
Keeping Intruders Out of Your Web Apps

This is the first installment in a three-part security series by OnX Director of Product Management, Chris Munoz.

Intruders love to attack web applications. Why? Because most web apps are built to do one specific job quickly and efficiently, and to start paying off as soon as possible.

The sad truth is that, far too often, security takes a back seat in the get-it-up-now world of web app development, especially when we’re talking about custom code rather than commercial software. Hackers know this, so they do everything they can to find and exploit vulnerabilities in web apps.

An internet-facing web application is a door from the public internet into your network. If you don’t harden your web apps, you’re basically leaving that front door unlocked and inviting the world in. The world is full of great people, of course, but the ones who most want into your network are precisely the ones you want to keep out.

Here are some of the keys to keeping intruders out of your web apps:

Understand the Key Web App Attack Vectors

Start by familiarizing yourself with hackers’ favorite ways into apps, such as:

  • SQL injection
  • Cross-site scripting (XSS)
  • Denial of service (DoS) attacks

There are many more, of course, and new ones are being dreamed up every day. Make sure your security team stays abreast of them and understands exactly how each one is exploited, not just what it is called.
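The first two vectors on the list, shown as a vulnerable function beside its hardened form. This is an added example, not code from the original post: the users table, the accounts, and the attacker payloads are all constructed here, and the in-memory SQLite database stands in for whatever the real app uses.

```python
"""SQL injection and reflected XSS: vulnerable code beside the fix.

Added example. The users table, accounts and payloads are constructed
for the demonstration; nothing here comes from a real application.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Passwords are stored in plain text only to keep the example short;
    # a real application stores a password hash, never the password.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """SQL injection: user input is spliced straight into the query text,
    so a quote in the input changes the SQL the database executes."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the values travel separately from the SQL text,
    so quotes and comment markers in the input are data, never syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def render_greeting_vulnerable(name: str) -> str:
    """Reflected XSS: untrusted input is written into the HTML unescaped."""
    return "<p>Welcome, %s</p>" % name


def render_greeting_safe(name: str) -> str:
    """Output encoding for the HTML context turns markup in the input into
    inert text; the browser shows the tag instead of executing it."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker payload: closes the quote and comments out the
    # rest of the WHERE clause, so the password is never checked.
    payload = "alice' --"
    print("vulnerable login:", login_vulnerable(db, payload, "wrong"))  # ['alice']
    print("safe login:      ", login_safe(db, payload, "wrong"))        # []
    # Constructed tautology payload: matches every row in the table.
    tautology = "x' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, tautology, tautology))
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_safe(xss))
```

The fix in both cases is the same idea: keep untrusted input in the data channel (query parameters, encoded text) and out of the code channel (SQL text, HTML markup). Input filtering on its own is not a substitute; the parameterised query and the encoder are what make the payloads harmless.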

Bake Security Into Your Web App Development

With developers focused intently on the functionality of an app, security is often an afterthought in the development process. A web app can ship with a security hole as basic as the default or hard-coded login credentials that developers left in place so they weren’t stuck logging in every time they made a minor code tweak. If the app goes public that way and hackers find out about it, it’s like turning the Pirates of the Caribbean loose in your network.

Before an app goes live, blast it eight ways to Sunday with the common intrusion techniques, and then keep testing it after it goes live. Never underestimate hackers’ ability to find gaps in your web apps. They assume the gaps are there, and they will keep looking until they find them.

The longer you delay them, the more likely they’ll give up and start prowling someone else’s network.

Invest in Intrusion Detection and Logging Technology

Modern intrusion detection software tracks logs from network devices and servers in real time and flags anomalies. Most users do the same things the same way every day, so traffic that departs sharply from that baseline is worth investigating: it often means somebody is up to no good.

You might notice, for example, a rapid decline in performance on one section of your network. With the right software, you can scan the logs in real time and discover that a single source is flooding one node with requests: the standard DoS attack profile.
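The flood profile just described, detected from web server access logs. This is an added example of the detection logic, not the post’s own tooling or any product’s: the log lines are constructed (addresses from documentation ranges, invented timestamps), and the ten-second window and twenty-request threshold are assumptions that a real deployment would tune against its own baseline.

```python
"""Sliding-window flood detection over access-log lines.

Added example. The log format is the common access-log layout; the
sample lines, window and threshold are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# client, ident, user, [timestamp], "request line", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_seconds=10, threshold=20):
    """Per-client sliding-window rate check.

    Lines must be in time order. For each client, keep the timestamps of
    its requests within the last `window_seconds`; the first time a client
    exceeds `threshold` requests in that span, emit one alert of the form
    (ip, timestamp, count) and do not re-alert for that client.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than crash the detector
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append((rec["ip"], rec["ts"], len(window)))
    return alerts


def sample_log():
    """Constructed log: two clients browsing at a human pace plus one source
    sending 40 requests in four seconds to a single endpoint."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    entries = []

    def add(ip, offset, req, status=200):
        ts = base + offset
        entries.append((ts, '%s - - [%s] "%s" %d 512'
                        % (ip, ts.strftime(TS_FORMAT), req, status)))

    for i in range(6):
        add("192.0.2.10", timedelta(seconds=10 * i), "GET /catalog HTTP/1.1")
        add("192.0.2.11", timedelta(seconds=10 * i + 3), "GET /cart HTTP/1.1")
    for i in range(40):  # ten requests a second from one address
        add("198.51.100.7", timedelta(milliseconds=100 * i), "GET /search?q=a HTTP/1.1")
    entries.sort(key=lambda e: e[0])
    return [line for _, line in entries]


if __name__ == "__main__":
    for ip, when, count in detect_floods(sample_log()):
        print("flood from %s: %d requests in the window ending %s"
              % (ip, count, when.isoformat()))
```

The check fires on the 21st request from 198.51.100.7 while the two ordinary clients never come close to the threshold. A request-rate rule is only one signal; the same window structure works for error-rate spikes (many 4xx or 5xx responses from one source) or for bursts against a single URL, which is how a real system narrows a performance complaint down to a specific node and a specific source.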

Install a Web Application Firewall

Layer 7, the application layer, really needs its own firewall, separate from the one you install at the network level. Why? Because a network firewall filters on addresses and ports, and a SQL injection or XSS payload arrives on port 443 looking like any other request. Attacks at the application layer are only visible if you move your attention further up the stack and inspect the requests themselves.

A web application firewall (WAF), working in tandem with intrusion detection and log management, inspects HTTP traffic and can block requests that match the patterns that crop up only with layer 7 attacks.
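The kind of request inspection a layer 7 firewall performs, as an added example that is not the post’s code and not any product’s rule set: a few regex signatures applied to the decoded path, query string and form body of constructed requests. The rule names, patterns and sample requests are assumptions for illustration; a production WAF has far larger rule sets and a tuning process behind them.

```python
"""Minimal layer 7 request inspection with signature rules.

Added example. Rules, rule names and sample requests are constructed;
they illustrate the mechanism, not a real rule set.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Signatures for two of the attack vectors named earlier. They run over the
# decoded fields, not the raw bytes, so URL-encoding a payload does not
# slip it past the rule.
RULES = [
    ("sqli-quote-then-comment", re.compile(r"'\s*(--|#|/\*)")),
    ("sqli-tautology",
     re.compile(r"'\s*or\s+'?[\w ]+'?\s*=\s*'?[\w ]+", re.IGNORECASE)),
    ("xss-script-tag", re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)),
]


def decoded_fields(request):
    """Every place attacker-controlled text can hide in a request: the
    percent-decoded path, each query-string value and each form-body value."""
    parts = urlsplit(request["target"])
    fields = [unquote(parts.path)]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        fields.extend(values)
    if request.get("body"):
        for values in parse_qs(request["body"], keep_blank_values=True).values():
            fields.extend(values)
    return fields


def inspect(request):
    """Return ("block", rule_name) on the first matching signature,
    otherwise ("allow", None)."""
    for field in decoded_fields(request):
        for name, pattern in RULES:
            if pattern.search(field):
                return ("block", name)
    return ("allow", None)


# Constructed requests: a normal search, two classic probes, and one
# hypothetical request that abuses the app's own logic (assumed for the
# example) with nothing in its syntax for a signature to match.
SAMPLE_REQUESTS = [
    {"method": "GET", "target": "/search?q=red+shoes"},
    {"method": "POST", "target": "/login", "body": "user=alice%27+--&pass=x"},
    {"method": "GET", "target": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"},
    {"method": "GET", "target": "/search?q=x%27+OR+%271%27%3D%271"},
    {"method": "GET", "target": "/orders/export?customer=1042"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, rule = inspect(req)
        print("%-5s %-45s -> %s %s" % (req["method"], req["target"], verdict, rule or ""))
```

Two things worth noticing in the output. The probes are blocked even though they arrive percent-encoded, because matching happens after decoding. The last request is allowed: if it exploits a flaw in the application's own logic, its traffic is indistinguishable from a legitimate user's, which is exactly the limitation of signature-based blocking. Regex signatures also produce false positives on ordinary text, so rules need tuning against real traffic before they are set to block rather than log.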

Outsource to Security Experts

The above barely scratches the surface of web application vulnerabilities. You can have a WAF optimized to perfection, deploy state-of-the-art intrusion detection and real-time logging, and still get hacked.

If a web app goes live with an easy-to-exploit security hole, hackers can stroll right past your intrusion detection and WAF, because their traffic will look like everybody else’s and won’t raise any red flags to block it.

With security, the key is to have people who devote their lives to doing nothing but foiling hackers and securing systems. Because attack vectors change daily, it’s important to watch zealously for the latest attacks and get systems patched. And it’s about creating so many hurdles for hackers that they get fed up and look elsewhere.

Going with a trusted Managed Security Services Provider (MSSP) can give you this protection while freeing up IT people to focus on your core business. At the end of the day, there is no simple cure-all for security. Effective protection is a 24×7 job. Successful organizations implement their programs proactively using the best technologies, skill sets and processes available from the industry experts.

Accelerate Your Success

Let us help you get started with the free guide 10 Ways to Achieve Your IT Goals and Accelerate Success. It will take you through everything you need to put you in the lead.