Chapter 4. Prioritizing Your Web Application Security Defenses

With so many possible threats and attack vectors affecting your web applications, it’s critical that you have a strategy for how to defend against these diverse threats. You should first prioritize defense against the most disruptive scenarios for customers.

With this construct in mind, you should focus on three pillars integral to maintaining business continuity and keeping customers happy: availability, confidentiality, and integrity. These three principles provide an ideal framework for discussing and addressing the core elements of a web application security program.

Availability

Availability will always be the top priority for your web applications and your business. Simply stated, if your applications are not available to either your staff or your customers, your business suffers as a result. Thus, ensuring availability represents the most important priority for web application security. It’s worth noting that availability can be affected both by technical problems (targeted attacks, system failures, etc.) and by environmental events (power fluctuations or outages, flooding, and other natural disasters). However, within the context of application security, we’re focused on the implications of attacks.

The business implications of availability are significant. The high cost of downtime to businesses large and small can be measured both in money and in lost productivity. Recent studies show that on average, IT downtime costs businesses $1.55 million every year. Data shows that technology downtime affects productivity as well, with 545 hours of staff productivity lost annually because of IT outages.

However, the threat is not outages alone. Reduced performance and responsiveness, such as slow load time induced by malicious bots and other attacks, have a negative impact on your business. As cited in a Radware blog, a survey conducted of more than 2,500 online consumers in the US and UK found that 67% of UK shoppers and 51% of those in the US said that site slowness is the top reason they’d abandon a purchase. Accordingly, your security focus begins with ensuring that your websites are always available and cannot succumb to targeted attacks that significantly slow or entirely take down your systems or applications.

Data Confidentiality

Data confidentiality equates roughly to the standard definition of privacy. Data confidentiality is centered on the promise that shared data is being held in confidence—that customers can trust that the data they provide to you is not being leaked, shared inappropriately, or stolen. Ensuring data confidentiality means taking preventative measures to keep sensitive data out of the wrong hands. To protect data confidentiality, you must understand what data your company holds, how sensitive that data is, and the paths that could be taken to access that data. Clearly, the more sensitive or important the data, the more efforts should be taken to protect it. Maintaining data confidentiality protects your reputation for being reliable and trustworthy to partners and customers alike.

Data Integrity

Data integrity addresses one all-important question: can I trust the data? This means, for example, that when bank customers log into their accounts, they trust that the numbers they see are true and accurate—with confidence that the data and data fields have not been manipulated in any way. Like data confidentiality, data integrity protects your reputation and fosters trust with partners, internal stakeholders, and customers.
