Last week we heard from experts around the globe on the web application security insights in Verizon's 2016 Data Breach Investigations Report (DBIR). Thank you, Verizon, and all of your partners, for giving us a lot to think about!
We also polled the Rapid7 Community on what they had learned from the 2016 DBIR. Some of their comments follow:
Quick Insights from the Rapid7 Community
>"The internet is evolving, and greater complexity creates greater risk by introducing new potential attack vectors. Attackers aren't always after data when targeting a web application. Frequently, sites are repurposed to host malware or as a platform for a phishing campaign. Website defacements are still prevalent, accounting for roughly half of the reported incidents."
"I find that the Verizon Data Breach Investigation Report is a good indication of the current environment when it comes to the threat climate - I use it to prioritize what areas and scenarios I spend the most time focusing resources upon. For my environment, the continued shrinking of time between vulnerability disclosure and exploit is very important. For offices like mine with a small staff, identifying and applying patches in an ever more strategic manner is key. I think vendors who successfully market intelligent heterogeneous automated patching systems will start to see big gains in sales. And those that can tie it to scanning/compliance/reporting/attack suites are going to be even better positioned in the market."
Scott Meyer, Sr. Systems Engineer at United States Coast Guard
>"Train, train, and retrain your users. Use proper coding. Really, we still fall victim to SQLi? Two-factor authentication is still king. Limit download to x to prevent complete data exfiltration."
Steven Maske, Sr. Security Engineer
Jack Voth, Sr. Director of Information Technology at Algenol Biotech
Lessons Learned from the 2016 Verizon Data Breach Investigations Report
Each lesson from the DBIR is paired with the strategies to implement in response:

1. Web application attacks are a primary vector.
   • Start security testing your applications today.

2. No industry is immune, but some are more affected than others.
   • Focus on the attack patterns your industry is experiencing.
   • Know your enemy's motivation.

3. Unvalidated inputs continue to plague our web applications.
   • Validate your inputs.
   • Train and retrain your developers.
   • Keep in mind that software security issues are software defects.
   • Conduct regular dynamic application security testing (DAST) assessments to find unvalidated inputs.

4. Web applications are evolving, and so should your application security program.
   • Make sure your skills and tools are up to snuff with the latest dynamic and complex applications.
   • Ask your vendors whether their tools handle dynamic clients, RESTful APIs and single-page applications. Learn why this is important and what questions you need to ask vendors in this quick video.

5. Different industries have different enemies.
   • Know who and what you are defending against. Grudge or money?

6. There are so many free and fabulous resources. Use them!
   • Get involved with OWASP today!
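Lesson 3 says to validate inputs and to use DAST to find the ones that are not validated. The following added example (not code from the Rapid7 post, and not part of AppSpider) shows the defect a scanner is hunting for next to its two fixes: a lookup that concatenates user input into SQL, the same lookup with a bound parameter, and an allowlist validator placed in front of it. The SQLite table, the sample rows and the attacker string are constructed for illustration and are assumptions, not anything from the DBIR.

```python
"""Unvalidated input (SQL injection) versus validation and parameterization.

Added example, not from the Rapid7 post or from AppSpider. Uses an in-memory
SQLite database with constructed sample rows; the table name, column names and
the attacker string are assumptions for illustration.
"""
import re
import sqlite3

# Constructed sample data (assumption): two accounts standing in for the
# application's real user store.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: input is spliced into the query text, so it can change the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Fix 1: a bound parameter keeps the input as data; it can never become SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allowlist for a username: letters, digits, underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username: str) -> bool:
    """Fix 2: allowlist validation rejects anything that is not a plausible username."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Defense in depth: validate the shape first, then bind the parameter."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


# Constructed attacker input (assumption): closes the opening quote and adds an
# always-true condition, so the vulnerable query returns every row.
INJECTION = "' OR '1'='1"


def demo() -> dict:
    """Run the three lookups against the same payload and return the row counts."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, INJECTION)),
            "parameterized_rows": len(lookup_parameterized(conn, INJECTION)),
            "validator_rejects": not is_valid_username(INJECTION),
            "benign_rows": len(lookup_validated(conn, "alice")),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns both sample rows for the payload because the WHERE clause becomes `username = '' OR '1'='1'`; the parameterized lookup returns none, since the whole payload is compared as a literal username; the validator rejects the payload before a query is ever built. Parameterization is the fix that removes the vulnerability class; the allowlist is the extra layer that also catches the inputs a DAST scanner would flag for other sinks.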
How Rapid7 Can Help
Rapid7's AppSpider, a Dynamic Application Security Testing (DAST) solution, finds real-world vulnerabilities in your applications from the outside in, just as an attacker would. AppSpider goes beyond basic testing by enabling you to build a truly scalable web application security program. You can watch an on-demand demo of AppSpider here if you are interested in learning more.
Deeper application coverage
The AppSpider development team keeps up with evolving web application technologies so that you don't have to. From AJAX and REST APIs to Single Page Applications, we're committed to making sure that AppSpider assesses as much of your applications as possible, so that you can rely on AppSpider to find unvalidated inputs and a host of other vulnerabilities in your modern web applications. View our quick video to learn how to achieve deeper web application coverage with your web app scanner.
Breadth of web app attack types
From unvalidated inputs to information disclosure, with more than 50 different attack types, we've got you covered. AppSpider goes well beyond the OWASP Top 10, including SQL Injection and Cross-Site Scripting (XSS), and covers the attack patterns that can be tested by software. This leaves your team more time and budget for the attack types that require human judgement, such as business logic testing.
Application security program scalability
AppSpider is designed to help you scale your application security testing program so that you can conduct regular testing across hundreds or thousands of applications throughout the software development lifecycle.
Dynamic Application Security Testing (DAST) earlier in the SDLC
AppSpider comes with a host of integrations that enable you to drive application security earlier into the SDLC through Continuous Integration (like Jenkins), issue tracking (like Jira) and browser integration testing (like Selenium). Our customers are successfully collaborating with their developers and building dynamic application security testing earlier into the SDLC.
You may also be interested in these blog posts that also offer perspective on the 2016 Verizon DBIR: