In a world that is completely interconnected via the internet, the operation of web servers, websites, and web applications is ubiquitous in almost every corporate sector on the planet. As web applications become more numerous and dynamic websites increase in number, the security concerns associated with web applications escalate as well. With online businesses using web applications as one of their primary methods of interacting with consumers, the trend toward business use of web applications is likely to continue. Statistics consistently show a rapid increase in online purchases of goods in the US - Mintel notes in its 2015 survey that nearly 70 percent of Americans use online websites to shop on a regular basis. Yet website breaches and hacks have become commonplace, and often cost companies millions of dollars in damage.
Ponemon Institute asserts that 45 percent of breaches exceed $500,000 in losses. Furthermore, the International Data Corporation predicted that companies would begin to use web applications for more than just direct communications regarding transactions, but would also increasingly use web apps for marketing, customer service, and the sharing of other significant information. The use of web applications for integral business operations makes them a prime target for hackers and cyber-attackers. Suitable risk management and security assessment programs must be adopted to protect businesses from the offensive fronts that could jeopardize one of the main online functions of their corporate infrastructure. The attack surfaces associated with web applications must be understood and all possible attack vectors must be analyzed and mitigated. Mobile applications and web applications share many characteristics both in their engineering architecture and in their security needs. These similarities include programming languages used for development and security flaws present in both, such as weak encryption ciphers, code injection security holes, and more. However, from a security perspective, the two types of apps differ in significant ways.
Web applications are often linked directly to important back-end database servers, which can frequently be accessed in an unauthorized manner through SQL injection (SQLi) attacks. HTML files located on a web server within a DMZ, by contrast, are often protected by a Web Application Firewall (WAF), a Network Intrusion Detection System (IDS), and network firewalls. Even with such protection, a website often provides a direct interface through which attackers can inject code to manipulate fields, bypass authentication, and plant reverse shells, rootkits, and backdoors.
Because they are website-oriented, web applications operate via a web browser, require an internet connection, and are cross-platform. Consequently, a web application often offers an attacker a means of compromising all client platforms at once, whereas compromising a native mobile app requires attacking each platform individually, which in turn requires understanding the OS for which the app is built and the different programming language used on each platform. Mobile applications are often network-oriented, but do not necessarily require network connectivity. In addition, native mobile apps are generally written in an OS-specific language, such as Java for Android and Objective-C/Swift for iOS.
Client-side data storage, the types of back-end APIs used, access to core device functionality, and similar factors make mobile apps different from web apps, and present engineers with different security challenges. Although web applications are often optimized for mobile formats, compromising a web application frequently leads to the compromise of further back-end servers and systems, while compromising a mobile app can mean access to multiple critical assets, including back-end network systems, mobile device functions, proprietary code, and more. The risks and threats associated with mobile apps and web apps are thus different, and must be assessed differently, based on an intimate understanding of the attack vectors and potential vulnerabilities tied to each.
Each unique framework and programming language used for web application development may potentially result in additional security vulnerabilities being present. As estimated by the International Data Corporation in 2011, a minimum of 80 percent of web applications have one or more high-risk vulnerabilities written into the code that result in inherent security holes that can be exploited. In addition to this, according to the Website Security Statistics Report, from 2012 to 2014 there was a shift in application vulnerability likelihood, with 2012 revealing a 58 percent and 55 percent likelihood for apps to have information leakage or XSS respectively, and 2014 showing a 70 percent likelihood for apps to have Insufficient Transport Layer protection. Web application security testing requires a variety of methods in order to fully identify all potential flaws. These methods include:
• Dynamic application security testing
• Manual penetration testing
• Static source code security analysis