How secure are web apps and can you ever rely on them for safe data storage?
Today, many tech experts believe progressive web apps are the future of web design. Some even suggest they will eventually replace native apps developed specifically for one mobile platform. However, like everything that comes from the Internet, web apps raise security concerns.
What’s a web app?
A web app is application software that runs on a web server. From a technical point of view, it is not a real application but rather a website. Yet it is interactive and responsive in a way similar to native apps.
Unlike computer- or mobile-based software programs that run locally on the operating system (OS) of the device, web apps are not designed to be compatible with specific systems. They have a universal character and can be used with any OS. That doesn’t mean they are perfectly optimised for each operating system, though. Users access web applications through a web browser with an active network connection. Another condition for successful access is that the web app must support the browser being used. If your web browser is not supported, a web application might hang or crash.
Recently, the term “progressive web apps” (PWA) has been appearing in tech discourse more and more often. A PWA is intended to work on any platform that uses a standards-compliant browser, including both desktop and mobile devices. The app is typically cached on your device, so it has some degree of offline functionality. PWAs can support push notifications and other background functions thanks to a newer web technology called “service workers.” Service workers can cache new content and synchronise local changes to a remote server. That keeps progressive web apps as up-to-date as a typical website, while they also remain as responsive as a native app. Companies that replace mobile websites with PWAs will tremendously improve user experience and increase conversion rates.
Web applications include online forms, shopping carts, word processors, spreadsheets, video and photo editing, file conversion, file scanning, and email programs such as Gmail, Yahoo and AOL. Popular applications include Google Apps and Microsoft 365 collections. Facebook, YouTube and Twitter are also dynamic web apps built for user engagement.
Web app security
Web applications are accessible over the web via the HTTP protocol. They present more security challenges than desktop applications, which are less exposed to cybercriminals and typically have their own unique file formats that are harder to crack. In addition, most web apps run in a cloud environment, which has its own set of security vulnerabilities.
Web application security is a core component of any web-based business. Attacks against web apps have various forms and present numerous dangers to the business. They may include targeted database manipulation, network disruption, cross-site scripting, modification or creation of new user permissions, memory corruption, cross-site request forgery, and more.
To prevent all those hazards, web apps use up-to-date encryption, proper authentication, and continuous patching of discovered vulnerabilities. A web application firewall (WAF) helps to protect a web app against malicious HTTP traffic. It also bridges the gap in time between vulnerability detection and patching. DDoS attacks are mitigated through a variety of strategies, including AI algorithms.
However, those tools won’t help if web app developers don’t follow security principles while working on their products. If they develop code without security in mind, vulnerabilities are inevitable. The problem is that developers are generally not security experts. They may make mistakes and miss important security details. For instance, developers often forget to set the Secure and HttpOnly flags on web app cookies that carry sensitive information. Meanwhile, 92% of organisations exclude security teams from CI/CD workflows. That means continuous automation and monitoring of new code may be happening without critical security-related insights.
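As an added example (not code from the original article), here is a small audit that parses Set-Cookie headers and reports the Secure, HttpOnly and SameSite attributes the paragraph says developers forget, plus the browser's rules for the __Host- prefix; the two sample headers are constructed.

```python
# Constructed sample headers (not from the article): a cookie with the flags
# forgotten, beside the same cookie with the attributes a session cookie needs.
WEAK_HEADER = "sessionid=3f9a1c; Path=/"
HARDENED_HEADER = "__Host-sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and an attribute map.

    Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
    Flag attributes such as Secure and HttpOnly map to True; attributes that
    carry a value (Path, Domain, SameSite, Max-Age) keep that value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return the findings for one Set-Cookie header; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so exposed to XSS")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
    # The __Host- prefix makes the browser require Secure, Path=/ and no Domain;
    # a header that uses the prefix but breaks those rules is rejected outright.
    if cookie["name"].startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix used without Secure, Path=/ and no Domain")
    return findings


def audit_response_headers(headers: list) -> dict:
    """Audit every Set-Cookie header in a response; keys are cookie names."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_response_headers([WEAK_HEADER, HARDENED_HEADER]).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The same check can be run over the Set-Cookie headers captured from a real response in a CI step, which is one concrete way to give the pipeline the security insight the paragraph says is missing.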
The 2020-2021 State of Web Application Security Report from cybersecurity vendor Radware showed that web apps are constantly targeted by hackers. Namely, 98% of respondents said their apps were subject to an attack in 2020. Whereas 70% of apps are hosted in the cloud, only 27% of IT security decision-makers completely trust the security of their public cloud platforms.
Web applications represented 39% of all data breaches in 2020, with phishing attacks jumping 11% and ransomware up 6% from a year ago, according to the Verizon Business Data Breach Investigations Report. Similar to previous years, human negligence was the biggest threat to cybersecurity. Sadly, 85% of breaches involved a human element.
Other research from Imperva’s Security Labs estimated that nearly 50% of data breaches over the past several years originated at the web application layer. At the same time, the number of new API vulnerabilities grew by 4% in 2020. This happens as web application environments become more complex. They add multiple first- and third-party APIs to improve user experience and functionality. Each part of the software development lifecycle interacts with various data stores to enable real-time results. This scenario also multiplies the potential data security hazards and the access points attackers may compromise.
In addition, web app encryption still leaves some vulnerabilities. Encryption key security in web apps is currently very limited. Since most browsers do not have access to built-in hardware-based technologies, key management features are scarce. Web crypto APIs are often complicated to set up and use, and they do not directly support any key-storage mechanism.
The bottom line is that most web apps now have a range of safety issues. They lack full visibility and real-time monitoring of all their components. They operate in a cloud environment that is hard to audit. They have multiple access points and often inadequate security controls. The applicable encryption methods lack key management features. Moreover, application development, integration and deployment, and data security are managed by separate teams. Finally, there remains the human factor, which is the major determinant in all data breaches.
Most probably, web apps can never be 100% secure. Nevertheless, there are some strategies that will increase data and app safety.
- Security experts must closely cooperate with developers at all lifecycle stages.
- Besides coding, developers should also be well-educated about cybersecurity.
- Web apps should incorporate multiple authentication factors, preferably those that don’t involve manual data entry (randomly generated one-time passcodes, biometrics, etc.).
- Requests and responses between the browser and the server must be encrypted. Encrypted data and the cryptographic keys should be stored safely and properly.
- Integrate advanced white-box cryptographic solutions, which combine encryption and obfuscation methods to embed secret keys within application code.
- Mitigate the human factors behind cybersecurity breaches with automated compliance applications, automated data entry and management, AI, etc.
- Educate employees accessing the web app from the back end about social engineering and other fraudulent hacking techniques.
- Ensure that important back-end processes like installing software or third-party APIs are controlled by administrators with strong security knowledge.
- Protect not just the app itself, but also the hardware and network it operates in.
- Make sure the connected third-party services and APIs are provided by reliable partners and have limited permissions.