Web applications are widespread, and most of them rely on proven open source components such as OpenSSL, the Spring Framework or projects from the Apache Software Foundation. Because these components are developed by a large community and are part of numerous applications, they are generally considered secure. Nevertheless, IT security is a process, and what was once secure does not automatically remain secure indefinitely. Occasionally, security flaws surface even in widely used frameworks. Once discovered, they are usually assigned a unique CVE (Common Vulnerabilities and Exposures) ID and made public (e.g. CVE-2017-5638 for the Apache Struts2 vulnerability published in March 2017). As part of the publication, appropriate workarounds or patches are generally provided as well to close the vulnerability.
A fatal mistake: being lured into a false sense of security
However, the patch provided by the open source community is only the first step in closing the gap. Just as important is that the person responsible for the application knows that the vulnerable framework is used in that application and that action therefore needs to be taken. A regular, perhaps even automated, check of the applications can help identify vulnerable components at an early stage, particularly in the case of purchased applications.
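As an added example (not code from the original article or from the vendor's own products), one way to automate the component check described above: a small Python script that reads a Maven-style dependency list, compares each component's version against an advisory list with affected version ranges, and reports what needs patching. The advisory data and the dependency listing below are constructed for illustration; the affected ranges must be confirmed against the official advisory before use.

```python
import re

# Constructed advisory data for illustration; verify ranges against the
# official CVE-2017-5638 advisory before relying on them.
ADVISORIES = [
    {
        "cve": "CVE-2017-5638",
        "artifact": "struts2-core",
        "affected": (("2.3.5", "2.3.31"), ("2.5", "2.5.10")),  # inclusive
        "fixed_in": ("2.3.32", "2.5.10.1"),
    },
]

def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); stops at the first non-numeric
    piece (e.g. 'RELEASE'), which is sufficient for range comparison."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected(version, ranges):
    """True if version lies inside any inclusive (low, high) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)

def parse_dependency_list(text):
    """Extract artifact -> version from 'group:artifact:type:version:scope'
    lines as printed by `mvn dependency:list`."""
    inventory = {}
    for line in text.splitlines():
        match = re.search(r"(\S+):(\S+):(\S+):(\S+):(\S+)", line)
        if match:
            _group, artifact, _type, version, _scope = match.groups()
            inventory[artifact] = version
    return inventory

def find_vulnerable(inventory, advisories=ADVISORIES):
    """Return (cve, artifact, installed_version, fixed_in) for each hit."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["artifact"])
        if version and is_affected(version, adv["affected"]):
            hits.append((adv["cve"], adv["artifact"], version, adv["fixed_in"]))
    return hits

# Constructed sample resembling `mvn dependency:list` output
SAMPLE_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.30:compile
[INFO]    org.springframework:spring-core:jar:4.3.7.RELEASE:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.5:compile
"""

if __name__ == "__main__":
    for cve, artifact, version, fixed in find_vulnerable(parse_dependency_list(SAMPLE_LIST)):
        print(f"{cve}: {artifact} {version} is affected; fixed in {', '.join(fixed)}")
```

Running the same check on a schedule against every application's build output turns the one-off inventory into the regular, automated check the text recommends.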
Long patch cycles
Next, the provided patches need to be installed. With standard applications, you depend on the vendor, who has to make the relevant patch available. For individual developments, either the internal engineering team or a software development company is responsible. According to a 2015 survey by Onapsis, SAP systems, for example, go 18 months or more before they are patched.
Increasing security (without time pressure)
Alongside awareness of vulnerable components and the need to act promptly, a Web Application Firewall (WAF) can also contribute to improved security. It sits centrally in front of all applications and usually provides protection against known weak points as well as the generic attack vectors from the OWASP Top 10. Virtual patches, applied through corresponding configuration adjustments, can often disarm recently discovered vulnerabilities quickly. In this way, depending on the application landscape, you can save a great deal of the effort of patching every application behind the firewall, or at least reduce the time pressure. Where virtual patching is not possible, WAF vendors usually also provide the relevant patches promptly for serious vulnerabilities.
Running applications on the World Wide Web always involves certain risks; perfect security is an illusion. Nonetheless, you should not be casual about protecting web applications or, worse, neglect them entirely. A regular check of applications for vulnerabilities, for example using the free VulnWatcher solution, together with the use of a WAF, can make an efficient contribution to maintaining a high security level. After all, amid all the uncertainty, one thing is certain: there are enough dangers on the Internet as it is, without us opening ourselves up to known attacks as well.
Marcial Rion has been a Senior Solution Architect at United Security Providers since 2004 and works in the multi-member Web Access Management team.