Web applications are some of the most powerful tools an organization can have, but they also create a large attack surface. A web app is designed to expose protected functionality to authorized users over the Internet while blocking everyone else. That Internet exposure, combined with the value of the data behind the application, makes web application security a priority for any organization.
The problem with web application security is that it is a very wide field with a variety of different attack vectors to consider. Some of the obvious threats include the attack vectors in the OWASP Top Ten List and exploitation of other vulnerabilities that may exist in the application’s code.
Hardening the software against attack by unauthorized users is important, but it isn't enough. Users may be trusted not to be malicious, but history has shown that they can't be trusted to be secure. The rash of recent data breaches has produced a large body of evidence that paints an unflattering picture of users' ability to manage their own login credentials, and a poor password on a web application lets an attacker in as an "authorized" user of the system.
The Real Problem with Passwords
Passwords are popular because they work and because they make sense. If the only person who knows a password is an authorized user of the system, then using it to control access is logical. And because people understand passwords and how they work, they are more likely to adopt password-based systems than more complicated (but possibly more secure) alternatives. The problem is that password security pulls directly against usability and scale. It is relatively easy for someone to remember one password that is long and complex enough that an attacker can't crack it.
However, 70% of people have more than ten accounts that require a password, and 29% have "too many to count." Remembering ten strong, unique passwords is already a challenge, and the problem only grows as accounts are added. As a result, people routinely misuse passwords. Applications may enforce length and complexity requirements, but users circumvent them with passwords that look complex and are actually weak: a password such as P@ssw0rd1! satisfies length, case, digit and symbol rules and still appears in every cracking wordlist. Users also reuse the same password across multiple accounts, so a breach of one password may compromise many different online accounts.
Web Login Insecurity
The risks associated with weak passwords and password reuse have become concrete with the rise of data breaches in recent years. Many of these incidents expose authentication data, typically usernames together with password hashes.
Even when the leaked password hashes were computed with a slow, salted hash function, the protection is limited. Salting and a high work factor raise the cost of each guess, but not the number of guesses: a password that appears in a common wordlist is recovered after a few thousand attempts regardless of how the site hashed it. Conversely, a stronger password that is reused across several accounts may justify the extra cracking time, because one recovered password unlocks all of them.
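The asymmetry described above, as an added example that is not code from the original article: a constructed leak of salted PBKDF2 hashes is attacked with a six-entry wordlist. The policy-compliant "P@ssw0rd1!" falls in four guesses no matter how high the iteration count is set, while the random passphrase is never found because it is not in the list. The account names, the wordlist and the work factor are all constructed for the demo.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. Production values are much higher (or use
# Argon2id/bcrypt); it is kept modest so the example finishes in a few seconds.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash of the kind a well-run site stores (and then leaks)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_dump(accounts):
    """Constructed stand-in for a leaked credential table: (username, salt, hash)."""
    dump = []
    for user, password in accounts:
        salt = os.urandom(16)
        dump.append((user, salt, hash_password(password, salt)))
    return dump


# Constructed wordlist: the kind of entries at the top of any cracking dictionary.
# "P@ssw0rd1!" satisfies a typical length/upper/digit/symbol policy and is still here.
WORDLIST = ["123456", "password", "qwerty", "P@ssw0rd1!", "Summer2024!", "letmein"]


def crack(dump, wordlist, iterations=ITERATIONS):
    """Offline dictionary attack. The per-user salt forces one hash per user per
    guess and the iteration count makes each hash slow, but neither changes how
    many guesses a listed password needs. Returns {user: (password, guesses)}."""
    cracked = {}
    for user, salt, digest in dump:
        for guesses, candidate in enumerate(wordlist, start=1):
            if hmac.compare_digest(hash_password(candidate, salt, iterations), digest):
                cracked[user] = (candidate, guesses)
                break
    return cracked


if __name__ == "__main__":
    accounts = [("alice", "P@ssw0rd1!"),                # policy-compliant, cracked in 4 guesses
                ("bob", "vk3-corsair-umbrella-tide")]    # random passphrase, not in any wordlist
    print(crack(make_dump(accounts), WORDLIST))         # {'alice': ('P@ssw0rd1!', 4)}
```

Raising ITERATIONS only scales the wall-clock time of the same four guesses; it is the choice of password, not the hash, that decides whether alice's account falls.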
Once a password is cracked, it can be used in credential stuffing attacks, in which attackers replay breached username and password pairs against many other sites (trying a handful of common passwords across many accounts is the related password-spraying attack). Ideally these sites would be immune, since users should change a reused password after being notified of a breach. However, this is often not the case. Research by Google, based on its Password Checkup browser extension, found that 1.5% of legitimate logins to websites used a username and password that had already been exposed in a breach. Google measured this by checking, as users logged in, whether the submitted credentials matched an entry in its corpus of breached credentials.
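A login-time breached-password check of the kind the Google study describes, written here as an added example rather than Google's own method: it uses the range-query (k-anonymity) design of Have I Been Pwned's Pwned Passwords API, in which the login service sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally, so the checking service never learns the full hash. The breach corpus, the user store and the verify_password stub are constructed, and both sides of the exchange run in one process.

```python
import hashlib

# Constructed breach corpus (plaintexts recovered from past dumps). A real corpus
# holds hundreds of millions of entries; matching only needs the SHA-1 of each.
BREACHED_PASSWORDS = ["123456", "password", "qwerty", "P@ssw0rd1!", "Summer2024!"]
PREFIX_LEN = 5  # hex chars of the SHA-1 that leave the login service (~2^20 buckets)


def sha1_hex(password: str) -> str:
    # SHA-1 is only a lookup key here, never a storage format for passwords.
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_index(passwords):
    """Breach-check service side: prefix -> set of 35-char SHA-1 suffixes."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Breach-check service side: every suffix under the prefix. The service sees
    only the 5-char prefix, so it cannot tell which password is being checked."""
    return sorted(index.get(prefix, ()))


def is_breached(index, password: str) -> bool:
    """Login service side: hash locally, send the prefix, match the suffix locally."""
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in range_query(index, h[:PREFIX_LEN])


def check_login(index, verify_password, username: str, password: str) -> str:
    """Wrap an existing password check so a *successful* login with a known-breached
    password is flagged for a forced reset instead of being silently admitted."""
    if not verify_password(username, password):
        return "rejected"
    if is_breached(index, password):
        return "accepted_password_reset_required"
    return "accepted"


# Constructed user store for the demo only; a real verify_password compares
# salted hashes, never plaintext.
USERS = {"alice": "P@ssw0rd1!", "bob": "vk3-corsair-umbrella-tide"}


def demo_verify(username: str, password: str) -> bool:
    return USERS.get(username) == password


if __name__ == "__main__":
    idx = build_index(BREACHED_PASSWORDS)
    print(check_login(idx, demo_verify, "alice", "P@ssw0rd1!"))               # reset required
    print(check_login(idx, demo_verify, "bob", "vk3-corsair-umbrella-tide"))  # accepted
```

In production the index lives at the breach-check service and range_query is an HTTP call returning the suffix list; the login service runs sha1_hex and the suffix comparison itself. Running the check on registration and password change as well as on login closes the loop for users who never act on a breach notification.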
How to Protect Web Applications
The volume of web logins that use compromised credentials is a serious threat to web application security. An organization may know whether its own systems were breached, but it rarely has the same insight into breaches elsewhere. A user who shares a password between a breached site and the organization's website exposes the organization to credential stuffing.
The threat of credential stuffing and similar attacks demonstrates that web application security is not limited to fixing bugs in an organization’s own code. To be secure, a company also needs to deploy security solutions capable of detecting and blocking attacks that leverage a customer’s inability to protect their authentication information.
An advanced Web Application Firewall (WAF) is one way to deal with credentials leaked from other sites. Modern WAFs monitor traffic to the website and look for anomalies in behaviour, including that of authenticated users. An attacker logging in with stolen credentials rarely looks like the account's owner: the same source tries many different usernames with a high failure rate, often arrives from a new device or location, and frequently heads straight for profile, e-mail or payment settings. Monitoring authenticated sessions for these patterns lets an organization detect the attacker and terminate or step up the session. Per-IP rate limits on their own are not enough, since stuffing tools spread attempts across a botnet.
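Detection logic of the kind a behaviour-aware WAF or SIEM rule applies, added here as an example and not any product's rule set: it scans constructed login-audit lines for sources that attempt many distinct usernames with a high failure rate inside a short window, which is the signature of credential stuffing, and lists the accounts such a source did get into. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines. The format is an assumption; adapt LOG_RE to the
# real application's log. One legitimate user, one stuffing source, one brute force.
LOGIN_LOG = [
    "2024-05-01T10:00:00Z ip=198.51.100.23 user=alice result=fail",
    "2024-05-01T10:00:09Z ip=198.51.100.23 user=alice result=ok",
    "2024-05-01T10:00:10Z ip=203.0.113.7 user=bob result=fail",
    "2024-05-01T10:00:11Z ip=203.0.113.7 user=carol result=fail",
    "2024-05-01T10:00:12Z ip=203.0.113.7 user=dave result=fail",
    "2024-05-01T10:00:13Z ip=203.0.113.7 user=erin result=fail",
    "2024-05-01T10:00:14Z ip=203.0.113.7 user=frank result=fail",
    "2024-05-01T10:00:15Z ip=203.0.113.7 user=grace result=ok",
    "2024-05-01T10:00:16Z ip=203.0.113.7 user=heidi result=fail",
    "2024-05-01T10:00:17Z ip=203.0.113.7 user=ivan result=fail",
    "2024-05-01T10:01:00Z ip=192.0.2.9 user=admin result=fail",
    "2024-05-01T10:01:01Z ip=192.0.2.9 user=admin result=fail",
    "2024-05-01T10:01:02Z ip=192.0.2.9 user=admin result=fail",
    "2024-05-01T10:01:03Z ip=192.0.2.9 user=admin result=fail",
    "2024-05-01T10:01:04Z ip=192.0.2.9 user=admin result=fail",
    "2024-05-01T10:01:05Z ip=192.0.2.9 user=admin result=fail",
    "this line is deliberately malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Return (timestamp, ip, user, result) tuples; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag sources that try many *different* usernames with mostly failures inside
    one sliding window. Stuffing is a few attempts per account across many accounts,
    so this rule stays quiet on a single-account brute force (one user, many tries),
    which needs a separate per-account rule."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seen = evs[start:end + 1]
            users = {e[2] for e in seen}
            ratio = sum(e[3] == "fail" for e in seen) / len(seen)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "attempts": len(seen),
                        "distinct_users": len(users),
                        "fail_ratio": ratio,
                        # successful logins from a stuffing source are the sessions
                        # to terminate or step up with MFA
                        "compromised": sorted(e[2] for e in seen if e[3] == "ok"),
                    }
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(parse(LOGIN_LOG)))
```

Keying purely on source IP is the weakest form of this rule: stuffing tools rotate through proxies so that each address makes only one or two attempts. The same window logic keyed on a client fingerprint (TLS/JA3, user agent, header order) or on the global failure rate per target account catches the distributed version.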
Organizations should also deploy multi-factor authentication (MFA) on both internal and external web applications to limit the impact of stolen credentials. MFA requires something beyond the password, so a password taken from a breach is no longer sufficient on its own. Note that one-time codes delivered by SMS or an authenticator app can still be phished in real time by a proxying attacker, so phishing-resistant factors such as FIDO2/WebAuthn security keys are the better choice for high-value accounts. A security solution that allows scalable rollout of MFA to both internal and external sites can be a crucial component of an organization's application security plan.
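How a second factor changes the outcome for a stolen password, as an added example that is not the article's or any vendor's code: an RFC 6238 TOTP verifier gating a password login. The user record, password and TOTP seed (the RFC 6238 test secret) are constructed. The verifier tolerates one time step of clock skew and refuses any counter at or below the last one it accepted, so a code captured once cannot be replayed.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, skew: int = 1):
    """Accept the current step and +/- skew steps for clock drift, but never a step
    at or below the last accepted one, so a captured code cannot be replayed.
    Returns (accepted, new_last_counter)."""
    counter = at // step
    for c in range(counter - skew, counter + skew + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c), code):
            return True, c
    return False, last_counter


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user record: salted PBKDF2 hash of the password plus the TOTP seed
# (the RFC 6238 test vector secret) and the last accepted counter.
_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "hash": hash_password("P@ssw0rd1!", _SALT),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,
    }
}


def login(username: str, password: str, code, at: int) -> str:
    """Password first, then the second factor. A breached password on its own
    never gets past 'mfa_required'."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return "rejected"
    if code is None:
        return "mfa_required"
    ok, user["last_counter"] = verify_totp(user["totp_secret"], code, at, user["last_counter"])
    return "ok" if ok else "mfa_rejected"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the 6-digit code is 287082
    print(login("alice", "P@ssw0rd1!", None, now))       # mfa_required
    print(login("alice", "P@ssw0rd1!", "287082", now))   # ok
    print(login("alice", "P@ssw0rd1!", "287082", now))   # mfa_rejected (replay)
```

The replay rule is what makes a code useless to an attacker who merely observes it after the fact; it does nothing against a real-time phishing proxy that relays the code within its 30-second window, which is why the text above prefers phishing-resistant factors for high-value accounts.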