Better code won’t save developers in the short run

Cyber Chief Magazine brings you the tactics to uncover and neutralize the insider threat

According to OWASP, “Insecure software is undermining our financial, healthcare, defense, energy and other critical infrastructure.” In its 2017 OWASP Top 10 Most Critical Web Application Security Risks, the authors argue that as software becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The rapid pace of modern software development processes makes the most common risks essential to discover and resolve quickly and accurately.

better code

Incapsula, a web application firewall (WAF) provider, reported that over ninety percent of domains are exposed to web application attacks with the intent to steal information, compromise future visitors or hijack server resources.

Web application security as defined by Incapsula is a security process of protecting layer seven of the of the protocol stack against different security threats that exploit vulnerabilities in an application’s code. The most common target for web application attacks are content management systems like WordPress and Joomla.

Trust is reaching a tipping point

While developers improve their security and integrate it into the development cycle – as opposed to bolting it on afterward – they are facing an increasingly difficult challenge because the security landscape is hitting a watershed moment.

Back in 2013, when the last OWASP Top 10 Most Critical Web Application Security Risks was released, business was just waking up to the importance of security. Remember, 2013 pre-dated the Sony hack, the Office of Personnel Management (OPM) hack, the Experian hack, Yahoo hack, WannaCry, the City of Atlanta hack and on and on.

Today security – or the lack thereof – is not just on the mind of the CEO, but on the consciousness of the average consumer, who is fast losing faith in institutions’ ability to protect their data. The Facebook breach – which is technically not a breach – was the tipping point. Right after the fact that millions of Facebook users’ information was shared without their knowing – the American Civil Liberties Union (ACLU), Color of Change, Fight for the Future and others are demanding business take a security pledge to protect user information. Among other demands the pledge is “calling on companies… to build proven security into every service, site, and technology.”

There is a rising level of public distrust in online services because consumers believe that the businesses cannot protect their information, or worse – as in the case of Facebook – don’t care to protect their information when it doesn’t align with the the mission of the business.

While certainly under greater scrutiny, the bohemeiths like Facebook, Amazon and Google will weather the sour consumer sentiment. These companies are now so deeply embedded in the culture and have even deeper pockets to buy their way out. But the same isn’t true for smaller players whose brands are not as well known. A breach, or even a simple disruption of service may be enough to push its customers to a competitor.

A customer might find it impossible to exit the Amazon ecosystem, but find it easy and comforting to jump from a small site due to a perceived or real security incident. In fact in today’s environment, where a customer is locked into their ISP, phone carrier and smart phone, they may enjoy a small sense of freedom to express their discontent at these behemoth by switching on the small fry.

Adding another layer of protection

While the quest for bullet-proof software continues, developers can immediately place a level of protection at the application layer. Out of the box, a WAF can immediately protect against application layer threats. It inspects traffic long before it gets to the application.

The attacks are persistent and pernicious Below are the top perpetrators according to OWASP.

SQL Injection – Occurs when a perpetrator uses malicious SQL code to manipulate a supporting database into revealing hidden information. When successful, hackers gain access to lists, deletion of tables and unauthorized administrative access. SQL Injection can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. Injection can sometimes lead to complete host takeover. The business impact depends on the needs of the application and data.

Cross-site Scripting (XSS) – After injection vulnerabilities, XSS is the most prevalent issue in the OWASP Top 10 and is found in around two-thirds of all applications. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

XSS is an injection attack targeting users in order to access accounts, activate Trojans or modify page content. Stored XSS occurs when malicious code is injected directly into an application. Reflected XSS takes place when malicious script is reflected off of an application onto a user’s browser. XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.

Cross-site Request Forgery (CSRF) – An attack that could result in an unsolicited transfer of funds, changed passwords or data theft. It’s caused when a malicious web application makes a user’s browser perform an unwanted action in a site to which a user is logged on.

Remote File Inclusion – Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts with the goal of . The perpetrator’s goal is to exploit the referencing function in an application to upload malware (e.g., backdoor shells) from a remote URL located within a different domain. If a hacker can inject a file onto a web application server, they can execute malicious scripts or code within the application. They can also use it for data theft or manipulation.

The consequences of a successful RFI attack include information theft, compromised servers and a site takeover that allows for content modification. A hacker uses this type of attack to remotely inject a file onto a web application server. This can result in the execution of malicious scripts or code within the application, as well as data theft or manipulation.

Web application security will need to undergo a fundamental change in order to build secure applications from the ground up. Until then, the best defense in the short term for layer 7 attacks is a WAF that can prevent attacks from even reaching your applications. Without that defense, any hiccup in service or security event could cause a significant customer loss.