Without APPLICATION SECURITY there will never be CYBER-SECURITY

What are “application security vulnerabilities”?

An application vulnerability is a system flaw or weakness in an application that could be exploited to compromise the security of the application. Once an attacker has found such a flaw, the attacker can exploit it.

Application layer security flaws generally result from coding flaws in applications that are either shipped with, or installed after deployment onto, computing devices such as tablets, laptops and desktops.

Buffer overflows, insecure storage of sensitive data, improper cryptographic algorithms, hardcoded passwords, and backdoored applications are only a sample set of application layer flaw classes.
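Three of the flaw classes just listed (hardcoded passwords, insecure storage of sensitive data and an improper cryptographic algorithm) tend to appear together in one small piece of code: a credential check. The following is an added example, not code from the original post or from Appsec; it shows the check first as it is often written under time pressure and then in a hardened form using only Python's standard library. The user names, passwords and store layout are constructed for the illustration.

```python
"""Added example (not from the original post): a login check with three
application-layer flaws, beside a hardened version of the same check.
All names, sample credentials and the store layout are constructed here."""
import hashlib
import hmac
import os

# --- Insecure version: what the flaw classes look like in code ---------------
ADMIN_PASSWORD = "letmein"  # hardcoded password: identical in every shipped copy

# Insecure storage: fast, unsalted MD5 digests of user passwords.
insecure_store = {"alice": hashlib.md5(b"hunter2").hexdigest()}


def insecure_check(user, password):
    """Accepts the hardcoded master password for ANY user, then an unsalted MD5 match."""
    if password == ADMIN_PASSWORD:  # backdoor-style master password
        return True
    digest = hashlib.md5(password.encode()).hexdigest()
    return insecure_store.get(user) == digest  # same password -> same digest for everyone


# --- Hardened version --------------------------------------------------------
ITERATIONS = 210_000  # PBKDF2 work factor; raise until one hash costs ~100 ms on your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256 from the standard library."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class CredentialStore:
    """No master password exists; an administrator is a per-user record like any other."""

    def __init__(self):
        self._records = {}  # user -> (salt, digest); never the password itself

    def add_user(self, user, password):
        self._records[user] = hash_password(password)

    def check(self, user, password):
        record = self._records.get(user)
        if record is None:
            hash_password(password)  # burn a hash so unknown users cost the same time
            return False
        return verify_password(password, *record)


def build_demo_store():
    """Constructed sample store: two users who chose the same password."""
    store = CredentialStore()
    store.add_user("alice", "hunter2")
    store.add_user("bob", "hunter2")  # same password, different salt -> different digest
    return store


if __name__ == "__main__":
    print("insecure, master password:", insecure_check("alice", "letmein"))
    store = build_demo_store()
    print("hardened, correct password:", store.check("alice", "hunter2"))
    print("hardened, master password:", store.check("alice", "letmein"))
```

The hardened store removes the flaw rather than hiding it: there is no secret to hardcode, each stored record is a salted slow hash instead of a reversible or unsalted value, and the comparison does not leak timing. The work factor is the one knob a team has to tune per deployment.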

The result of exploitation of application layer security flaws can range from elevated operating system privileges to easy access to sensitive data, information theft, modification and obstruction of information and services.

One of the main reasons for application security flaws is the time-to-market pressure on application development teams. This financial pressure forces many developers to overlook or disregard the security aspect of the SDLC (Software Development Lifecycle) process.

SDLC stands for Software Development Life Cycle. A Software Development Life Cycle is essentially a series of steps, or phases, that provide a model for the development and lifecycle management of an application or piece of software. The methodology within the SDLC process can vary across industries and organizations.

If the applications were not developed with security in mind, then this gives the cyber-criminals the potential to exploit the application vulnerabilities to enable a cyber-crime. These cyber-criminals target the confidentiality, integrity, or availability (known as the “CIA triad” in information security) of resources possessed by an application, its owners and its users.

Attackers/Cyber-criminals usually rely on specific tools or methods to perform application vulnerability discovery and compromise.

According to Gartner Security, the application layer currently contains 90% of all vulnerabilities (Gartner & Symantec, June 2006).

Conclusion

Application level vulnerabilities are a major factor in the cyber-crime game.


Application level cyber-threats

“2012 saw the exploitation of software vulnerabilities become the most popular way to gain access to a user’s machine”.

“The majority of exploits detected were related to four vulnerabilities (two Windows and two Java), most likely a result of the fact that today’s popular exploit kits, BlackHole and Cool Exploit, include exploits for these vulnerabilities. All of these vulnerabilities were reported in the last two years.”

“Application vulnerabilities were identified as the number one security threat – 69 percent of professionals identified it as a high concern”.

F-Secure 2012 report

It is estimated that insecure software was a contributor in approximately one-third of attributable security breaches.

Concerns around software security increase with company size, perhaps correlated with the greater amount of software development in large companies, versus smaller companies that rely heavily on commercial applications. To these we have to add the newest cyber-threat to organizations, BYOD (Bring Your Own Device), which we clarify later in the article.

Web application threats and security

A web application is an application that is accessed by users over a network such as the Internet or an intranet (all the web sites that you like to surf to).

The World Wide Web has become a powerful platform for application delivery. Web applications are popular due to the ubiquity of web browsers.

Web applications give visitors a path to the most critical resources of a web site, the web server and the database server. As with any software, developers of web applications spend the majority of the development time on functionality and dedicate very little time to secure coding.

The reason so little time is spent on web application security is often a lack of understanding of security on the part of the developer, or a lack of time dedicated to security on the part of the project managers. Security departments scrutinize the desktop, the network, and even the web servers, but the web application escapes their scrutiny. Therefore web applications are often riddled with vulnerabilities that attackers use to gain access to either the web server or the database server.
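The path from a web application to the database server described above runs through the application's own code. The following is an added example, not code from the original post or from Appsec: a lookup handler written the way it often is under time pressure, with the request value spliced into the SQL text, next to the same handler using a parameterized query. The table, rows and request values are constructed for the illustration and the whole thing runs against an in-memory SQLite database.

```python
"""Added example (not from the original post): the same user-lookup handler
written two ways. The table, rows and request values are constructed here."""
import sqlite3


def make_db():
    """Constructed sample database standing in for the site's database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_insecure(conn, name):
    """Request parameter spliced straight into the statement text.

    Whatever the visitor sends becomes part of the SQL the database server
    executes, so the visitor, not the developer, decides what the query is."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_secure(conn, name):
    """Parameterized query: the value travels separately from the statement.

    The database driver binds it as data, so it can only ever be compared
    against the name column, never interpreted as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed request value of the kind a probe sends: it is a valid string,
# so input "validation" that only checks the type would let it through.
CRAFTED = "x' OR '1'='1"


def compare_handlers():
    """Run both handlers on a normal name and on the crafted value."""
    conn = make_db()
    return {
        "insecure_normal": lookup_insecure(conn, "alice"),
        "insecure_crafted": lookup_insecure(conn, CRAFTED),  # every row comes back
        "secure_normal": lookup_secure(conn, "alice"),
        "secure_crafted": lookup_secure(conn, CRAFTED),  # no user has that literal name
    }


if __name__ == "__main__":
    for label, rows in compare_handlers().items():
        print(f"{label}: {rows}")
```

The point for a code review is that the fix is not a filter on the input but a different way of building the query; the secure handler is also shorter, which is why this is a coding-practice issue rather than a resourcing one.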

The entire development cycle is usually lacking in security procedures and controls. This illustrates the fundamental gap between security and development, which creates web application vulnerabilities.

Cloud computing is becoming ubiquitous, and cloud resources are accessed mainly through web browsers, which need no special installation and come already packed into every computer. Accordingly, attacks against web sites have grown exponentially, to the point that even gargantuan companies like Google, Apple and Amazon are having difficulty trying to stem the cyber-attacks against their applications (not always successfully).

Even governments and the military are finding it difficult to defend themselves, and they are investing in application security as the ultimate defense against cyber-attackers.

It is estimated that websites are probed about once every two minutes, or 27 times per hour (2011-2012).

Attacks against Web applications were prevalent in both the data center and in the cloud. It is estimated that some 52 percent of cloud hosting provider environments suffered Web app attacks, and 39 percent of enterprise data centers experienced the same.

Web application attacks continue to be a serious threat across all environments; these types of threats are easily launched through automated tools and should be a top concern for any organization.


Mobile application threats and risks

Mobile applications are hot, growing in numbers and capabilities, and expected to be expanding rapidly both in number of applications and number of downloads.

It is estimated that there will be 44 billion downloads of mobile apps by 2016 by users of all mobile platforms: Apple, Android, Microsoft, Nokia and others.

Mobile applications, commonly called apps, provide enhanced convenience and functionality. Developers have created countless mobile applications for various uses and activities, which is contributing to the explosive growth of modern mobile devices. Anyone can potentially develop and distribute mobile applications with little oversight, making apps a potential attack vector for cyber-criminals.

The various mobile platforms pose a new security threat landscape, adding a whole new set of client-side security issues to the complexity of the existing landscape.

Mobile security vulnerabilities are errors in code design or implementation that expose the mobile device's data to interception, retrieval and manipulation by attackers. Mobile code security vulnerabilities can also expose the mobile device, or the cloud applications used from the device, to unauthorized access.

Mobile application attacks are typically targeted more toward handheld devices for which an SDK (Software development kit) is available than those without one, since code development is easier to perform. SDKs are more prevalent for smart phones and tablets than for other handheld devices, and to date those environments have experienced the majority of cyber-attacks.

Right now there are over 450,000 apps in the Android market, whereas there were fewer than 100,000 in July 2010.

Architecturally, mobile applications are different from standard applications and sites.

Unlike standard web applications:

  • Mobile applications need protecting against neighboring client side applications.

Unlike standard desktop applications:

  • Mobile applications are usually based on web services.

The implications of the mentioned differences make securing mobile apps complicated; it means there is a need to protect the client side from local attacks and the server side against remote attacks.

In addition, mobile applications face unique dedicated threats and hacking methods that standard practice does not address.

Awareness of the potential threats will be the driving force in addressing and resolving security issues, and consequently in achieving the application integrity that will eventually enhance cyber-security, something that is clearly needed given the number of successful global cyber-attacks.

A mobile workforce enhances productivity, but it should not come at the expense of security and privacy.

Existing solutions and huge blind spots

Vendor solutions

Google Play applications & Bouncer

In early February 2012, Google announced Bouncer, a system to automatically analyze submissions to Google Play for potentially malicious behavior.

Bouncer provides developers and the greater security community an alternative to the manual curation process. Developers can still innovate quickly while Bouncer increases the baseline level of security for Android users.

Automated filtering engines mostly detect and protect against malware and other malicious code embedded in applications, but they do not always reveal flaws and vulnerabilities in the application-level code itself.

Apple App Store applications

In May 2012 Apple released its first report on iOS security, covering current capabilities related to system architecture, encryption and data protection, network security, and device access. iOS 5.1 was released on March 7, 2012, and was jailbroken just days later.

Programmers should note that:

Apple requires developers to enroll in the “iPhone Developer Program”. Every application submitted to the App Store is evaluated by at least two reviewers for bugs, instabilities, unauthorized content and other coding violations. This means it is imperative that programmers are accompanied during development by professional secure coding experts.

The mobile application blind spots

The critical blind spot is that these services do not address many application-level and business-logic vulnerabilities. Attackers do not only add malware; their first attempts are to use app vulnerabilities to exploit the applications themselves. The actual code is vulnerable.

BYOD - Bring your own device

BYOD is a phrase that has become widely adopted to refer to employees who bring their own computing devices, such as smartphones, laptops and tablets, to the workplace for use and connectivity to the corporate network. Today, sensitive business and personal information is co-mingled on these devices, making them the perfect attack vector for application-level flaws and vulnerabilities and, ultimately, posing a greater threat to organizations.


Addressing application security threats

What are the strategic questions all cyber warfare policy makers are concerned with?

–  How do we minimize the vulnerabilities of software products and applications?

–  What mechanisms must be implemented within the software development cycle that will directly improve the security status of the application?

The key to answering these questions lies in our search for the weakest link that is the source of the vulnerabilities, i.e., the developers.

Since application layer security vulnerabilities are a direct result of insecure coding practices, which allow the vulnerabilities to be embedded in the code, the strategic mitigation methods must focus on developer coding practices, which impact the security stature of the application directly.

How do we get developers to use secure coding best practices?

(*) Education - educating developers to use secure coding best practices.

(*) Monitoring methods - monitoring the security stature at all phases of the development process.

Increased developer awareness of secure coding is crucial to the evolution of the cyber war frontier.

Though the solution isn’t bulletproof (after all, we are dealing with the human race), policy makers must realize that by educating and enforcing secure coding practices we mitigate a large number of vulnerabilities by making sure they are never created.


How do we secure web applications better?

In order to address security we must perceive the security element of development as an integral part of the full development cycle. Its presence must be considered from the early design stages throughout the full cycle of development, in a parallel yet integral security development lifecycle.

What is the Security Development Lifecycle?

The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost. (Microsoft)

Our web security procedures and mitigations are also based on OWASP, the Open Web Application Security Project. This international project is “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” The project's work is derived from a collaboration of security professionals, and it has been making an effort to inform web decision makers of the 10 most critical web application security flaws through its Top 10 Project.

The OWASP Top 10 is a powerful awareness document for web application security and represents a broad consensus about what the most critical web application security flaws are. Cyber-attack trends against web sites change from month to month, so critical flaws need to be pre-empted by proper application design and tested for at the coding stage.

Security certification and accreditation programs rarely examine web application vulnerabilities. It is therefore classically thought that security experts are the main players in the cyber-crime war, when in fact, strategically, we as secure coding experts proactively focus on the developers who are creating the vulnerabilities by not using secure coding best practices.

Case study: the importance of secure coding, PCI

The Payment Card Industry council has made it a requirement to secure applications that process credit cards. This requirement is called the Payment Application Data Security Standard (PA-DSS).

“The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties”.

PCI PA-DSS Requirements and Security Assessment Procedures, v2.0.

This standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS).

We accompany organizations on the road to PCI DSS compliance, as it is extensive and includes many important steps which must be followed in order to assure optimal security measures, including advanced application penetration testing services.

Securing Applications by education and training

As Israel has become one of the most cyber-attacked countries in the world, targeted by everyone from cyber-terrorists and hacktivists to cyber-criminals, we have been at the forefront defending our cyber-realm shoulder to shoulder with leading organizations, be they governmental, military or banking, by security testing and especially by training the defenders of those organizations.

The knowledge and experience that our experts have accumulated in the Israeli cyber-battleground is being taught by our team of cyber-commandos in all corners of the world.

As we have seen from all the successful cyber-attacks worldwide, generic cyber-defense or information security practices are not enough.

The main reason for the unsuccessful defense is the fact that developers, as the builders of software applications, do not have the incentive, or worse, the necessary knowledge, to develop applications securely.

As the old proverb states, “give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” We believe that the most effective and cost-effective solution is education.

Enhancing awareness of the impact of security issues, addressing security by design, mapping the threat landscape, and mitigating and verifying the security of the application will lead to a greater improvement at the baseline coding level. Fewer vulnerabilities will be created and fixing cycles will be shortened, leading to quicker time to market and more secure applications, and thus to visible ROI.

Training developers and managers to understand the importance and impact of insecure coding, and to get acquainted with the threat landscape, is the key to making them more aware and getting them to take action in order to secure their products effectively.

Security testing - exposing vulnerabilities before it’s too late

The optimal way to discover application vulnerabilities is by having our team of experts simulate real world cyber-criminals by attacking the application at the code level.

From the extensive real-world experience of our experts in the cyber-battleground that Israel has become, we have found that it is essential to test applications. We have therefore devised three testing methods that can be adjusted to the most menacing cyber-threats:

  1. Black box - Black box testing is the process of simulating a skilled attack, using the techniques and tools aimed at detecting security vulnerabilities and exploiting them.
  2. White box - Security code review is an in-depth analysis of the application’s code aimed at detecting security vulnerabilities by inspecting the actual code of a given system.
  3. Grey box - A grey box test provides a full system inspection, from both the developer’s perspective and a real malicious hacker’s perspective. In addition to the automatic and manual tools used to audit a full, comprehensive black box test, the auditor has another tool: access to the system’s internal structures and code.

Security impact

Personal, business and governmental entities will continue to be exposed, with serious consequences, if application security best practices are not introduced: data breaches, disrupted operations, lost business, brand damage, and regulatory fines.

The high volume of known application vulnerabilities suggests that many development teams do not have the security resources needed to address all potential security flaws and that there is a clear shortage of qualified professionals with application security skills.

This exposure is reduced by enhancing awareness of the security landscape and of how its threats should be dealt with, using:

(*) Education of programmers in secure coding practices.

(*) Addressing security at all stages by using secure coding methods and testing.


Summary

The main importance of application security lies in the fact that an application that is not properly security-coded is like a modern high-rise building constructed in the middle of a crime-infested part of the city: it looks nice and stable from afar, but as we approach we can see that there are bricks missing, backdoors everywhere and windows without glass panes.

We can also see that there is no security solution in place to alert us of crimes that are being committed.

Educating developers to use secure coding practices is essential to the continuous battle against cybercrime.

Increased awareness at the development layer is a key factor in our success in keeping what is ours, confidential, authentic and available.

The building may be stable at the end of construction, but how long do you think it will take a criminal to enter and exploit the assets in this building?

Written by:

Joey Peleg & Haim Greenberg for Appsec

Appsec – Founded and managed by Erez Metula.

Erez Metula is a world-renowned application security expert, spending most of his time finding software vulnerabilities and teaching developers how they should avoid them. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and has previously spoken at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. His latest research on Managed Code Rootkits, presented at major conferences throughout the world, was recently published as a book by Syngress. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and is a CISSP.

He has trained the developers of the following key organizations: Motorola, Visa (England), Goldman Sachs (N.Y.), Israeli Defense Force, ABS (Association of Banks, Singapore), Checkpoint, INSA (Information and Network Security Agency, Ethiopia), Amdocs, Microsoft, Sungard, Ness, Akhela (Italy), Applied Materials, PwC (Belgium), Intel.