Death by a thousand apps

Application vulnerabilities are the latest attack vector – why you should pay attention, and what you can do about them.

"He who stops being better stops being good", anti-monarchist revolutionary Oliver Cromwell once said in the 1640s. Information security is a similar case – an ongoing game of one-upmanship between hackers and security researchers. As businesses improve their system and network security, and Small to Medium Enterprises (SMEs) widely deploy firewalls and anti-virus and anti-malware technology, cyber-criminals are turning to another weak link in the chain – custom-built applications.

Without these web apps, the brave new world of web 2.0 would be dull indeed, but their widespread deployment is beginning to cause companies a serious headache. It is hard to judge how widespread the problem is, but the influential SANS Institute recently calculated that the issue ranked as the top developing threat next to gullible users being seduced with socially-targeted attacks.

"Everyone is exposed to this threat, with smaller companies being the most at risk. The biggest issue now is the increasing use of automated tools to attack these applications – this is right in the sights of the attack community," said Alan Paller, Director of Research at the SANS Institute.

This development marks a noticeable departure from the previous status quo, where the most commonly used applications were attacked, such as software packages from Microsoft, or those designed for open-source Apache. Now the attack community is aiming at very specialised, internally created applications, many of which hook into critical elements of an online brand, such as employee and customer databases. The value of the data contained within is huge, as it can be used to target spear-phishing attacks, which are likely to have a far higher success rate if based on correct data. "Databases are typically where businesses' crown jewels are kept", said George Fyffe, MD, Application Security, EMEA, "and the more functionality these databases have built in, the more likely vulnerabilities they have."

The central problem, according to Paller, is that while thousands of custom applications have been built over the last few years, many of them were never designed with security in mind. "Often the developers that built these apps simply had no clue about designing code that was inherently secure. Two years ago this wasn't a problem, because there wasn't anyone attacking them, but now people are, and action needs to be taken."

Yaacov Sherban, CEO of Applicure, thinks that custom-built applications themselves are liable to compromise: "All applications are insecure at some level. Some are very good and built well, but hackers can certainly get through about 99.9 per cent. It's like water – it will find the weakest point to flow through. We're seeing around a 50 per cent growth rate in vulnerabilities every year, and many companies are not keeping up to date with patches and versions, even where available."

Of course, the change in focus has caused a change in responsibility. Where companies previously waited for a larger software vendor to issue patches, responsibility now lies with the creators of the custom application, many of which are built in-house.

Sherban added: "This problem will continue to grow, as people are not taking action, and the solutions that exist are not always easy to implement. Larger companies are often better protected than smaller ones, as they have larger budgets to deal with security issues. The good news is that there is a fairly slow growth in attack verticals, and new techniques are not common, so keeping up with the attack community isn't as difficult as in the anti-malware space, for example."

So what can businesses do to combat this threat? Alan Paller recommends four potential solutions:

  • A web application firewall that checks the validity of requests made via the application.
  • A blackbox scanner that tests applications by flooding them with requests.
  • A whitebox scanner that scans the source code for errors and conflicts – an intensive and resource-hungry process that can result in a lot of false positives.
  • Lastly, a company can employ expert application penetration testers, who will use hacker-type exploits to trial your applications.

He continued: "One of the biggest companies in the US tested around 640 apps using these four tools. Although the first three found a lot of problems, and 40 critical vulnerabilities, the application pen testers found three times more than this. The trouble is that all these moves are reactive, and this type of defence won't slow the problem."
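As an added illustration of the whitebox-scanner point above (this is example code written for this page, not a tool from SANS, Paller or any vendor named here), a toy source scanner in Python that flags database calls whose query text is built from run-time data, and shows where the false positives Paller warns about come from: a crude rule that flags anything other than a single string literal also flags a harmless concatenation of two constants, while a rule that inspects the expression tree does not. The sample source lines and the sink names `execute`, `executemany` and `executescript` are constructed for the example.

```python
import ast

# Constructed sample source lines standing in for code from a custom in-house app.
SAMPLES = {
    "concat":       'cur.execute("SELECT * FROM users WHERE id = " + user_id)',
    "fstring":      'cur.execute(f"SELECT * FROM users WHERE id = {user_id}")',
    "param":        'cur.execute("SELECT * FROM users WHERE name = ?", (name,))',
    "const_concat": 'cur.execute("SELECT * FROM users " + "WHERE active = 1")',
}

# Method names treated as SQL sinks (assumed DB-API style cursor methods).
SQL_SINKS = {"execute", "executemany", "executescript"}


def _has_runtime_data(node):
    """True if the expression can carry run-time values rather than only literals."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _has_runtime_data(node.left) or _has_runtime_data(node.right)
    if isinstance(node, ast.JoinedStr):  # f-string: dynamic only if it interpolates a value
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    return True  # names, calls, .format(), % formatting: treat as potentially tainted


def find_dynamic_sql(source, precise=True):
    """Return line numbers of SQL sink calls whose query text is not purely literal.

    precise=False uses the crude rule 'anything but one string literal', which is
    the kind of rule that produces the false positives the article mentions."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in SQL_SINKS:
            continue
        query = node.args[0]
        flagged = _has_runtime_data(query) if precise else not isinstance(query, ast.Constant)
        if flagged:
            hits.append(node.lineno)
    return hits


def scan_samples(precise=True):
    """Map each constructed sample to whether the scanner flags it."""
    return {label: bool(find_dynamic_sql(src, precise)) for label, src in SAMPLES.items()}


if __name__ == "__main__":
    print("crude  :", scan_samples(precise=False))  # const_concat is a false positive here
    print("precise:", scan_samples(precise=True))
```

The parameterised `param` sample passes under both rules, which is the coding habit the secure-development standards mentioned later in the article are meant to instil.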

Paller believes the long-term solution to the issue is to educate application developers about secure coding principles. "Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications. A few years ago, developers never thought about malicious users. Tired users, yes, but the idea that people might actually be using your application merely to bypass it and access the database just never occurred – nobody is without blame for this situation."

There are moves afoot however – the Secure Programming Council released in November 2007 the first standard of due care for Java/JavaEE programmers, and there are more standards in the pipeline for 2008. The council is made up of more than 40 global user firms, and claims that the standards outline in detail the security knowledge and skills that web programmers should be able to demonstrate.

The UK market for application security is due to accelerate in 2008, according to Fyffe. "We've certainly seen more interest at the end of last calendar year, and expect that to continue, mainly due to the rise in publicity over data breaches. The UK government's recent data catastrophe has brought the issue into the public domain, and now would be a very bad time for a government department or business to admit to data loss through a lack of application security."

Additionally, both the PCI DSS standard and SOX call for all businesses to secure their web applications. Both regulations are relatively recent entrants to the UK, and PCI compliance for one has been effectively delayed till mid-2008 due to compliance issues. However, the fight-back has begun, and businesses have the opportunity to get better, and hopefully 'good' again – at least for the moment.
