How To Close The Door To Hackers With Better Web Application Security

by Chad Smith on July 20, 2021

No matter how much your organization has invested in cybersecurity, a single web application is often all it takes for hackers to gain access to critical business and customer data.

Verizon analyzed over 5,200 data breaches in the past year and discovered over 90% originated from apps, underscoring the need to prioritize web application security.

Government agencies tend to have the most stringent security requirements, but web application security is crucial in every industry.

Here are three recent examples of web application security breaches and five strategies you can implement now to protect your organization.

What are the consequences of poor web application security?

HIPAA violations

Insecure portals or web applications designed with vulnerabilities can expose private information, potentially resulting in fines or lawsuits.

In one recent example, the Pennsylvania Department of Health fired a contact tracing vendor after it exposed private health information for over 72,000 people, according to the Philadelphia Inquirer.

The vendor had uploaded the data to Google Drive documents set to be viewable by anyone with the link, so no password or login was needed to open them. In addition to creating widespread mistrust, the breach resulted in at least one lawsuit.

Identity theft and financial loss

Most of us have become comfortable using apps to manage our finances, but a report by Intertrust found 81% of them leak data. Banking and payment apps are especially exposed because weaknesses in how they store and handle encryption keys can let attackers recover the keys and decrypt payment information and customer data. This can lead to identity theft and unauthorized access to customers' banking information.

Responding to data breaches can also cost your organization millions of dollars, including paying ransom costs to retrieve data, notifying customers, and implementing additional security measures to address vulnerabilities.

Damage to your company’s reputation

As people started using Zoom's video conferencing apps more frequently at the beginning of the COVID-19 pandemic, cybercriminals obtained working credentials for over 500,000 accounts, largely by credential stuffing with passwords reused from earlier breaches, and sold them on the dark web. In addition to leaking email addresses and passwords, the hackers released personal meeting URLs.

This allowed unauthorized users to listen in on meetings or even take control of them. It also put shared documents and files at risk. While Zoom implemented new security measures to combat this, companies everywhere that used the app had concerns about others gaining access to confidential information.

If your organization experiences an application security breach like this one, you may have to go on the defensive to reassure customers and key stakeholders that their information will stay protected.

What strategies can help you improve web application security?

Ensure proper training for everyone involved in software development

The best web applications are built securely from the ground up, starting with the code.

While your developers play a critical role, they aren’t the only people who should be involved. Software developer community DZone recommends web application security training for everyone involved in the process, including developers, QA specialists, and project managers.

Scan your web applications for security vulnerabilities

The nonprofit Open Web Application Security Project (OWASP) recommends using dynamic application security testing (DAST) tools to scan your running web apps for the most common security issues. There are many different tools available, and a number of them are free. If you're not sure which one is best for your organization, have your development team request free trials of several tools and compare their findings. Keep in mind that a dynamic scanner only exercises what it can reach through the running application, so it complements, rather than replaces, code review and static analysis.
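To make concrete what a dynamic scanner actually does, here is an added example (not code from the page or from iOFFICE) of the simplest DAST check: probing a parameter for reflected cross-site scripting. The target is an in-process WSGI app with a hypothetical `/search?q=` route so the script runs offline; a real scanner would send the same request over HTTP to the deployed application. The two handlers, `vulnerable_search` and `hardened_search`, are constructed for the demonstration.

```python
"""Added example: a reflected-XSS probe of the kind a DAST tool runs.

Both handlers and the '/search' route are hypothetical; the target is driven
in-process through the WSGI interface so no network is needed.
"""
import html
import secrets
from urllib.parse import parse_qs, quote
from wsgiref.util import setup_testing_defaults


def _query_param(environ, name):
    return parse_qs(environ.get("QUERY_STRING", "")).get(name, [""])[0]


def vulnerable_search(environ, start_response):
    """Hypothetical search page that echoes the query into HTML unescaped."""
    q = _query_param(environ, "q")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<h1>Results for {q}</h1>".encode("utf-8")]


def hardened_search(environ, start_response):
    """Same page with output encoding applied before the value reaches HTML."""
    q = _query_param(environ, "q")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<h1>Results for {html.escape(q, quote=True)}</h1>".encode("utf-8")]


def fetch(app, path, query_string):
    """Drive a WSGI app directly; return (status, headers, body as text)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = "GET"
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = query_string
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8", "replace")


def scan_reflected_xss(app, path, param):
    """Probe one parameter and classify how it is reflected.

    A unique canary wrapped in HTML metacharacters is injected. If the exact,
    unencoded string comes back inside an HTML response, user input reaches
    the page without output encoding, which is the condition for reflected
    XSS. Verdicts: 'vulnerable', 'encoded' (reflected but escaped), or
    'not_reflected'. The random canary avoids false positives from the
    probe text appearing elsewhere on the page.
    """
    canary = secrets.token_hex(6)
    payload = f'"><x{canary}>'
    status, headers, body = fetch(app, path, f"{param}={quote(payload, safe='')}")
    is_html = any(k.lower() == "content-type" and "text/html" in v.lower()
                  for k, v in headers)
    if payload in body and is_html:
        verdict = "vulnerable"
    elif canary in body:
        verdict = "encoded"
    else:
        verdict = "not_reflected"
    return {"url": f"{path}?{param}=<probe>", "status": status, "verdict": verdict}


def run_demo():
    """Scan both hypothetical handlers; returns {'vulnerable': ..., 'hardened': ...}."""
    return {
        "vulnerable": scan_reflected_xss(vulnerable_search, "/search", "q")["verdict"],
        "hardened": scan_reflected_xss(hardened_search, "/search", "q")["verdict"],
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:10s} -> {verdict}")
```

The same probe against the unescaped handler reports `vulnerable` and against the escaped one reports `encoded`, which is exactly the difference a scanner's findings page shows you. Commercial and open-source DAST tools run hundreds of such probes per parameter (SQL injection, path traversal, header injection) and crawl the site to find the parameters in the first place, but each individual check follows this inject-and-observe pattern.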

Consider a web application firewall

A web application firewall (WAF) sits in front of your web applications and inspects incoming HTTP requests, blocking those that match known attack patterns such as SQL injection or cross-site scripting payloads. It reduces exposure while underlying flaws are being fixed, but it does not fix them, so treat it as an additional layer rather than a substitute for secure code. Look for one that's fast, easy, and cost-effective to deploy.
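The following added example (not code from the page or from any WAF product) shows the core of a signature-based WAF in a few dozen lines: normalize each request field, match it against a rule list, and block on the first hit. The three rules and the sample requests are constructed for illustration; real rule sets such as the OWASP Core Rule Set are far larger and use anomaly scoring rather than a single match. The sample traffic deliberately includes a request the rules wrongly block and one they miss, because both failure modes are what you will spend time tuning in production.

```python
"""Added example: a toy signature-based web application firewall.

Rules, request format and sample traffic are all constructed for this
demonstration and are not taken from any real product.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

RULES = [
    # quote, OR, then a comparison: the classic ' OR '1'='1 tautology
    ("sqli-tautology", re.compile(r"['\"]\s*or\s+[\w'\"]+\s*=\s*[\w'\"]+")),
    # an opening <script> tag in any field
    ("xss-script-tag", re.compile(r"<\s*script\b")),
    # two or more ../ segments
    ("path-traversal", re.compile(r"(?:\.\./){2,}")),
]


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""


def normalize(value):
    """URL-decode once and lowercase so %3Cscript%3E or <SCRIPT> still match.

    Assumption: the application also decodes exactly once. If it decodes
    again, an attacker can send %253Cscript%253E, which this function leaves
    as %3cscript%3e, and no rule matches even though the app sees <script>.
    """
    return unquote_plus(value).lower()


def inspect(request):
    """Return ('block', rule_id) for the first rule hit, else ('allow', None)."""
    for field in (request.path, request.query, request.body):
        text = normalize(field)
        for rule_id, pattern in RULES:
            if pattern.search(text):
                return ("block", rule_id)
    return ("allow", None)


# Constructed sample traffic: what the rules catch, what they wrongly catch,
# and what slips past a rule written only for <script>.
SAMPLES = {
    "sqli_login":      Request("POST", "/login", body="user=admin'+OR+'1'='1&pw=x"),
    "xss_encoded":     Request("GET", "/search", query="q=%3CScript%3Ealert(1)%3C/script%3E"),
    "traversal":       Request("GET", "/files", query="name=../../../etc/passwd"),
    "benign_search":   Request("GET", "/search", query="q=scripting+languages"),
    "false_positive":  Request("POST", "/comment", body="text=she+said+'no'+or+'yes'+=+fine"),
    "xss_evades_rule": Request("GET", "/search", query="q=%3Csvg+onload%3Dalert(1)%3E"),
}


def run_demo():
    """Map each sample name to the WAF decision for that request."""
    return {name: inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, rule) in run_demo().items():
        print(f"{name:16s} {decision:5s} {rule or ''}")
```

Running it blocks the login tautology, the encoded `<script>` payload and the traversal attempt, allows the benign search, but also blocks an innocent comment that happens to contain a quote, "or" and an equals sign, and lets `<svg onload=...>` through untouched. That last pair is the practical point: a WAF buys time and raises the attacker's cost, while the application itself still has to encode output and parameterize queries.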

Implement a bug bounty program

Many organizations, including US government agencies, run programs that reward the public for finding and disclosing cybersecurity vulnerabilities. In 2019, the US Department of Defense paid $275,000 in rewards to civilians who reported 146 vulnerabilities, according to SecurityWeek. The Pentagon also paid $290,000 in bounties in 2020.

Vet your software and web application vendors carefully

Even if your organization uses best-in-class security practices, vulnerabilities in vendor-supplied software and web applications can still expose you. Be sure to ask vendors for a detailed overview of their security practices, including data protection, backups, audits, and employee policies. These 25 questions can help you ensure their security practices are just as robust as yours.

How iOFFICE builds application security into its software development lifecycle

As a global workplace software provider, we follow enterprise-level security standards at every stage of our process, starting with the software development lifecycle.

That includes peer review for all new development projects and multiple layers of developer quality assurance. Our developers receive training in secure coding best practices at least once a year, based on industry standards such as the OWASP guidance, the CWE/SANS Top 25, the CERT Secure Coding Standards, and others.

We also conduct application security testing throughout the software development lifecycle, including design, testing, release, and code management.

For instance, our application testing process includes four key steps with checks and balances at each stage.

Here’s a closer look at each one:

Developer testing

Our development team conducts a thorough peer review of the code and software integration to ensure it meets all security best practices and criteria outlined in the project design.

Internal testing

The project moves to a testing environment and undergoes multiple stages of quality assurance, where team members test different workflows with minor variations.

Vulnerability testing

We review all public-facing web applications using manual or automated assessment tools at least once a year and after any updates. In addition to testing specific releases, we use application- and network-based intrusion detection services to continuously monitor web traffic and block web-based attacks. We also perform penetration testing using industry-standard tools to check configuration, secure transmission, denial-of-service resilience, cryptography, and any interaction with highly sensitive information.

Pilot testing

We have customers test and evaluate our software before rolling it out to everyone. Once we have determined the software is operating correctly, we implement a roll-out plan.

Our training program and software development process help us identify web application security vulnerabilities before we deploy any new features or updates.

This gives our customers confidence knowing we are committed to protecting their company and their data from hackers who could exploit their web applications.

Because our integrated experience management system is built natively in the cloud, we can release updates continuously to ship new features and security fixes as soon as they are needed, which is a large part of keeping it secure. Additionally, we host all customer information in multiple, redundant data centers, allowing operations to continue even in the event of a natural disaster or a security incident.

If you’re ready to learn more about how iOFFICE helps you maximize your space and productivity while maintaining best-in-class security, schedule a 15-minute consultation today.


Chad Smith

As the VP of Product Strategy, Chad David Smith wears many hats that leverage his 20+ years of experience in the industry. Chad collaborates directly with clients and partners as well as with the iOFFICE client experience, client success, sales, marketing and development teams to create the most innovative and valued solutions for our clients.
