It’s been an eventful few months in terms of sizable cyberattacks. First, we had the SolarWinds hack, then the Colonial Pipeline ransomware attack made cybersecurity acutely real for millions of people in the U.S. Most recently, the Kaseya ransomware attack disrupted more than 1,000 businesses over the July 4, 2021 holiday weekend. The sense of vulnerability around the nation’s infrastructure is so intense that it spurred the White House to issue an executive order to drive improvements in the nation’s cybersecurity posture. The order is important guidance for government agencies, the vendors that support them and private sector organizations as a whole.
Under the executive order, the country will be rallying around a single entity called the Cybersecurity and Infrastructure Security Agency (CISA). Formed in 2018, CISA has the mission of protecting the nation’s governmental and private infrastructure from cybersecurity threats. The executive order also emphasizes the need to protect software supply chains and critical software that is able to run with elevated privileges or that controls access to data or operational technology, and it calls on the private sector to partner with the government to “foster a more secure cyberspace.”
Of course, no one would argue against securing critical software, but focusing exclusively or disproportionately on it has the potential to leave web application assets—and the organizations that deploy them—largely vulnerable. Web applications present a massive attack surface and even seemingly low-risk applications can serve as a back door for breaches. We saw this with the hack of J.P. Morgan through their corporate challenge road race registration website, which affected 76 million customers.
The risks are significant and impact organizations of every size. According to the Cloud Security Alliance, the average large enterprise has 946 custom applications deployed, with another 193 in development. And even small companies have many custom web applications: globally, there are an estimated 1.9 billion web applications deployed.
Alarmingly, a study by Immersive Labs and Osterman Research indicates that 81% of developers knowingly push insecure code to production.
Nearly every organization, both private sector and government, has dozens or hundreds of custom web applications deployed or in development, and a huge subset of those applications have vulnerable code. Every organization—and by extension their customers—is at risk.
It’s time to realize that web applications are critical software. The end-to-end security of web applications is just as foundational to improving our national cybersecurity posture as the security of any other type of software or infrastructure. AppSec already spans the entire software life cycle from left (development) to right (deployment). As such, it enables security teams to find the real vulnerabilities in code, and it empowers Ops to monitor for vulnerabilities introduced into production.
And so, if we are serious about defending our country and citizens against the increasing intensity and breadth of cyberattacks, web application security is crucial. Even seemingly low-risk web applications can lead to serious data breaches, so they should be treated as critical software and assessed for risk potential. Where risks are discovered, organizations should create visibility and oversight to ensure that remediation happens. Then, and only then, can we feel confident that we are poised to defend against the increasingly severe threats from malicious actors.