BY USE CASE
Secure Distributed Work
Understand the OWASP top ten risks to your web apps and SaaS apps, including how to protect your hybrid workforce from new threats.
ARTICLE | 4m read
June 28, 2022
In our age of hybrid work, you always know some of your employees are working remotely. At the same time, you also know both onsite and remote workers depend on web-based applications to be productive wherever they work. With today’s increased reliance on web applications, hackers and bad actors are intensifying attacks on your web apps and APIs. Worse yet, traditional security tools like VPNs are no longer enough to protect your users and data, and onsite firewalls fail to stop zero-day attacks and consistently apply security policies across all environments—placing your business reputation at risk.
This makes it vital you know the latest threats to app security. While beginning with the OWASP Top Ten threats is a good start, keeping ahead of all these new threats and knowing how to defend your applications is not easy. This article will help you understand the most serious risks to web apps and how you can protect your apps and infrastructure to prevent these attacks and enable secure hybrid work.
To properly protect your organization from new threats, it’s important to recognize how the security landscape has changed in the age of hybrid work. In the past, you knew most of your employees were accessing sensitive data and business apps inside your onsite firewall, which made it difficult for hackers to breach your network. When employees did work remotely, requiring a VPN to access your network on IT-managed devices was usually enough to provide an encrypted connection that would protect both personal information and private company data.
Today is a different story. Bot traffic represents about 40% of internet traffic, meaning your business faces automated threats that can attack hybrid workers constantly. 41% of remote workers access confidential information using unsecured apps, which a VPN cannot protect you against. Web application hacks are the main attack vector for hackers, accounting for 80% of related data breaches. These frightening trends make it clear that you need to evolve your application security and access security to best protect hybrid workers. Otherwise you could face a data breach with awful costs to your revenue and brand reputation, in addition to exposing you to significant legal liability.
To update your application security to meet these new threats, start with the three new risk categories that OWASP has added to its application security threat list. The most noteworthy new application threat is insecure application design, which suggests businesses need to become smarter about building security into their applications earlier instead of focusing only on post-production app security. Software and data integrity is another vital new threat category, as the popularity of the CI/CD approach in app development has led to a reliance on unvalidated and risky code or components; the best mitigation strategy is to only use software and libraries from trusted and secure repositories. Server-side request forgery is also predicted to rise as a threat as more web apps make calls for external data, and the best defense is to minimize the type, scope, and amount of requests an application can make.
Beyond these rising threats, it’s also important to review how OWASP has updated its top 10 application security risks since 2021. First, broken access control has risen to the top threat; this risk stems from failing to ensure employees, processes, and devices do not act outside their permissions when using business apps. Identification and authentication failures also remain a significant threat, so pay attention to your access security processes and be sure to require strong, frequently changed passwords and multi-factor authentication. And while app injection attacks are no longer the top risk, it’s still key to have a positive security model that limits which employees, APIs, and processes can run commands against sensitive data.
Considering how many changes to the OWASP list of app security threats are based in authorization and authentication failures, it’s clear the path to tightening application security runs through ensuring secure access for employees wherever they work. This in mind, to ensure an optimal and secure work environment for hybrid workers, 67% of IT leaders are evaluating access security solutions (like zero trust network access) and 58.5% are evaluating app security solutions. One effective application security solution to explore is a web application firewall that can protect your business apps from zero-day attacks wherever remote workers use them.
But while these security solutions are invaluable, protecting your business also depends on effective security practices. For example, the serious risk of cryptographic failure often results from businesses failing to properly implement encryption technology and enforcing encryption for both data at rest and in transit. Moreover, too many businesses store sensitive data long after they actually need it—exposing them to unnecessary risk. Another risky security practice is relying on vulnerable and outdated components inside your applications, so it’s critical to continuously inventory the components in your environments to check for known vulnerabilities.
Protecting your web apps and APIs has never been a simple task. As bad actors step up their efforts to target your applications through your distributed workforce and other weaknesses, the best defense is taking the OWASP top ten list seriously by adopting a layered defense in your application security strategy. This includes protecting your resource layer, control layer, and host layer, but remember that secure hybrid work is also a crucial element—educate your hybrid workers about secure practices and equip them with the right access and application security solutions to keep your business safe.
Security threats are a risk to your entire organization, not simply one department or employee. This in mind, it’s vital to increase the security IQ of every employee in your organization by teaching them how to recognize new threats, leverage the right tools, and make smart decisions. The result is the creation of a thriving security culture where everyone takes responsibility for protecting company data, personal information, and each other.
Learn more about the state of security in our hybrid work world by reading this report.