Top 10 misconceptions about web application security

You think your web and mobile applications are safe? Think again. Here are 10 misconceptions about web application security. Come and meet us at #CeBIT!

1. Only big companies are threatened by hackers

We cannot even tell you how many times we have heard that. The problem is: hackers do not care about the size of your company. They do not check how many employees you have or what your turnover is; they seize every opportunity they get. Multinationals are of course more visible and therefore more likely to be targeted, but they are also better prepared, which makes SMEs the easier targets. One of our clients, who owns a small digital business, learned this the hard way when he discovered that all the online payments on his website were being redirected to a foreign bank account.
Moreover, have you ever considered that your competitors could be interested in what you have?

2. I have the best developers on the market

Super developers have to code fast and deliver applications that are both powerful and user-friendly. Unfortunately, they are generally not security experts: building software and breaking it are two distinct skills. Hence the importance of testing their work from a security standpoint with a pentest. They will learn from the experience, and you can also train them more specifically on the topic.
Let's put it this way: the finest paintwork still needs a protective coat.

3. I use robust frameworks, so I’m safe

Robust frameworks do help to build secure code. However, this is not just a question of choosing a framework: it is about using the framework properly with regard to your security needs. We often see developers disable protections that are built into the framework (output escaping, CSRF checks, strict parameter handling) because they get in the way of a quick delivery. This is why security testing is always necessary.
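The following is an added example, not code from the original article or from Vaadata. It shows, in a few lines of plain Python, what one of those built-in protections does and what "disabling it" means in practice: a synchronizer-style anti-CSRF token bound to the session, of the kind Django's CsrfViewMiddleware or Rails' protect_from_forgery provides, with an `enabled` flag standing in for the framework's escape hatch (Django's `csrf_exempt`, Rails' `skip_before_action :verify_authenticity_token`). The secret, session id and request dictionaries are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: a per-deployment secret. A real application loads it
# from configuration; it is generated here so the block runs stand-alone.
SECRET_KEY = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str, key: bytes = SECRET_KEY) -> str:
    """Synchronizer-style anti-CSRF token, bound to the session with an HMAC.

    The server renders this into its own forms; a page on another origin
    cannot read it, so a forged cross-site request cannot supply it.
    """
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(request: dict, session_id: str, *, enabled: bool = True,
               key: bytes = SECRET_KEY) -> bool:
    """Return True if a request may proceed.

    enabled=False models the framework's escape hatch (csrf_exempt and the
    like): the check is simply skipped for every request to that view.
    """
    if request["method"] in SAFE_METHODS:
        return True  # safe methods must not change state, so no token is needed
    if not enabled:
        return True  # protection disabled: every POST is accepted, forged or not
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(session_id, key)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(submitted, expected)


def demo() -> dict:
    """Constructed requests: a legitimate form post and forged cross-site posts
    riding on the victim's session cookie (the browser attaches it automatically)."""
    session_id = "sess-42"  # the victim's session, as identified by the cookie
    legitimate = {"method": "POST",
                  "form": {"csrf_token": issue_csrf_token(session_id),
                           "new_email": "alice@example.com"}}
    # The attacker's page cannot read the victim's token, so it either omits it...
    forged = {"method": "POST",
              "form": {"new_email": "attacker@example.net"}}
    # ...or guesses one.
    guessed = {"method": "POST",
               "form": {"csrf_token": "0" * 64, "new_email": "attacker@example.net"}}
    return {
        "legitimate_protected": csrf_check(legitimate, session_id),
        "forged_protected": csrf_check(forged, session_id),
        "guessed_protected": csrf_check(guessed, session_id),
        "forged_exempt": csrf_check(forged, session_id, enabled=False),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} -> {'accepted' if allowed else 'rejected'}")
```

With the protection on, only the request carrying the server-issued token passes; with the exemption in place, the forged request changes the victim's e-mail address just as well as the legitimate one. A pentest finds exactly these exempted endpoints.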


4. We don’t collect sensitive data, so why bother?

Sensitive customer data is obviously and rightfully one of the main things to secure in an application. Nevertheless, it is just the tip of the iceberg. Say you run an e-commerce website: how would you react if your platform was down for two days? Think about your reputation too: even information that many do not consider « sensitive » is in fact sensitive. Your clients would certainly not appreciate their e-mail addresses and passwords leaking on the internet.
On top of that, let's not forget that many hackers compromise websites in order to use them as zombies for future attacks, or worse, as hosts for their fraudulent activities. Depending on the country's legislation, companies have a moral, and sometimes legal, obligation to make sure this does not happen.

5. I pay for a Web Application Firewall, that’s enough

Web Application Firewalls (WAF) do provide good protection against attackers. However, as effective as they can be, they do not guarantee that your website is safe. There are two problems in particular. First, a WAF matches known attack patterns at the edge; it does not fix the flaw in the code behind it, and a skilled attacker will generally find a variant the rules do not cover. Second, having a WAF sometimes makes companies feel they no longer need to worry about security at all. This leads to laxity, and ill-intentioned individuals will find a way to exploit it.
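An added example (not from the original article or from Vaadata) of the first problem, using a constructed toy filter and an in-memory SQLite table. The three signature rules, the sample users and the two payloads are all made up for the illustration; the point is general: a blocklist stops the pattern it was written for and lets an equivalent one through, whereas the parameterized query is safe against both because the input can no longer change the shape of the statement.

```python
import re
import sqlite3

# Constructed toy "WAF": a few signature rules of the kind a blocklist-based
# filter uses. Real products ship far larger rule sets, but the same
# limitation applies: a rule only stops what it was written to match.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\s+select\b",
    r"'\s*or\s*'1'\s*=\s*'1",
    r"--",
)]


def waf_allows(value: str) -> bool:
    """True if no signature matches the input."""
    return not any(sig.search(value) for sig in SIGNATURES)


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The flaw the WAF is papering over: user input is spliced into the SQL text.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The actual fix: a parameterized query. Input is data, never SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def handle(conn: sqlite3.Connection, name: str, lookup) -> object:
    """WAF in front of the application: filter first, then run the lookup."""
    if not waf_allows(name):
        return "blocked by WAF"
    return lookup(conn, name)


if __name__ == "__main__":
    conn = make_db()
    obvious = "' OR '1'='1"   # textbook payload: the rule set knows it
    variant = "' OR 'a'='a"   # same effect, different literal: no rule matches
    print("obvious, vulnerable code:", handle(conn, obvious, lookup_vulnerable))
    print("variant, vulnerable code:", handle(conn, variant, lookup_vulnerable))
    print("variant, fixed code:     ", handle(conn, variant, lookup_safe))
```

The first call is blocked, the second returns every row of the table despite the filter, and the third returns nothing because there is no user literally named `' OR 'a'='a`. The WAF bought time; only the code change removed the flaw.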

6. I did a pentest once, now I’m safe

Technology, just like time, is always moving forward; it never stays still. Hackers take advantage of that and are usually one step ahead of everyone else. For this reason, improving the security of your platform should be a continuous process. Moreover, web and mobile applications get new releases all the time, and those changes deserve to be tested: each new piece of code can introduce new vulnerabilities. Companies exposed to a high level of risk usually perform pentests several times a year, for instance monthly or quarterly.

7. There is no ROI with security audits

Security audits can be compared to insurance. We all grumbled the first time we had to pay for car insurance, but the day someone stole the car and drove off, we understood why it was necessary. We can also add that security concerns are growing among the general public. Having a certificate to show customers that you care about their data is becoming a competitive advantage. If we want customers to trust our services, we have to be worthy of that trust.
This is especially true in B2B: many big companies now include a security dimension in their tenders. Being proactive about digital security can therefore increase sales.

8. I don’t have time for a security audit

Deadlines, urgent client enquiries, last-minute changes to a web application... The daily routine can indeed be very busy; however, a pentest is probably less work for you than you might think. During the pentest, you normally have nothing to do. Afterwards, you receive our report listing all the flaws that were found, ranked by severity, with the explanations needed to fix them. This lets you fix the most important flaws right away and gives you time to fix the rest.

9. Phishing is only for dummies

« Helo Sir. My name is John Goodman, I am a proffessional lawyer at law. I am sorry to anounce you that the uncle of your great grand father dieded this weekend. You are his only heir, hence inheritin his 500.000.000$ fortunes. Too claim your heritage please send me a first transfer of 300,00$ on the followings bank detail to pay the legal fee… »
We have all received emails like this one, and yes, they are easy to spot. But phishing can be done in a much smarter way.
With a social engineering attack, a hacker can obtain information that grants access to your back office or even your internal network, and walk away with a lot of confidential data. For instance, when attacking an accommodation booking website, attackers will target the customer service department, where employees have access to a great deal of information but often have little security training. Many companies fall into the trap, but the risk can be significantly reduced through better processes and effective staff training. For these reasons, running social engineering campaigns to train your staff on this topic is also crucial.

10. It’s overpriced anyway

Security audits do have a price. However, if the work is done properly and the audit is adapted to the level of risk of your platform, you should consider it an investment rather than just another expense. Having a security audit that suits your needs, and therefore a price that is adapted to your situation, is essential. Obviously, depending on your activities, you might not need the same security level as the NSA.
At Vaadata we are used to working with start-ups that do not have an extensive cybersecurity budget. We offer them an affordable service, which can even have a variable price indexed on the number of flaws we find.