Application Security Top Trends in 2023: Data Analysis by John Delaroderie of Qualys

Roberto Popolizio

SafetyDetectives had the chance to talk to John Delaroderie, Director of Product Management for Web Application Security at Qualys, the company behind the SSL Labs site, an industry-standard tool for judging website security, and a cloud security partner of Amazon Web Services, Microsoft Azure and the Google Cloud Platform.

As a recognized expert in web application and API vulnerabilities with 9 years of experience building successful AppSec programs, John was the right person to ask about the current trends in web application security, and what companies can do to secure their websites and online applications.

What is web application security and why is it crucial nowadays?

Web application security is protecting web applications against attacks to the confidentiality, integrity, or availability of web applications and their resources.  It begins with designing and building secure applications, but also includes maintaining, protecting, and testing web applications for vulnerabilities like cross-site scripting (XSS), SQL injection, and other security misconfigurations.

The custom nature of modern applications can add significantly to the complexity of web application security.  Malicious actors will attempt to leverage these vulnerabilities for a variety of goals – from impacting site visitors to financial theft to data breaches.

What do Qualys and the SSL Labs do in that regard?

Qualys Web Application Security (WAS) is an industry-leading Dynamic Application Security Testing (DAST) tool, capable of identifying runtime vulnerabilities in web applications, as well as APIs, using the same methodology used by malicious actors. In addition to vulnerability scanning, WAS offers comprehensive discovery of internal, external, and previously unknown web applications, identification of PII collection and exposures, consolidation of third-party testing tools, identification of web malware, and integrations into CI/CD pipelines and ticketing systems. WAS can also identify SSL/TLS and certificate issues for web applications.

Additionally, Qualys offers SSL Labs, a free online resource for customers to test their applications for SSL/TLS and certificate issues on publicly facing web servers.

What are the most common Web Application Security Threats in 2023?

Last year, we aggregated anonymous vulnerability scan information for 370,000 web applications that were scanned by Qualys WAS in 2022.  These results were shared with the Qualys TruRisk Research Report, which revealed the following number of web application vulnerabilities mapped to the OWASP Top 10 categories:

  • 8.5 million security misconfigurations (A05)
  • 7 million cryptographic vulnerabilities (A02)
  • 5 million access control vulnerabilities (A01)
  • 4 million injection vulnerabilities (A03)

While this report was gathered with scans performed throughout 2022, my expectation is that security misconfigurations (OWASP Top 10 Category A05) will again be the most common threat to web applications in 2023.

What are Security misconfigurations?

Security misconfigurations are vulnerabilities caused by inappropriate configurations of the security controls of an application, website, or server. They can allow unauthorized access to networks, systems, and data.

How can web teams improve those security processes and secure their sites/apps?

There are lots of things web teams can do, but to keep this concise, here is what I think is most important. Web teams need to see web application security not as a blocker, but as a feature they are developing for their applications. It is their responsibility to include secure features, not just to build code. This begins by bringing security experts into the design phase to teach developers how to threat model.

Threat modeling will improve the overall security of their applications by helping them to identify the goals that malicious actors have when they attack applications, as well as promoting critical thinking around how the system could be abused. By encouraging developers to think like attackers, it helps them understand why security teams think the way they do. At the same time, security teams should try to limit threat modeling as the only new process they introduce outside the software development lifecycle.

As much as possible, implement security inside already established workflows by integrating at the API level. Creating a new workflow or process for development teams only creates resistance and frustration. This also applies to scans in production. Security integrations into DevOps frameworks, like ADO or Jenkins, will work best when they require the least amount of work to adopt.

5 elements that any organization should build into their workflows:

  1. Integrate security testing into your software design phase – build applications you can test and test applications you build. This avoids problems being found later.
  2. Empower developers to become security champions, and provide them with autonomy and ownership in engineering. This feeling of ownership is better than feeling responsible alone, and it can lead to profound changes in application security programs.
  3. Automated scanners and manual penetration testing are complementary. Each approach has its own strengths and weaknesses that can be leveraged to improve the overall success of an application security program.
  4. Remediation beats obfuscation. Web Application Firewalls (WAFs) can be bypassed and should not be viewed as a long-term solution to keeping web applications secure. Preventing issues is much more effective.
  5. Fight the battles worth winning. When resources are limited, you have to prioritize issues that need to be fixed based on risk. Being realistic makes it clear that you have everyone’s goals and capacity in mind, so you can develop that collaboration and unity over time.

For the security team, think about how you work with your developers. Sending the web team a 100-page scan report will do little to garner enthusiasm or empower developers. Instead, turn those scan results automatically into tickets for remediation, whether in JIRA or ServiceNow or some other ticketing system, and then apply prioritization to them so that developers know which ones are critical and timely, and which ones are lower priority. This will lower resistance and make it easier to get security viewed as a feature developers are responsible for in their web applications. It also makes it clear how much work it takes to clear up issues, compared to adopting secure software development practices right at the start.

The most successful web application security programs are the ones where the developers and security teams are in alignment with their goals, so bridging the divide between the two teams is critical. Running events like workshops, team-of-team sessions and individual collaborations will help make everyone feel like they are working to the same goal, and this can help achieve the security goals of the organization and improve overall security.
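The ticket-driven triage described above, as an added worked example that is not part of the interview and not Qualys WAS or a real JIRA/ServiceNow integration: a small Python script that groups constructed DAST findings into one remediation ticket per application and vulnerability type, scores each ticket by risk, and assigns a priority and SLA. The finding format, the scoring weights, the priority thresholds and the sample findings are all assumptions made for the illustration.

```python
"""Turn DAST scan findings into prioritized remediation tickets.

Added illustration; the finding shape, weights and thresholds are assumptions,
not a vendor format or a documented rating scheme.
"""
from collections import defaultdict

# Constructed sample findings, shaped loosely like a DAST export (assumed format).
SAMPLE_FINDINGS = [
    {"app": "store", "url": "https://store.example/search", "owasp": "A03",
     "title": "SQL injection", "severity": 5, "exposure": "external", "pii": True},
    {"app": "store", "url": "https://store.example/login", "owasp": "A03",
     "title": "SQL injection", "severity": 5, "exposure": "external", "pii": True},
    {"app": "store", "url": "https://store.example/", "owasp": "A05",
     "title": "Missing HSTS header", "severity": 2, "exposure": "external", "pii": False},
    {"app": "intranet", "url": "http://wiki.corp/edit", "owasp": "A01",
     "title": "Broken access control", "severity": 4, "exposure": "internal", "pii": False},
    {"app": "intranet", "url": "http://wiki.corp/", "owasp": "A05",
     "title": "Directory listing enabled", "severity": 2, "exposure": "internal", "pii": False},
    {"app": "store", "url": "https://store.example/old", "owasp": "A02",
     "title": "TLS 1.0 enabled", "severity": 3, "exposure": "external", "pii": True},
]

# Assumed weights: severity is 1-5; external exposure and PII in scope raise the score.
EXPOSURE_WEIGHT = {"external": 2.0, "internal": 1.5}
PII_BONUS = 2


def risk_score(finding):
    """Severity scaled by exposure, plus a bonus when PII is reachable."""
    score = finding["severity"] * EXPOSURE_WEIGHT[finding["exposure"]]
    if finding["pii"]:
        score += PII_BONUS
    return score


def priority_for(score):
    """Map a risk score to a ticket priority and a remediation SLA in days (assumed thresholds)."""
    if score >= 9:
        return "P1", 7
    if score >= 6:
        return "P2", 30
    return "P3", 90


def build_tickets(findings):
    """One ticket per (app, vulnerability title), carrying all affected URLs, ranked by risk."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["app"], f["title"])].append(f)
    tickets = []
    for (app, title), items in groups.items():
        score = max(risk_score(f) for f in items)  # worst instance drives the ticket
        priority, sla_days = priority_for(score)
        tickets.append({
            "app": app,
            "title": f"[{items[0]['owasp']}] {title}",
            "priority": priority,
            "sla_days": sla_days,
            "risk_score": score,
            "affected_urls": sorted(f["url"] for f in items),
        })
    tickets.sort(key=lambda t: (-t["risk_score"], t["app"], t["title"]))
    return tickets


if __name__ == "__main__":
    for t in build_tickets(SAMPLE_FINDINGS):
        print(f"{t['priority']} (SLA {t['sla_days']}d, risk {t['risk_score']}) "
              f"{t['app']}: {t['title']} -> {len(t['affected_urls'])} URL(s)")
```

Grouping by application and vulnerability type is what keeps a 100-page report from becoming 100 tickets: the two SQL injection hits on the store land in a single P1 ticket listing both URLs, while the low-severity internal misconfigurations fall to P3 with a longer SLA.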

Qualys runs SSL Labs – are there any trends in the SSL Labs data that you can tell us about?

SSL Labs continuously monitors the quality of SSL / TLS support over time across 150,000 SSL- and TLS-enabled websites based on Alexa’s list of the most popular sites in the world.

What are SSL and TLS certificates?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols used to create secure connections between a client and a server in order to ensure the confidentiality and integrity of network traffic.  While we still use the terms SSL/TLS, it is important to note that SSL was officially deprecated in 2015 in favor of TLS.

SSL Labs assigns a letter grade (A – F) to each site based on a number of factors, including certificate chains, cipher strength, strict transport security, protocol support, key exchange strength, and many more.
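To make the kinds of factors listed above concrete, here is an added example that is not part of the interview and is not SSL Labs' rating logic: a Python script using only the standard ssl module that builds a hardened client TLS context and audits any context for minimum protocol version, forward-secret key exchange, AEAD-only ciphers and disabled compression, then maps the result to a toy letter grade. The grading rules, the check set and the constructed weak cipher list are assumptions for illustration.

```python
"""Audit a TLS configuration against grader-style factors.

Added illustration using the standard ssl module; the checks and the letter
grade are a simplified model (assumption), not SSL Labs' methodology.
"""
import ssl

# Key-exchange labels that give forward secrecy. "kx-any" is what
# SSLContext.get_ciphers() reports for TLS 1.3 suites, which are ephemeral by design.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}

# Constructed cipher list in the same shape as get_ciphers() output, to show
# what a poor configuration looks like without needing a weak OpenSSL build.
WEAK_CIPHER_LIST = [
    {"name": "AES128-SHA", "kea": "kx-rsa", "aead": False, "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "kea": "kx-rsa", "aead": False, "strength_bits": 112},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe", "aead": True, "strength_bits": 128},
]


def hardened_context():
    """Client context restricted to TLS 1.2+ and ECDHE AEAD ciphers, compression off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression is a known side channel
    return ctx


def audit_ciphers(ciphers):
    """Count weak properties over a list of cipher dicts shaped like get_ciphers()."""
    return {
        "total": len(ciphers),
        "not_forward_secret": sum(1 for c in ciphers if c["kea"] not in FORWARD_SECRET_KX),
        "not_aead": sum(1 for c in ciphers if not c["aead"]),
        "under_128_bits": sum(1 for c in ciphers if c["strength_bits"] < 128),
    }


def audit_context(ctx):
    """Combine protocol-level and cipher-level checks for one SSLContext."""
    report = audit_ciphers(ctx.get_ciphers())
    report["min_protocol_ok"] = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    report["compression_disabled"] = bool(ctx.options & ssl.OP_NO_COMPRESSION)
    return report


def grade(report):
    """Toy letter grade (assumed rules): every failed check drops one step, A down to F."""
    failures = 0
    failures += not report["min_protocol_ok"]
    failures += not report["compression_disabled"]
    failures += report["not_forward_secret"] > 0
    failures += report["not_aead"] > 0
    failures += report["under_128_bits"] > 0
    return "ABCDF"[min(failures, 4)]


if __name__ == "__main__":
    live = audit_context(hardened_context())
    print("hardened context:", live, "->", grade(live))
    weak = audit_ciphers(WEAK_CIPHER_LIST)
    weak.update(min_protocol_ok=False, compression_disabled=True)
    print("constructed weak config:", weak, "->", grade(weak))
```

The same audit applies to a server-side context built with ssl.PROTOCOL_TLS_SERVER; the point is that protocol floor, key exchange and cipher choice are separate knobs, and a good grade needs all of them set.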

The table below compares the sites' scores over the past 4 years:

Score   September 2023   September 2022   September 2021   September 2020
A       62.5 %           56.5 %           47.2 %           34.4 %
B       35.2 %           40.5 %           48.6 %           59.0 %
C        1.2 %            1.6 %            2.1 %            2.7 %
D        0 %              0 %              0 %              0 %
F        1.1 %            1.3 %            2.2 %            3.8 %

💡 Takeaways:

  • While the specific sites surveyed (the top 150,000 most popular globally) may have fluctuated a bit in this time span, we have seen an overall improvement in SSL / TLS scores.
  • Sites receiving a score of “A” have increased by over 80% in the past 4 years while all other scores are decreasing. This signifies that many organizations are taking SSL / TLS issues seriously and are applying correct implementations in their deployments.
  • Having this data available shows the wider web development community that security is something that everyone can achieve, and while it might need effort, it is essential to work toward this goal.
About the Author

Over a decade spent helping affiliate blogs and cybersecurity companies increase revenue through conversion-focused content marketing and Digital PR linkbuilding.