Organizations face several cyber threats, and websites are a leading target for cybercriminals. Since a website is exposed to the public Internet, it is easily accessible to an attacker, and it can provide access to a wealth of valuable information if exploited.
As a result, strong website security should be a priority for all organizations. However, many companies overlook one of the greatest threats to the security of their web applications. Web frameworks are commonly used to simplify the development of web applications, but many organizations fail to properly prioritize identification and remediation of vulnerabilities in web framework code.
Introduction to Web Frameworks
Additionally, the use of a web framework can improve the overall quality of code within a website. Since web framework code is more widely used than custom website code, it is likely to undergo additional code review. This review can help to identify and eliminate vulnerabilities before they could be exploited by an attacker.
Trends in Web Framework Security
One of the downsides of web frameworks’ popularity is that they are often targeted in cyberattacks. If a cybercriminal wants to maximize the impact of an attack, identifying a vulnerability in code used by hundreds or thousands of organizations enables them to do so easily.
This increased impact of web framework vulnerabilities has made it a common target of attack. In fact, the number of exploits developed to take advantage of web framework vulnerabilities has remained steady despite the fact that the number of web framework vulnerabilities discovered has decreased in recent years.
On average, 3.9% of vulnerabilities contained within the National Vulnerability Database (NVD) are weaponized by cybercriminals. For vulnerabilities in web frameworks, the average weaponization rate is 8.6%. This is largely due to the fact that the number of exploits has remained steady over time, but the total number of vulnerabilities available to the cybercriminals to exploit has decreased over recent years.
Equifax: A Web Framework Case Study
Web frameworks inhabit an odd position in security where they are a common (and vulnerable) target of attack but are often one of the last locations where developers look to identify and patch vulnerabilities. However, the impacts of an exploit against a vulnerability in a web framework can be significant.
The Equifax data breach serves as a cautionary tale about the potential impacts of failing to remediate exploitable vulnerabilities in a web framework. The breach was enabled by a number of different security failings within Equifax’s environment, but the attacker’s initial entry point was a vulnerable version of Apache Struts.
Apache Struts is a commonly used web framework, and a vulnerability in the code was discovered in Spring 2017. A patch was first made available for the vulnerability on March 7th. On March 9, Equifax planned to apply the patch to affected systems, but, for some reason, it was never applied. Due to failures in security scanning, the organization did not detect the fact that their system lacked this vital patch.
An attacker exploited this vulnerability on March 10th but lay dormant for several months until May 13th. Between May and July 2017, the attacker gained access to a number of servers within the Equifax environment and stole the personal data of over 145 million people, including names, addresses, Social Security Numbers (SSNs), and driver’s license numbers. For 200,000 of these victims, financial data was also exposed in the breach.
The cybercriminals who stole data from Equifax exploited several flaws in the organization’s network security. However, the initial access point was an unpatched vulnerability in Apache Struts. In the end, the cost of the breach to the company, including security upgrades and settlement costs, exceeds $2.7 billion.
Protecting Web Frameworks Against Exploitation
When developing a web application using a web framework, the security of the web application is directly tied to the security of the web framework. Any vulnerabilities in the web framework are inherited by the applications built on top of it.
This makes web framework vulnerabilities a major priority for website security. The visibility of these vulnerabilities and the easy accessibility of web applications, which are exposed to the public Internet, mean that they are a major target of cybercriminals.
For an example of this, look at the Equifax breach, where the cybercriminals’ initial exploit of the network occurred three days after a patch was made available and the vulnerability was publicly exposed. For many organizations, reacting this rapidly to apply patches for newly discovered vulnerabilities is difficult or impossible. A more scalable approach to website security is required.
A web application firewall (WAF) provides this vital, scalable protection. A WAF can be rapidly updated with the signature of exploits against a newly discovered vulnerability and can perform “virtual patching” by identifying and blocking attack traffic against a vulnerable application. This buys an organization the time required to test and deploy patches without leaving an application exposed to exploitation.