Application security is more important than ever
The security of business applications is often overlooked, despite the fact that exploitation of vulnerabilities in software is one of the key attack methods of cyber criminals and that application breaches account for the majority of reported security incidents. – Application security
But as traditional software and cloud-based, web and mobile applications play an increasingly important role in business and with applications associated with devices making of the internet of things set to explode, application security has never been more important than it is now.
While much of the responsibility lies with application developers to avoid common, exploitable coding practices and design secure code in the absence of any legislation in this area, there is much that businesses can and should do to mitigate the application security risk, including security testing all applications used by the business, reviewing source code, and layering a broad range of security controls to enhance visibility, alerting and real-time blocking.
Software applications play an important role in our lives. Whether it is in the home or workplace, we use them for communicating with people, staying up-to-date with the things happening in the world, keeping entertained, doing work and much more.
As an industry, apps are big money makers. Research from Statistica claims the apps market will be worth $189bn by 2020. In 2017, there were 2.8 million apps available in the Google Play Store and 2.2 million in the Apple App Store, but as smartphones, tablets and other connected devices continue to advance and more people buy them, the number of apps will only increase.
At the same time, thousands of web applications and sites are created daily. But while apps continue to deliver benefits, there are also challenges. In particular, connected devices and the software they power have become lucrative targets for hackers.
They are constantly using new and existing tactics to access, steal, change and delete personal and business data. According to research from Akamai, the number of application attacks grew by 63% in 2017, while 73% of security incidents flagged by Alert Logic were application breaches.
To protect users and data, application security has become an important consideration for businesses globally. When it comes to creating and releasing an app, developers must continually monitor, fix and prevent security vulnerabilities.
The most successful techniques work across the entire lifecycle of an application, including design, development, release, and upgrade. However, as the internet of things (IoT) ecosystem grows, it is likely these attacks will only grow. Computer Weekly looks at what companies can and should be doing to prevent them.
A security epidemic
Scott Crawford, a security analyst at 451 Research, believes security threats arise because companies are using a diverse range of applications. Often, IT and security teams just do not have the resources or time to identify and respond to attacks.
“Software vulnerabilities remain one of the primary exposures of IT to threats – and are among the most challenging problems for organizations to tackle successfully, at multiple levels. Part of the issue is that the challenge is spread across multiple domains including Cots (commercial off-the-shelf) products, bespoke applications, and systems, and embedded software,” he says.
Software in each such domain may have multiple moving parts, notes Crawford. “Endpoint components as well as server-side and back-end functionality, and not infrequently logic in between, as with edge computing in IoT, for example.
“Cots suppliers have come a long way in addressing vulnerabilities in their products, but the deployment of updates often faces many hurdles in organizations To say „just patch it‟ reveals a profound lack of understanding of those challenges,” he says. “Bespoke applications, meanwhile, are undergoing radical change as organizations move
from traditional „waterfall‟ approaches to development toward the more agile techniques of DevOps “Software embedded in other technologies now includes multiple systems encountered in the physical realm, from sophisticated healthcare systems and industrial controls to cars, homes and everyday objects.
The logic embedded in these systems may be difficult to protect, let alone update – and technology turnover may take years. Businesses must plan today for the security not just of tomorrow, but for several years that may be – quite literally – down the road.”
Fostering security by design
Lev Lesokhin, senior vice-president of strategy and analytics at software intelligence firm CAST, says that many application vulnerabilities are caused by architectural design flaws and that developers need to weave security techniques into the code of their apps.
“As automation and smart software become an increasingly large part of IT systems across several industries, the way these machines are programmed needs to be carefully analyzed,” he says. “If developers do not pay attention to the code they write for these systems, the effects could be far-reaching. A chatbot that is not responsive and intuitive is useless.
Code added to artificial Intelligence may have the prejudice of its developers. The risks are endless.” Security is an essential requirement for any type of digital business, says Lesokhin. “In a sense, it‟s a hygiene factor. It must be present, although it seldom contributes directly to the primary business functionality of the system. However, poorly-chosen security approaches can certainly impede usability and efficiency.
“An organisation’s overall approach to security (involving culture, technology and processes) can have a major impact on its agility and, hence, ability to innovate in digital business. The best security organizations see their job as making innovation safe – an attitude that is very supportive of digital business initiatives.”
David Smith, chief information security officer at forensic data software firm Nuix, says many hackers are tapping into existing techniques to compromise badly designed applications. “We are still seeing a lot of the same techniques to hack applications as we have previously
seen,” he says. “For example, buffer overflows, along with poor coding still remain two of the biggest application security issues. In addition, we have found many organizations are still not applying encryption very well. “The US has a governmental standard for encryption, which ensures the encryption is being put in place correctly,” says Smith.
“Many are not applying this properly, which results in applications with flawed security.” Another technique commonly used by hackers trying to get around application security is called fuzzing. “Its power is in its simplicity,” says Smith. “Any time there is an opportunity to enter information, hackers will try entering non-expected
information to find a loophole.
For example, if a field is asking you for a UK postal code, hackers may try entering more characters than what is expected, and if the program is coded poorly, it may let them in. This works more often than you may think.”
New application security threats
Alex Ayers, head of application security at information services firm Wolters Kluwer UK, says the rise of technologies such as artificial intelligence (AI) and the internet of things (IoT) will introduce new application security threats.
“While many application security failures are due to well-known threats, there are always new attack vectors or new ways of using known exploits,” he says. “The commoditization of AI, machine learning, and hacking as a service (HaaS) greatly increases the risk to running applications with easily discoverable and well-known vulnerabilities. The ongoing inability to bring cyber criminals to justice does nothing to deter increasingly sophisticated attacks,
potentially bolstered by the availability of sophisticated tools developed by government agencies.”
However, while there are plenty of ways companies and IT managers can prevent such threats, Ayers believes that they need to be underpinned by strong industry standards and investment. “Technology is evolving along with the threat landscape,” he says. “Firewalling technology is advancing and can provide the ability to rapidly mitigate new threats.
Tools to protect applications at runtime are becoming more popular and development frameworks, such as
Angular, are building in protection against common vulnerability classes.” But Ayers cautions that tooling is of limited use without the standards, policy, and practices to ensure that it is being used effectively.
“Projects such as such as OWASP SAMM and BSIMM enable organizations to consistently and reliably measure and improve the security of their software,” he says. “It is not for want of information, tools or techniques that applications are vulnerable to long-term and upcoming threats.”
Combating threats is less a technical challenge than a management one, according to Ayers. “It is easy for organizations to talk good security, but the resilience of applications will always significantly lag threats unless there is an investment in implementing processes for measuring, improving and embedding security within the development pipeline.”
Omid Shiraji, chief information officer of Camden Council, agrees that application security threats are always evolving. He believes that companies and technology teams should develop and implement sophisticated recovery plans to respond to hack attempts.
“We see the current threat vectors evolving so fast and malware becoming increasingly complex,” he says. “In a world where your fridge or lightbulb may be a method of attack, you‟ll never be able to build a wall high enough to keep the bad guys out. The investment for UK organizations should be in recovery rather than protection.”
Educating UK boardrooms about the complexity of modern-day threats, pragmatically and without scaremongering, is a key role for the technology and data leader, says Shiraji. “More chief information and chief data officers sitting on boards will help keep cyber awareness as a key organizational priority and protect and strengthen an organization’s reputation.”
Cybercriminals are continually coming up with new ways to compromise application infrastructure. Mark Hill, chief information officer at Frank Recruitment Group, says firms should be aware of fraud and hack attempts targeting employees.
“The threat from cybercrime is growing and the perpetrators are no longer using basic „spray and prey‟ techniques. The lack of inter-government cooperation and the belief that cybercrime is without risk is simply fuelling this trend,” he says. “Frank Recruitment Group takes the emerging security threats very seriously.
We strive to continuously improve all of the defenses and application defenses to protect our both our company and our customers‟ data. The key threat we see today is in the extensive and targeted use of confidence scams, which tries to tricks unwitting employees into handing over some form of data or access to systems.”
To identify and respond to threats, the recruitment firm has undergone a digital transformation drive. “We work closely with our staff to continually raise the awareness of security threats,” he says. “We only work with Tier-1 cloud applications providers with multi-factor authentication mechanisms, who themselves invest very heavily in security, to a level much more than we could ever realistically afford to do, much the same as any sensible mid-sized business.”
Clearly, the number of applications used by the general public and business world is not going to stop growing anytime soon. But the same thing could be said for hack attempts.
Although hackers are still using existing methods to gain access to applications and steal data, they are also generating new ways to stay under the radar and bypass security systems. Because of this, firms and IT managers need to take proactive and consistent measures to prevent and minimize damage. Contact Musato Technologies to learn more about our ICT services and tailored IT solutions.