This post is from the Arxan blog and has not been updated since the original publish date.
The App Is The Endpoint
Traditional Endpoint Security is dead, that is to say that hardening the laptop, desktop, or device is not a panacea. In reality today, everything is connected to the web in some form — whether it is your computer, phone or tablet — or your server, HVAC, POS system, front door, etc. Securing “endpoints” in the traditional sense is impossible. Many of the new connected devices on the market are not designed with operating systems or firmware capable of being patched on an ongoing basis, nor do organizations have the manpower to be constantly maintaining and updating... Every. Single. Endpoint. Plus, there are too many connection points and dependencies between device - application - API - network - server - 3rd party - etc - that could be compromised and turned into vulnerabilities.
From 2017-2018 there were over 53,000 reported cybersecurity incidents and 2,200 confirmed data breaches — 21% in which a web application was the vector of attack. What are they targeting? Payment card data, PII and intellectual property are all up for grabs — and attackers are motivated by any means necessary to steal what is most important to your organization.
The device is the problem. The app is the solution.
Today, apps provide the broadest attack surface area because they are literally everywhere. The saying “there’s an app for that” has manifested in every component of modern day living — from the app that controls the systems in your car — to the app that is embedded in your pacemaker to deliver real-time medical data to your doctor — to the POS app in the coffee shop where you swipe your debit card. The world runs on apps, not on what have been traditionally considered endpoints. Think of it this way, you have may have one mobile phone, but how many apps are installed on that device? Each one is a potential attack vector for both your personal and business data.
It is time to re-think how to secure endpoints. If the device your application is running on is not properly secured, you are at risk. Even if your device is properly secured, your application might still be at risk to be tampered with or reverse engineered. So where do you start?
In today’s zero-trust world, you should start with the assumption that the device is already compromised, and then think about how to protect your critical data and your intellectual property.
Treat the app as the endpoint.
Applications contain a significant amount of information that could provide signposts for attackers to compromise your critical infrastructure, bypass security controls, or hand-deliver important data that lives inside the application on the device. It is critical to protect your application from being compromised or freely giving attackers your cryptographic keys, API endpoint references, payload formats, credentials, account information and more.
Close the loop.
Empower the application to assess its surroundings and identify risky behavior via app-centric telemetry. Once an app is released into the wild, it is impossible to know how it is being attacked or what information attackers are targeting without app threat analytics. Real-time app analytics can give you the confidence to protect your organization’s data and infrastructure by providing visibility into:
- the environment where your app lives
- the security posture of the app
- how and where the app is being attacked
- what to do to update protections so the app (and its underlying data and structure) is not compromised
Beyond that, app threat analytics helps you to understand which devices, applications or users may be compromised so that you can better protect your other critical resources.
Don’t put your head in the sand.
Bad actors are constantly looking for new vulnerabilities to exploit within an organization’s infrastructure. It is a foregone conclusion that they WILL find a way in — they WILL find your weakest link. The question is: how quickly will you detect and remediate the threat?
As the demand for instant gratification for customers drives app developers to put more and more dynamic content and business critical data into the client side of apps to improve responsiveness and performance — the app as an attack vector will become a treasure trove for bad actors.
In the latest Market Guide for Application Shielding, Gartner advises: “security and risk management leaders must harden their application front ends to avoid turning them into an attack vector.” The risk for lost customer data, IP theft, brand damage or lost revenue is too great to ignore.
Learn how Arxan can help.