Key Ingredients for Securing Applications In A Hosting Context

As cyberattacks continue to evolve, securing applications has become a top priority for managed hosting service providers. Between Q1 2023 and Q1 2024, web attacks on applications and APIs surged by 49%, with a staggering 108 billion API attacks recorded in just six months. This illustrates the increasing risk that applications face in the digital landscape, pushing hosting companies to implement stronger security measures.

Case Study: 3CX Breach

‘SmoothOperator’ is a significant supply chain attack that occurred in March 2023. Attackers linked to the North Korean regime targeted the 3CX Private Automatic Branch Exchange (PABX) platform which is used by over 600,000 organisations and 12 million daily users across industries.

The attackers compromised 3CX’s infrastructure by injecting malicious code into an .ico file (a technique known as stenography) which was included with the routine updates of 3CX endpoint clients. This allowed the malware to connect to a command-and-control (C2) server.

The OWASP Top 10: Major Threats to Web Applications

The C3 breach highlights how innovative tactics are being used to infiltrate software distribution channels, emphasising the need for vigilant security in supply chains. It’s also important to understand the most common vulnerabilities affecting web applications today.

The OWASP Top 10 is a well-known list of the most critical security risks for web applications, and can be used as guidance on areas where organisations must focus their efforts. Organisations that address vulnerabilities such as weak access controls, outdated components, and injection flaws can better safeguard their infrastructure and protect applications from attacks.

This is the current OWASP Top 10:

1. Broken Access Control: Occurs when users can perform actions they are not authorised to do, leading to data breaches or unauthorised changes.
2. Cryptographic Failures: Weak encryption or poor handling of sensitive data can lead to system compromise or data leaks.
3. Injection Flaws: Flaws like SQL injection can enable attackers to manipulate queries or commands, gaining unauthorised access.
4. Insecure Design: Weaknesses in the design phase can create vulnerabilities that persist throughout the software lifecycle.
5. Security Misconfiguration: Misconfigured settings can open up unintended vulnerabilities.
6. Vulnerable and Outdated Components: Using outdated or unsupported components creates a critical entry point for attackers.
7. Identification and Authentication Failures: Poor authentication mechanisms can allow unauthorised users to bypass login procedures.
8. Software and Data Integrity Failures: Unverified updates or compromised CI/CD pipelines can lead to data manipulation.
9. Security Logging and Monitoring Failures: Inadequate logging and monitoring reduce visibility into security incidents.
10. Server-Side Request Forgery (SSRF): Occurs when an application fetches a remote resource, potentially exposing sensitive data or networks.

Best Practices for Application Security

Securing applications requires a strategic and layered approach. Vincent Lin, an expert in critical infrastructure protection, emphasises, “The threat landscape has changed drastically in recent years. There are actors out there whose only intention is to break into computer systems and networks to damage them whether it is for fun or profit. There are many consequences but eventually it costs organisations money and creates business risks.”

To build robust security for applications, hosting providers should implement several best practices:

1. Firewalls and Intrusion Detection Systems (IDS)

Firewalls can be configured to block or allow traffic based on a set of rules, which can be static or dynamic. Firewalls are often deployed at the network’s edge to act as the first line of defence, protecting internal systems from unauthorised access. IDS works by analysing packets flowing through the network, detecting patterns that may indicate attacks, such as unusual traffic or known attack signatures.

OWASP Risks Mitigated: Firewalls and IDS can help prevent threats like Broken Access Control by filtering out unauthorised access attempts. They also protect against Injection attacks by blocking suspicious queries and traffic patterns and mitigate Vulnerable and Outdated Components by preventing exploitation attempts directed at known vulnerabilities.

2. SSL/TLS Encryption

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that secure communication over a network. They encrypt data transmitted between a client and a server, ensuring that sensitive information cannot be intercepted by attackers.

SSL/TLS is used for securing websites (through HTTPS), email, instant messaging, and other communications over the internet. It is essential for e-commerce sites, online banking, and any service handling sensitive user information.

SSL/TLS uses asymmetric encryption to establish a secure connection between two systems (e.g., a user’s browser and a web server). Once a connection is established, all data exchanged is encrypted with symmetric keys. This ensures that even if the data is intercepted, it cannot be read without the encryption key.

OWASP Risks Mitigated: SSL/TLS encryption is vital for addressing Cryptographic Failures by ensuring sensitive data is encrypted both in transit and at rest. It also supports mitigation of Identification and Authentication Failures, by securing the transmission of authentication data such as passwords.

3. DDoS Protection

DDoS (Distributed Denial of Service) protection involves security measures that defend against attacks designed to overwhelm a network or server with traffic, rendering services unavailable.

DDoS protection tools detect unusual traffic patterns or excessive requests coming from multiple sources and either filter out malicious traffic or distribute it across a network of servers (often through content delivery networks (CDNs)) to prevent any single server from being overwhelmed. They also implement rate-limiting to control the number of requests a server can handle from a single IP address.

DDoS protection is crucial for websites, online services, cloud platforms, and other applications that are exposed to the internet and must remain available, even under attack.

OWASP Risks Mitigated: DDoS attacks may not directly correlate to specific OWASP risks, but they can exacerbate vulnerabilities like Security Logging and Monitoring Failures by overwhelming systems, leading to a lack of visibility into real attacks. Effective DDoS protection ensures these logging and monitoring systems remain functional during an attack.

4. Regular Patching and Updates

Vendors release patches regularly in response to discovered vulnerabilities. Patching refers to the process of applying updates to software, operating systems, and applications to fix vulnerabilities, improve functionality, or address security weaknesses. Regular patching is essential for all software, particularly in hosting environments where outdated components can leave systems exposed to attacks.

OWASP Risks Mitigated: Regular patching directly addresses Vulnerable and Outdated Components, which is critical as using unpatched or unsupported software increases the risk of compromise. Patching also helps mitigate Security Misconfiguration, as outdated software can often come with default or insecure settings.

5. Access Control and Authentication

Access control involves defining who can access what resources and under what conditions, while authentication verifies the identity of users or systems attempting to gain access. Access control and authentication are critical for web applications, control panels, databases, and administrative systems, ensuring that only authorised users can access sensitive information or perform critical actions.

Access control mechanisms, such as Role-Based Access Control (RBAC), restrict user privileges based on roles or functions within an organisation. Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to provide multiple verification methods (e.g., password and one-time code) to prove their identity.

OWASP Risks Mitigated: Proper access control and authentication address Broken Access Control by restricting user access to only what is necessary for their role. They also mitigate Identification and Authentication Failures by implementing strong authentication mechanisms, reducing the risk of stolen or compromised credentials being misused.

6. Data Backup and Disaster Recovery

Data backups and disaster recovery plans are critical where data loss can have severe consequences for businesses relying on cloud-based services and applications.

OWASP Risks Mitigated: While backups do not directly mitigate specific OWASP vulnerabilities, they provide a fail-safe in the event of Software and Data Integrity Failures, ensuring that systems can be restored to a known good state after an attack or failure.

7. Malware and Vulnerability Scanning

Malware scanning tools analyse files, applications, and network traffic for signatures or behaviours that match known malware. Vulnerability scanners, on the other hand, check systems for common misconfigurations or unpatched software vulnerabilities.

These tools are usually employed across all web servers, applications, and hosting accounts to identify threats before they can cause damage. Regular scanning ensures that both known threats and new vulnerabilities are identified and addressed.

OWASP Risks Mitigated: Vulnerability scanning directly addresses Vulnerable and Outdated Components, detecting when software is outdated or unsupported. It also helps mitigate Security Misconfiguration by identifying improperly configured systems and addressing Software and Data Integrity Failures by ensuring that updates and patches are applied securely.

8. Security Incident Response

Incident response involves monitoring systems in real-time for signs of a breach, analysing the extent of the damage, containing the attack, and then eliminating the threat. This process often includes forensic investigations to determine the root cause of the incident and ensure that similar breaches are prevented in the future.

OWASP Risks Mitigated: Security incident response addresses Security Logging and Monitoring Failures, ensuring that incidents are detected quickly and responded to appropriately. It also helps mitigate Software and Data Integrity Failures by providing a rapid response when integrity is compromised.

9. Application Isolation and Sandboxing

Application isolation refers to keeping applications separate from each other in a hosting environment, while sandboxing involves running applications in a restricted environment to prevent them from affecting the rest of the system.

Virtual machines (VMs) and containers are often used to isolate applications, ensuring that if one is compromised, the damage cannot spread to others. Sandboxing restricts applications from accessing sensitive parts of the system, limiting their ability to cause harm.

OWASP Risks Mitigated: Application isolation and sandboxing help prevent Broken Access Control by enforcing strict access rules between applications. It also mitigates Insecure Design, as isolating apps ensures that design flaws in one application cannot spread to others.

10. Audit Logging and Monitoring

Audit logging involves keeping detailed records of system and user activities, while monitoring refers to observing these logs in real-time to detect anomalies or security incidents. This is essential in any secure environment, including cloud hosting, where detecting and responding to security incidents is critical for maintaining uptime and protecting data.

Logs track actions such as user logins, file changes, and system errors, providing a comprehensive record of activity. Monitoring tools then analyse these logs to detect patterns that could indicate a security breach, enabling swift responses.

OWASP Risks Mitigated: Audit logging and monitoring are key to addressing A09: Security Logging and Monitoring Failures, which occur when logging is inadequate or non-existent. Effective monitoring helps identify and mitigate Broken Access Control and Server-Side Request Forgery (SSRF) by providing visibility into unauthorised actions or suspicious requests.

Conclusion

For hosting companies, application security is not optional – it is a necessity. The rapid rise in attacks on applications and APIs, combined with the increasing sophistication of cyber threats, underscores the importance of implementing comprehensive security measures. By focusing on key areas like encryption, firewalls, regular updates, and compliance, hosting providers can protect their infrastructure and clients from evolving threats while maintaining a secure environment for applications.