How modern web application technology has made apps more useful—and harder to secure

We live in an era in which users can’t seem to sit still. Long gone are the days when a worker was tethered to a workstation or the humble desktop was the central point of focus (and resulting arguments) within a home office. From the advent of wireless internet access and the first mobile phones to full-blown, cloud-powered mobile computing, modern web application development has been riding a wave of continual transformation.

The explosive adoption of cloud computing coupled with the sheer power that can be packed in a tablet or phone—not to mention a razor-thin laptop with a battery that lasts for days—has given rise to a new generation of users who expect always-available and anywhere-accessible data.

Modern web applications are rising to the challenge of satisfying user expectations. New versions can be deployed at a moment’s notice, bug fixes can be pushed several times a day, and user behavior can help guide the thought process behind the next big feature. They are hosted on cloud environments that can guarantee uptime and automatically scale as demand increases. This shift has had a massive impact on how online companies have addressed the progression of user behavior—but the evolution of the humble web page into what we use today has been an interesting one.

A brief history of web application development

Do you remember the days of multi-page applications (MPAs)? Back then, the bulk of the work in a basic web application would be done on a remote server, often in a company’s own data center, and the work on the user side would be light. Every time you wanted to navigate to a new page by clicking a link, a request would go to the server, then the page would be built and sent back to the client. This generated a lot of back-and-forth requests, with the server doing all the heavy lifting. Then came AJAX, a technology that allowed pages to be updated without the need to reload. Updating specific elements created a more dynamic and richer user experience—and gave us a glimpse of the future: single-page applications (SPAs).

At this point, JavaScript decided it was time to jump in. First, we had JQuery, which while fantastic on the UI side of things, but not so much for handling data—a miss for big enterprise/e-commerce projects. Then Knockout appeared, looking to address client-side to server-side application data mapping challenges. With the emergence of new technologies like Flash and Silverlight, a rich client-side experience looked promising, but heavy reliance on plugins and a raft of security issues ultimately led to the demise of these technologies. Users don’t want to have to worry about how stuff works—they just want it to work and run smoothly, as well as trust that the vendor is keeping them secure and up-to-date.

Then all of the sudden, the JavaScript wagon rolled up with Backbone, followed closely by Angular JS, as some of the world’s largest software houses changed the game by offering open-sourced code from their internally developed frameworks. These advancements led to the first of many standard libraries developers would leverage to create web applications built around a positive user experience, revolutionizing how complex web applications were created and deployed.

Job well done, right? Everyone should just be sitting around, drinking coffee, and using SPA frameworks the rest of the time, right? In an ideal world, yes—but software development rarely goes to plan outside of “Hello, World!” projects.

Web applications are public-facing, often connect to complex systems, and often handle sensitive data. These apps are also an attack vector in roughly three-quarters of major breaches disclosed in the Verizon Data Breach Investigations Report each year. What does this mean? They have to be secure. Aside from the perils of using shared code, web applications built with SPA frameworks can’t be scanned the same way and need advanced DAST scanning technology to ensure full coverage.

How InsightAppSec can help secure your web applications

Where traditional web application security products crawl all existing links in a static app—discovering available pages and elements that could be susceptible to an attack by navigating as a real-world user would—this method falls short in a web application using a framework such as Angular or React. SPAs generate pages on the fly, making it hard to uncover all the available pages, elements, and endpoints using a traditional crawl. The golden rule of dynamic application security testing (DAST) is that you cannot assess what you cannot see.

InsightAppSec has native functionality to interrogate SPA frameworks, above and beyond what a traditional scanner can do. We support the most popular SPA frameworks and have just announced new capabilities to scan Angular versions up to and including version 7. Watch this space for more releases in our quest to conquer all modern SPAs.

Ready to scan your web app with our DAST? Get a free 30-day trial of InsightAppSec today.

Get Started