AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Secure the Web Apps You Don't Know You Have


Do you really have true visibility into all your public-facing networked applications? Given today’s network complexity, I suspect that most people would be hard-pressed to accurately answer this, but it’s something that you need to know.

As more and more applications are brought online, the business risk from layer 7 vulnerabilities (e.g. SQL injection, cross-site scripting, etc.) grows with them. Yet the real issue is that many of these Web apps may well have been brought online without your knowledge, in part due to shadow IT, where people in other departments call the shots.

Here are a few examples of publicly-accessible Web apps that I’ve come across that could be running right under your nose, yet may be off of your radar and thus vulnerable to attacks:

  • Marketing websites
  • Niche production Web applications specific to a certain department, e.g. legal or sales
  • Development, QA, and staging Web applications
  • WSDL and SOAP Web service interfaces
  • Firewall interfaces
  • Physical security control system interfaces for cameras and access controls
  • Open Web proxies
  • Third-party hosted websites

These Web-based applications may be running with standard configurations such as TCP ports 80 and 443, or they may be assigned random ports and very specific URLs that must be known in order to access them.

It’s inevitable that one or more of these “forgotten” applications will crop up during a network security assessment or penetration test. Others may rear their heads during firewall rulebase audits. Many are honest oversights, while some may be considered “out of scope”. But the reality is, if it has a URL and is publicly accessible, it needs to be brought under the umbrella of your overall network security controls and testing programs. Otherwise, these applications negate the benefits of your firewalls, intrusion prevention systems, security assessments, etc. that are, presumably, working to keep everything in check. And the odds are, these Web applications will be the way in for cyber attackers, and you may well never know about it.

So don’t wait for the pen testers, auditors or even your own network infrastructure staff. Perform your own port scanning, from the Internet, and look at all ports both high and low, standard and nonstandard, to get a complete picture of your Web presence, before the cyber criminals do.
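The inventory step described above, as an added example that is not code from the original post: a small Python script that checks a list of ports on hosts you are responsible for, sends a minimal HTTP HEAD request to each open port (plain HTTP first, then TLS, since a service on a nonstandard port can be either), and records the status line and Server header so the results can be reconciled against your known application list. The `start_demo_server` and `pick_closed_port` helpers are constructed for the demonstration: they stand up a throw-away web server on a random high port of 127.0.0.1 to play the role of a "forgotten" application. The host list, port list and authorisation to probe them are assumptions you substitute for your own environment.

```python
"""Inventory the HTTP/HTTPS services answering on hosts you are responsible for.

Added example, not from the original post. Assumes you are authorised to probe
the hosts you list; the built-in demo only scans a throw-away server on 127.0.0.1.
"""
import socket
import ssl
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Cheap TCP connect check so we only speak HTTP to ports that answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_response(raw: str):
    """Return (status line, Server header or None) from a raw HTTP response."""
    lines = raw.split("\r\n")
    server = None
    for line in lines[1:]:
        if line.lower().startswith("server:"):
            server = line.split(":", 1)[1].strip()
    return lines[0], server


def probe_http(host: str, port: int, timeout: float = 2.0):
    """Try plain HTTP, then HTTPS, on one port; return an inventory record or None."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    for scheme in ("http", "https"):
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            if scheme == "https":
                ctx = ssl.create_default_context()
                # Inventory only: we record that a TLS web service exists,
                # we are not establishing trust in its certificate here.
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                sock = ctx.wrap_socket(sock, server_hostname=host)
            with sock:
                sock.sendall(request)
                raw = sock.recv(4096).decode("latin-1", "replace")
        except OSError:  # refused, timed out, or TLS handshake failed
            continue
        if raw.startswith("HTTP/"):
            status, server = parse_response(raw)
            return {"host": host, "port": port, "scheme": scheme,
                    "status": status, "server": server}
    return None


def inventory(hosts, ports, workers: int = 32):
    """Check every host/port pair and keep only the ones speaking HTTP(S)."""
    def check(pair):
        host, port = pair
        return probe_http(host, port) if tcp_open(host, port) else None

    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [rec for rec in pool.map(check, pairs) if rec]


class _QuietHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a forgotten web app; answers 200 to HEAD/GET."""

    def do_HEAD(self):
        self.send_response(200)  # BaseHTTPRequestHandler adds a Server header
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the demo quiet on stderr
        pass


def start_demo_server():
    """Start the constructed demo app on a random high port of 127.0.0.1."""
    srv = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def pick_closed_port() -> int:
    """Bind and release an ephemeral port so we have a known-closed one to compare."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_demo_server()
    # In practice: your external address range and a full 1-65535 port list.
    found = inventory(["127.0.0.1"], [open_port, pick_closed_port(), 8080, 8443])
    for rec in found:
        print(f"{rec['scheme']}://{rec['host']}:{rec['port']}  "
              f"{rec['status']}  server={rec['server']}")
    srv.shutdown()
```

Run it as-is to see the demo server picked out of the port list; for a real inventory, replace the host list with your public address range and the port list with the full range, and diff the output against the applications you already have under your security controls and testing programs. Anything that appears in the scan but not on that list is exactly the kind of "forgotten" app the post is about.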
