How to secure web apps for hybrid work

To properly protect your organization from new threats, it’s important to recognize how the security landscape has changed in the age of hybrid work. In the past, you knew most of your employees were accessing sensitive data and business apps inside your onsite firewall, which made it difficult for hackers to breach your network. When employees did work remotely, requiring a VPN to access your network on IT-managed devices was usually enough to provide an encrypted connection that would protect both personal information and private company data.

Today is a different story.Bot traffic represents about 40% of internet traffic, meaning your business faces automated threats that can attack hybrid workers constantly.41% of remote workers access confidential information using unsecured apps, which a VPN cannot protect you against.Web application hacks are the main attack vector for hackers, accounting for 80% of related data breaches. These frightening trends make it clear that you need to evolve your application security and access security to best protect hybrid workers. Otherwise you could face a data breach with awful costs to your revenue and brand reputation, in addition to exposing you to significant legal liability.

To update your application security to meet these new threats, start with thethree new risk categories that OWASP has addedto its application security threat list. The most noteworthy new application threat is insecure application design, which suggests businesses need to become smarter about building security into their applications earlier instead of focusing only on post-production app security. Software and data integrity is another vital new threat category, as the popularity of the CI/CD approach in app development has led to a reliance on unvalidated and risky code or components; the best mitigation strategy is to only use software and libraries from trusted and secure repositories. Server-side request forgery is also predicted to rise as a threat as more web apps make calls for external data, and the best defense is to minimize the type, scope, and amount of requests an application can make.

Beyond these rising threats, it’s also important to reviewhow OWASP has updated its top 10 application security risks since 2021。First, broken access control has risen to the top threat; this risk stems from failing to ensure employees, processes, and devices do not act outside their permissions when using business apps. Identification and authentication failures also remain a significant threat, so pay attention to your access security processes and be sure to require strong, frequently changed passwords and multi-factor authentication. And while app injection attacks are no longer the top risk, it’s still key to have a positive security model that limits which employees, APIs, and processes can run commands against sensitive data.

Considering how many changes to the OWASP list of app security threats are based in authorization and authentication failures, it’s clear the path to tightening application security runs through ensuring secure access for employees wherever they work. This in mind, to ensure an optimal and secure work environment for hybrid workers,67% of IT leaders are evaluating access security solutions (like zero trust network access) and 58.5% are evaluating app security solutions。一个有效的应用程序security solution to explore is a web application firewall that can protect your business apps from zero-day attacks wherever remote workers use them.

But while these security solutions are invaluable, protecting your business also depends oneffective security practices。For example, the serious risk of cryptographic failure often results from businesses failing to properly implement encryption technology and enforcing encryption for both data at rest and in transit. Moreover, too many businesses store sensitive data long after they actually need it—exposing them to unnecessary risk. Another risky security practice is relying on vulnerable and outdated components inside your applications, so it’s critical to continuously inventory the components in your environments to check for known vulnerabilities.

Protecting your web apps and APIs has never been a simple task. As bad actors step up their efforts to target your applications through your distributed workforce and other weaknesses, the best defense is taking the OWASP top ten list seriously by adopting a layered defense in your application security strategy. This includes protecting your resource layer, control layer, and host layer, but remember that secure hybrid work is also a crucial element—educate your hybrid workers about secure practices and equip them with the right access and application security solutions to keep your business safe.

Security threats are a risk to your entire organization, not simply one department or employee. This in mind, it’s vital to increase thesecurity IQ每个员工在你的组织的教学them how to recognize new threats, leverage the right tools, and make smart decisions. The result is the creation of a thriving security culture where everyone takes responsibility for protecting company data, personal information, and each other.