Application Security: Data Leakage Prevention

February 26, 2020 - Ensighten

While a huge target for hackers, your web applications don’t have to be the weak link in your security defense

What is web application security?

Web application security refers specifically to the security of websites, web applications and web services. It is essentially how you safeguard your company website through detecting, preventing and responding to cyberattacks.

Web applications, such as your company website, are critical touchpoints for customers – a place where they can interact with your brand, product or service. But when it comes to external cyberattacks, your web applications are also your weakest link. Web application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks.

This is confirmed by Verizon’s Data Breach Investigations Report, which states that from an overall data breach perspective, stealing credentials was the most common action by hackers and web applications were the most common vector through which they did it in 2019. This is due in part to hackers re-directing their attacks to ecommerce websites after greater security measures were introduced for physical credit card transactions: “Essentially, web application attacks have punched the time clock and relieved POS Intrusion of their duties,” says Verizon.

The shocking truth is that today your website is exposed to hundreds of threats in the form of malicious JavaScript code injections, unsolicited advertising, digital skimming and third-party vulnerabilities, as well as accidental data leakage or non-compliance with strict data protection regulations. Indeed, half of web applications reportedly have access control issues and one third are susceptible to code injection.

How does this happen? Typically, an attacker compromises a web application and installs code into the payment application that captures the customer’s payment card details as they complete their purchase.

An added complication is that activity such as digital skimming (when hackers use malicious code injects to capture website visitors’ payment card details upon checkout) happens on the client-facing side of the website, meaning organizations will often have no awareness that an attack is in progress until it is too late.

Hacked websites can then be used for distributing malware, stealing data, posting unsanctioned ads, committing fraud or even penetrating an internal network.

Third-party data breaches

Third-party breaches account for more than 60 percent of all data breaches in the US, according to the Ponemon Institute. Factoring in the multi-year financial fallout from breaches, increased regulation and the complexity of resolving criminal attacks, the average cost of a data breach in the US is now $8.19 million – more than double the worldwide average.

In addition, those breaches originating from a third party can cost companies $370,000 more than average, highlighting the need for organizations to closely vet the security of the companies they do business with, align security standards and actively monitor third-party access.

Why is this important? Web applications like your website can play host to dozens or even hundreds of third-party vendors that improve the user experience, facilitate transactions or add functionality in some other way. Time and time again, we have seen global brands suffer website data leakage because hackers have been able to exploit a third-party vulnerability.

With web applications so susceptible to attack, can you afford the long-term financial and reputational damage that losing your customers’ data would cause your business?

Preventing data leakage

In its 2019 report into attacks on web applications, Positive Technologies notes that “across all sectors, the site of any company is at risk every day. To secure resources and safeguard reputation with clients, companies must take preventive measures for protection.”

It might seem daunting, but there are steps you can take to reduce the risk of web application attacks. Analyst firm Forrester recommends:

  • Regularly analyzing your own website scripts throughout the development lifecycle
  • Implementing client-side protections such as anti-skimming and malware protection
  • Deploying bot management solutions to detect and defend against botnets that result from browser-based attacks

“As attackers focus more on the client side, organizations must consider the impact of script and browser vulnerabilities more broadly. Work the above scenarios into your threat modelling and think about how to best protect your customers and their experiences with your site,” it notes.

This means gaining greater visibility into what is happening on your website in real time. You should know what code is running on your web application – whether it is your own, or from a known or unknown third party – and have the ability to control and limit who has access to what data, in order to prevent leakage.

This is where Ensighten can help. We are experts in client-side security – get in touch to find out how you can prevent a cyberattack on your business.

You are only as strong as your weakest link so make sure your web application is not the weak link in your cyber defenses.