A cyberattack against an organization’s web presence can have significant business impacts. These can range from a Distributed Denial of Service (DDoS) attack creating site lag that drives customers to more responsive sites to data skimming malware designed to steal payment card information.
Securing an organization’s website requires securing the web applications that run on it. However, this can be more difficult than it would seem. The modern web application isn’t written entirely with in-house code. Instead, web developers take advantage of a wide range of third-party code and libraries to speed development and implement complex functionality. A great deal of this code is high-quality and has undergone peer review for functionality and security; however, not all open source code is created equal.
The Growth of Third-Party Dependencies
Most organizations use JavaScript on their website. The programming language allows their web pages to be much more flexible and interactive for their customers. In the modern world, where an organization’s web presence is the primary point of contact between a company and its customers, a well-designed website can be a crucial factor in landing a sale.
However, most organizations don’t write every piece of code on their website. A widely-used JavaScript package ecosystem, npm, is used by every one of the Fortune 500 companies – and many others as well. The ecosystem contains a wide range of open-source libraries built by millions of developers and made available for public use. The appeal of open-source code on npm – and other open-source code repositories – is simple. Any third-party code that a program imports as a dependency is code that the organization doesn’t have to write itself. In a competitive landscape, this faster time to product can have a significant impact upon sales.
As a result, the average web application contains 1,000 different dependencies on external code. And the spread of dependencies doesn’t stop there. Each of these dependencies contains an average of 80 dependencies of its own. As a result, a web application’s attack surface is much greater than the little bit of code written in-house.
The Supply Chain Security Problem
The average web application has at least a thousand dependencies on third-party code. Each of these dependencies represents a potential security threat to the organization’s web presence. Any bugs and vulnerabilities contained within these libraries can also affect the security of the web application using them. The security and code quality of libraries contained in npm and similar open source repositories varies greatly. Some code on the site is developed as part of projects maintained by large organizations with strict code quality and security review policies. Others may be developed by individual contributors who perform little or no review of source code.
In order to be secure, an organization needs to manage the security of all the code that it uses, both in-house and third-party. However, the sheer amount of code that the average web application depends upon can make this difficult or impossible. The organization’s security team would need to perform a comprehensive security review of every line of code in every dependency used by a web application.
In reality, only 40% of developers perform this type of security check – which is called software composition analysis (SCA) – at all, let alone testing every piece of code in use. As a result, most organizations are largely unaware of the potential threats to their web application security.
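As an added example (not code from the original article), the script below walks a constructed npm lockfile in the lockfileVersion 3 "packages" layout, counts direct versus transitive packages to size the dependency attack surface described above, and runs a minimal SCA-style check against a constructed advisory list. The package names, versions and advisory id are hypothetical.

```javascript
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-frontend-lib": "^2.0.0", "analytics-tag": "^5.0.0" } },
    "node_modules/web-frontend-lib": { version: "2.1.0", dependencies: { "util-helper": "^1.0.0" } },
    "node_modules/analytics-tag": { version: "5.2.0", dependencies: { "util-helper": "^1.0.0" } },
    "node_modules/util-helper": { version: "1.4.2", dependencies: { "string-pad": "~0.3.0" } },
    "node_modules/string-pad": { version: "0.3.1" },
  },
};
// Hypothetical advisory feed (constructed): versions below `fixed` are affected.
const advisories = [{ name: "string-pad", fixed: "0.3.2", id: "EXAMPLE-ADVISORY-0001" }];
// True when major.minor.patch version a is older than b.
function versionBelow(a, b) {
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}
// Breadth-first walk from the root package, recording the shortest chain that pulls in each package.
function resolveGraph(lock) {
  const chains = new Map();
  const queue = [["", []]];
  while (queue.length) {
    const [key, chain] = queue.shift();
    for (const name of Object.keys(lock.packages[key].dependencies || {})) {
      if (chains.has(name)) continue; // already reached by a shorter chain
      const next = [...chain, name];
      chains.set(name, next);
      queue.push([`node_modules/${name}`, next]);
    }
  }
  return chains;
}
// Size of the third-party attack surface: direct (chain length 1) vs. transitive packages.
function attackSurface(lock) {
  const depths = [...resolveGraph(lock).values()].map((c) => c.length);
  return { total: depths.length, direct: depths.filter((d) => d === 1).length,
           transitive: depths.filter((d) => d > 1).length, maxDepth: Math.max(0, ...depths) };
}
// Minimal SCA check: report installed versions an advisory covers, plus the chain that introduced them.
function findVulnerable(lock, feed) {
  const hits = [];
  for (const [name, chain] of resolveGraph(lock)) {
    const version = lock.packages[`node_modules/${name}`].version;
    for (const adv of feed)
      if (adv.name === name && versionBelow(version, adv.fixed))
        hits.push({ name, version, id: adv.id, via: chain.join(" > ") });
  }
  return hits;
}
```

The `via` chain is what makes a finding actionable: it names the direct dependency that must be upgraded or replaced to remove the transitive package.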
Managing the Web Application Supply Chain
The need to meet swift release deadlines and operate in a fast-moving and competitive environment has driven many organizations to take advantage of third-party libraries and open source code during their development process.
While the use of existing code can speed up development and even provide higher quality code than can be produced in-house, not all open source code is created equal. While some libraries are produced by organizations with formal software development and review policies in place, others are created by individual contributors with little or no oversight.
Regardless of the source, these third-party libraries can contain bugs or exploitable vulnerabilities. These vulnerabilities then transfer to the software that depends upon them, making it vulnerable to attack.
For many organizations, performing a comprehensive code review of their code dependencies is not feasible. Achieving a reasonable level of website security requires an alternative approach.
By deploying solutions that are capable of identifying and blocking attempted exploits of their web applications, organizations can protect their web presence from attack. A strong web application firewall (WAF) is a good choice for general protection of an organization’s web presence. With a robust set of built-in detection algorithms, a WAF can protect against common web-based attacks like cross-site scripting and buffer overflows.
Some applications may require more specialized protection, tailored to applications that process sensitive data. For these solutions, runtime application self-protection (RASP) is a good choice. A RASP solution monitors an application’s inputs, outputs, and behavior for any anomalies that may indicate an attack.