This post is from the Arxan blog and has not been updated since the original publish date.
Mind the Gap: Applications Are Your Biggest Weakness
Something Has To Change
There has been a lot of talk this year about the need to better protect applications, particularly mobile and web apps. Despite countless security service providers and decades of options, the problems stemming from application vulnerabilities and the general lack of code security are getting worse. The number of exploitable coding flaws and security vulnerabilities per application remains very high, and both the potential and the realized impact on organizations and consumers is not to be ignored.
In 1994, as the web was in its infancy — and mobile phones were just mobile phones — this was understandable. But here in 2019, it is hard to accept that we are still having basic instructional conversations about application security concepts — concepts that should long ago have become standardized. Still, the continuing evolution toward security-by-design as an institutionalized process is a necessary journey, because when applications are vulnerable, it is not just your applications that are exposed; it is your business processes, your critical IP, your coveted customers, and your lifeblood data.
The difference today is that applications, especially mobile and web applications, have become a new endpoint in a decentralized yet interconnected world. The application is the most popular assault target for infiltrating enterprises, inflicting damage, and stealing data. 84% of all hacker incidents happen at the application layer – 38% using web applications as the attack vector [1] – long before traditional network defenses have the opportunity to kick in. While hardware vendors and network security providers have worked hard to improve and promote the strength of network defenses, the threat direction has evolved; the hacker wind has shifted. The current state finds adversaries with malicious motives continuously bypassing the security defenses thrust against them.
This is bad news for corporate officers and IT professionals, as penalties and remediation efforts now extend beyond the organization, with increasing calls to hold security and company executives personally responsible. These developments are a response to the many, MANY breaches that have recently occurred, as well as notable breaches in recent years in which hundreds of millions of people have had personal and financial information compromised – often multiple times, as a result of different breaches. The latest annual research study from the Ponemon Institute and IBM pegs the cost of a single lost data record at $148. With the average cost of a data breach incident gauged at $3.86M, ignoring real threats is a bad situation.
It’s more than damage, though; it’s now about accountability. Corporations are finally being held responsible for failures to protect customer data. Equifax will pay up to $700 Million as a result of its Sept 2017 data breach. British Airways is facing a $230 Million fine under the European General Data Protection Regulation (“GDPR”) for its 2018 breach, which compromised credit card information, names, addresses, travel booking details, and logins for around 500,000 customers. And Marriott faces a $123 Million fine under GDPR for its 2018 “mega-breach”, which impacted an estimated 500 million customers and exposed payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.
All of this, plus the worldwide migration to cloud and mobile technologies, has driven the need to better integrate security into the application coding process—a shift-left approach to reduce vulnerabilities and exposure. At the 2019 Microsoft Inspire conference in Las Vegas, Microsoft CEO Satya Nadella shared his company’s projection that in the next five years, 500 million new applications will be deployed around the globe [2]. That is a lot of attack surface, a target-rich environment, to be certain.
To help deter bad actors, the call for security-aware design frameworks, methodologies, and organizational sciences has been underway and is gaining momentum. Earlier this year, the Institute for Critical Infrastructure Technology (ICIT) published an extensive paper to this effect. Entitled “Software Security is National Security”, it is a compelling collection of details and arguments that lays out important technical and cultural guidance for institutionalizing application security.
Still, though this evolution is moving along, fueled by technology and capabilities that do exist, cultural issues and harsh realities continue to create serious impediments. New practices meant to overcome these problems, such as DevSecOps, have gained relevance and some traction these last few years. Unfortunately, the pace of exploitation by bad actors of all types has outrun this slow cultural shift, which, together with short-sighted business objectives, has allowed cybercriminals to maintain the advantage.
The Gap To Be Mitigated
Part of the problem, of course, is that change is never fast or easy, and no number of whitepapers, webinars, and frameworks can alter this fact; they can only nudge its pace. Meanwhile, during such transitions, excess vulnerabilities and non-existent app security remain in play, and businesses remain at risk. The result is a gap that is not going away anytime soon, leaving companies, consumers, and constituents at great risk.
The ICIT report cites NIST Fellow Dr. Ron Ross and his empirical assertion that applications have 4.9 flaws per 1,000 lines of code, which means that for every 50 million lines of code, an application has between 2,400 and 12,200 flaws that could evolve into security vulnerabilities. It is worth remembering that applications do not live only on an organization’s own computers and with its own users. With the adoption of cloud technology and Internet of Things (IoT) devices, and the massive number of applications being used and built to take advantage of them, application vulnerabilities and poor security practices can infect and affect any part of an organization. An average new car today has 150 million lines of code – and potentially over 36,600 coding flaws that could result in exploitable vulnerabilities – feeding real-time and archived information into strategic analytical engines with customer-facing results. A holistic look at application security is mandated.
As we said earlier, evolution takes time, and a utopian state of universal DevSecOps is a long way off, if it ever arrives. This means that a security gap due to application vulnerability exists; its size is relative to the maturity of an organization but is also greatly influenced by that organization’s ongoing evolution. The extent of the security gap depends on, and interacts with, the strategic and tactical approaches taken to all three: evolution, change, and defenses.
Organizational changes are constant, and acquisitions and mergers create hazardous unknowns. Third-party applications, especially those operating in distributed international locations and those that support specific, disparate business processes as part of a functional digital chain, are under the security auspices of multiple organizations, each of which in nearly all cases is focused on the proper operation and security of its own piece. The lack of coordinated protection leads to an aggregated security circumstance with unknown vulnerabilities and inconsistent protection – the ‘weakest link’.
So, the problem is real, the vulnerability serious, the impact large, and the security gap is omnipresent. How do we protect our businesses when the deck is stacked against us? Is that even possible at this point? Well, now for the good news. Yes, it is, and yes, you can.
Start At The Endpoint
The first move in mitigating the security gap is to accept the proposition that the application is an endpoint. We normally think of endpoints as hard devices that we can touch, such as desktop computers, laptops, tablets, and smartphones. Web applications, however, are amorphous things that just exist and can access an organization’s infrastructure through any number of APIs. Mobile apps present their own unique security risks as a result of high demand for app functionality, time-to-market pressure and minimal IT security governance. Compounding this problem, mobile apps are delivered to users and bad actors alike, usually without any protection against reverse engineering, which can easily result in exposure of PII as well as API endpoints and credentials.
These new endpoints all require a heightened level of protection that starts with protecting the code.
Keeping your mobile and web apps from being weaponized against you begins with obfuscation, which makes it much more difficult for attackers to decipher and analyze application code. The harder the code is to decipher, the harder it is to reverse engineer, which helps frustrate and undermine attacker attempts to exploit vulnerabilities in the code.
However, a second layer of protection is necessary to truly defend against attempts to co-opt apps. In an era in which damage can be done in moments, not minutes, it is essential to have active protection that can thwart application assaults. When code analysis, tampering, or other nefarious activities are executed, there must be an inherent security action that can shut down the attack and quickly repair the attacked code. This additional layer of protection for web and mobile applications, combined with obfuscation, makes your organization a hard target while also giving users, shareholders, and customers the confidence to conduct business without undue concern.
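The detect-and-repair layer described above, as an added example that is not Arxan's code: a runtime integrity check for a web-app function in JavaScript. The FNV-1a hash of the function source, the trusted reference copy and the alert record are all assumptions of this illustration, not a description of any product.

```javascript
// Added example (not Arxan's product code): a minimal runtime integrity
// check for a web app. A critical function's source is hashed when the
// module loads; before each use the hash is recomputed and, on mismatch,
// the tampered function is replaced from a trusted copy and an alert raised.

// FNV-1a 32-bit hash over a string; cheap enough to run on every call.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// A business-critical decision whose logic must not be altered at run time.
function authorizeTransfer(balance, amount) {
  return amount > 0 && amount <= balance;
}

// Trusted copy and expected hash recorded at load (stands in for a build
// step; a real product keeps these out of the attacker's reach, e.g. in an
// obfuscated or server-attested blob). `alerts` collects detections.
const guarded = {
  authorizeTransfer,
  reference: authorizeTransfer,
  expectedHash: fnv1a32(authorizeTransfer.toString()),
  alerts: [],
};

// Detect, report and repair: returns true if tampering was found.
function checkAndRepair(mod) {
  const tampered = fnv1a32(mod.authorizeTransfer.toString()) !== mod.expectedHash;
  if (tampered) {
    mod.alerts.push({ at: Date.now(), fn: 'authorizeTransfer', action: 'repaired' });
    mod.authorizeTransfer = mod.reference; // restore the trusted code
  }
  return tampered;
}

// Callers always go through the guard, so a swapped-in function never decides.
function guardedAuthorize(mod, balance, amount) {
  checkAndRepair(mod);
  return mod.authorizeTransfer(balance, amount);
}
```

The alert record is what a real-time analytics layer would consume; here it simply accumulates in memory.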
Additionally, the use of white-box cryptography provides another layer of app security. White-box cryptography ensures that the keys used to encrypt data exchanged with back-office systems remain secure and cannot be found in, or extracted from, the app and used elsewhere.
Commit To Real-Time Awareness
Knowing at the moment of attack is another essential element of a security strategy to protect web and mobile applications. Vigilant observation and detection, combined with quick mitigation, create a new position from which threats can be recognized and dealt with swiftly, before they can wreak havoc. It’s not enough to have monitoring and detection that can generally raise a concern that something might be happening. The effective velocity of threat analytics must spot code tampering attempts fast enough to buy you precious time to get in front of attackers and employ defensive actions to stop an attack before it can cause extensive damage.
Console overflow and data overload are two of the most cited problems in cybersecurity today. Making sense of data and alerts to get to what’s really happening on the network is tough enough; add the cloud – especially multi-cloud environments – and the sprawl of web applications interacting with third-party services and processes, and it can be all but impossible to identify assaults in real time. This is where the bar must be raised on what exactly “threat analytics” means, and that standard must be aligned and set in the correct proximity to your business processes.
Effective automation and analytics can only be useful if web and mobile application security and mitigation are placed appropriately relative to the processes and information to be protected. This means much more than simple detection. The requirement is both the means and the measures to shut down the route to data and to insulate your business from the security failings of digital process chain players whom you don’t control. Real-time knowledge, real-time action.
Take The Wait Out
Arxan has been architected and built for the threats that surround all organizations today. These threats are aided by the latency caused by lagging secure coding practices, slow adoption of new standards, and an intermingled worldwide digital process chain based on disparate technologies and inconsistent security and business goals.
Application scanning is only a part of application security, and a flood of alert messages will only get you so far in protecting against never-ending attacks. To protect the things you control, and to minimize the impact of things you don’t, it is essential to have inherent resilience against attempted attacks. Having immediate knowledge of those attacks when they happen, and enabling immediate defensive measures against them, can help protect your organization in all circumstances, no matter how wide the gap.
The point is that there is no need to wait until your organization adopts new security standards or scales its DevSecOps processes. Whatever the pace, however complex the journey, business processes and data must be protected now. Mobile and web app attack vectors provide an easy target for those seeking to profit from cybercrime, and that will not change anytime soon. The need to act is now – raise the bar, protect the code, and align application security with the business. Mind that gap.
[1] Forrester, The State of Application Security, 2018
[2] 2019 Microsoft Inspire Corenote address, Satya Nadella, July 17, 2019