hamper or interrupt normal operation.
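The XSS and SQL injection tactics described above both come down to the same mistake: user input is mixed into a query or a page in a way that lets it change the structure rather than just the data. The following is an added example (not code from the original article) showing a lookup and a greeting written the vulnerable way next to their hardened forms, using Python's standard sqlite3 and html modules. The database, the table layout and the inputs are all constructed for illustration.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so a quote character
    # in it ends the string literal and the rest is parsed as SQL.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: a parameterised query. The SQL structure is fixed and the
    # driver passes the value as data, so it can never alter the statement.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_unsafe(name: str) -> str:
    # Vulnerable: raw input lands in the HTML, so markup in it is rendered
    # and any script in it runs in the visitor's browser (stored/reflected XSS).
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened: HTML-encode the value so the browser shows it as text.
    return f"<p>Welcome, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = build_db()
    # Constructed inputs that a vulnerability scanner would typically try.
    probe = "x' OR '1'='1"
    print("unsafe rows:", len(find_user_unsafe(db, probe)))  # every user leaks
    print("safe rows:  ", len(find_user_safe(db, probe)))    # no such username
    print(render_greeting_unsafe("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The hardened versions are not longer or slower than the vulnerable ones; the fix is to keep data and structure apart, which is why building this in from the first line of code costs far less than bolting a filter on afterwards.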

The importance of web app security

Web application security matters because of the amount of sensitive information that passes through web applications. Every login, every sign-up, every purchase, every document saved, all of that transports data over the open internet and stores it on a web server, potentially making it accessible via one of the vulnerabilities listed. That puts firms at huge risk of serious data and privacy breaches, which, as we have noted, in the GDPR era can carry stiff financial penalties.

Key methods of tightening up web app security include deploying web application firewalls, which ward off scripting and forgery attacks at the server side, and utilising web vulnerability scanners, which reveal the kind of weaknesses hackers will look to exploit, hopefully before they do.

But equally, businesses can no longer afford to treat security as an afterthought, as something that can be addressed later once an app is up and running. For organisations developing or customising their own web apps in-house, security should be built in by design from the earliest stages of development, including rigorous testing and analysis of potential weak points.