Hackers are targeting your HR apps. How do you stop them? Set priorities.
To do so, you have to catalog what you have (and therefore what you need to protect). You have to figure out which ‘attack surfaces’ stand out to hackers looking to get inside your HR information system – and you have to use the right tools to keep attackers out.
Fortunately, all that is possible. It just takes some time, effort, and, yes, investment.
Web apps are the most popular attack surface
There’s no mystery about hackers’ favorite attack surface. As multiple reports on data breaches have found, web applications are at the top.
In Forrester’s The State of Application Security 2019, author Amy DeMartine opens with this declaration: “Application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks.”
According to SAP, 84% of cyberattacks happen on the application layer, making it the No. 1 attack surface for hackers.
Insecure web apps open the door to hackers
There should be no mystery about why web apps are a target either. If attackers can exploit a web application vulnerability, they have potentially unlimited access.
“Malicious attackers who exploit an application through a vulnerability or weakness will also have access to the data that application has access to, no matter what data security or network protections you may have in place,” DeMartine wrote in the report.
Of course, every business with an online presence has web applications, including those used for HR tasks. Those apps are built with software. And software, hackers know, is rarely perfect. They also know that even when patches are issued for bugs or other vulnerabilities, not every organisation installs them.
Perhaps the most notorious example of the past several years — the 2017 breach of credit reporting giant Equifax, which compromised the personal and financial information of about 147 million people — was made possible because the company failed to install a two-month-old patch for a vulnerability in Apache Struts, a popular open source web framework.
But even that wasn’t enough to get companies to pay attention. As the 2018 Synopsys Open Source Security and Risk Analysis (OSSRA) report showed nine months later, a third of audited codebases containing Apache Struts were still vulnerable to the same issue that affected Equifax.
How to protect your HR web apps from hackers
So the priority is obvious: Protect your web applications.
There are ways to do that — the key word is “ways.” There is not one way to do it. Don’t fall for any pitch that says if you employ this magical “all-in-one” tool, your applications will be safe.
Nothing in life, or online, is completely secure. But with the right set of tools, deployed throughout the software development life cycle, you can be confident that your web apps are protected from all but the most motivated and expert hackers.
Know what’s in your code with software composition analysis
To start, it helps to know what software components you’re using and where they came from. While most organisations create proprietary software, virtually all — 99% according to the OSSRA — also use open source.
Nothing wrong with that — open source helps reduce the time and expense of application development. It provides ready-made “raw materials,” so developers don’t have to reinvent the basics every time they create a new app.
But open source is no more (or less) secure than other software, and it also comes with licensing requirements. That means organizations that don’t keep track of what they’re using could miss notifications that there are patches available for known vulnerabilities. And they could get in legal trouble for open source license violations.
The way to avoid all that is with software composition analysis (SCA). SCA allows you to manage your open source security and license compliance risks through automated analysis and policy enforcement.
And it’s important to move SCA earlier in the software development life cycle. It makes fixing those problems easier, faster, and cheaper.
Find and fix web app security issues
Other tools that should be part of the software development life cycle include these:
- SAST (static application security testing) helps find and fix security and quality weaknesses in proprietary code during development. The Forrester report noted above found that an increasing number of firms “are more likely to implement SAST in the development phase. With new tools that allow developers the ability to ‘spell-check’ their code in their IDEs, security pros can help deliver remediation advice to developers at the cheapest and easiest-to-fix stage of the SDLC.”
- DAST (dynamic application security testing) tests running applications in an environment that mimics production.
- IAST (interactive application security testing) helps identify and verify vulnerabilities and sensitive-data leakage with automated testing of running applications.
- Penetration testing is intended for the end of development, presumably after most vulnerabilities have been caught and fixed. It focuses on exploratory risk analysis and business logic by finding vulnerabilities in web applications and services and trying to exploit them.
Deploying a variety of application security testing tools may seem daunting, and development teams fear it will slow them down. But the truth is that finding and fixing vulnerabilities earlier in the software development life cycle is easier and less expensive overall.
Taylor Armerding is a security expert at Synopsys Software Integrity Group