A report from Acunetix, The Invicti AppSec Indicator, Spring 2021 Edition: Acunetix Web Vulnerability Report, came out with the conclusion that Web Application Security was a victim of the on-going COVID-19 pandemic. The report found that:
- Due to the pandemic, organizations had to redirect their IT resources. With the work from home that was forced on many companies, along with other pandemic forced changes, businesses delayed web application projects. The result was that fewer web applications were updated and/or created. As a result, they introduced fewer vulnerabilities.
- On the other hand, many companies shifted security efforts towards endpoint security for the work from home systems. This in turn meant that security teams had no resources to address many web application security issues, including those that had been discovered in 2019 or earlier.
Based on these two trends, the report concluded that there was a general lack of improvement in the level of web application security. From other reports we know that cyber attacks have increased during the pandemic. Together with the lack of improvement in web application security in organizations, 2020 was a pretty bad year for web application security overall.
Take a Page from NIST to Improve Application Security
There are a number of simple measures an organization can take to improve their web application security stance. First starts at the very beginning of application development, and that’s making sure developers take security into consideration when developing and coding applications. Second, is making sure that software and operating systems are kept up to date, with the latest updates and patches to ensure known vulnerabilities that have patches are not exploited.
In addition to these two fundamental starts to application security, there’s still a need to ensure security for web applications running in production, especially against threats either missed or not typically secured by network or system level security. The OWASP Top 10 Web Application Security Risks are a great example of risks that aren’t typically protected with network or system level security.
It is important to remember to have a security framework that offers a defense-in-depth architecture. Maybe it’s time to take a hint from the recent finalization of the National Institute of Standards and Technology (NIST)’s SP800-53 that was just released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST) as added layers of security in the framework.
Change how you protect your applications, and check out K2’s web application and application workload security solutions and evaluate K2’s effectiveness at detecting vulnerabilities and protecting your organization from attacks.