CHAPTER 4: INTRODUCTION TO APPLICATION SECURITY THREATS


All businesses today use software automation to streamline their core functions – selling, procuring, production and customer relationship management.

People performing these functions make use of data to perform their work. For example, employees working in a bank use customers’ account balances to clear issued cheques, to create account statements or to calculate interest paid. The data – the customers’ account balances in this case – is fundamental for this function of the bank. Any loss or inaccuracy of customers’ account balances will jeopardise the bank’s functioning. Similarly, since customers’ account balances are important data, a bank wants only authorised people to have access to it, and that too only for the purpose of completing their designated work, and nothing else.

Similarly all businesses, to varying degrees, rely on the availability, confidentiality and integrity of the data that is vital to their business.

In a non-computerised environment a business stored its data on paper and files, and authorised people were allowed to use and modify it. Confidentiality, integrity and availability of data were achieved by the use of manual checks and controls. Examples of such controls were locking paper files, tallying data after it was modified, and creating copies at multiple locations.

Today most businesses use software, instead of paper files, to store and process this data. Therefore, checks and controls need to be implemented in software to prevent compromise of data. Computer attacks are as old as computers themselves. Attacks directly on applications are increasingly popular among hackers. Here are some examples:

In 2004, attackers targeted a credit card processing company’s applications and gathered transaction records of several millions of its customers, and used customers’ credit card details to carry out fraudulent transactions.

In 2005, vulnerability in a leading business-process software product could allow users to access documents they were not authorised to access.

In 2010, the Stuxnet worm exploited a vulnerability in the Windows operating system to attack industrial systems.

In 2013, Drupal, provider of an open source content management framework, revealed that cyber attackers had stolen the details of a million users by exploiting vulnerabilities in third-party software.

Since 2011, many prominent brands including LinkedIn, Apple and Sony have been breached due to vulnerabilities in their web applications.

There have been numerous such incidents, and the number has been increasing sharply. According to the Symantec 2014 Internet Security Threat Report, there was a 91% increase in targeted attack campaigns and a 62% increase in the number of breaches in 2013. There is considerable evidence that the majority of security incidents are (through embarrassment or fear) never reported, so the actual number of security incidents is likely to be much higher than stories in the media might suggest.

At first it seems that such threats only affect Internet-driven businesses, such as e-commerce and Internet banking. But that is not the case. All types of business and function are affected by attacks on software. For example:

  • By exploiting weakness in enterprise resource planning (ERP) applications, an adversary can obtain sensitive financial information about a company for corporate espionage.
  • In a banking application, money can be siphoned off from customers’ accounts if the software does not deploy appropriate defences.
  • A company’s payroll system can be targeted to obtain salary details of other employees.
  • A user can bypass checks in an e-commerce site to modify the price list or offer fake discounts.
  • Social networking sites have become targets for stealing personal information about people.
  • Technology companies in the US have been subject to cyber espionage and IP theft.
  • Compromise of telecom applications has led to fraudulent billing and theft of customer data.

Awareness is slowly increasing about security holes (what are called ‘vulnerabilities’ and ‘bugs’) in applications, and the attacks that could exploit them. There are regularly updated lists of commonly identified application vulnerabilities and bugs available. The most important databases are:

www.sans.org/top20/#c1

www.owasp.org/index.php/OWASP_Top_10

cve.mitre.org

nvd.nist.gov

Hackers, of course, are also aware of these databases. They will use the integrated development environments, testing tools, databases and notifications to quite deliberately target identified vulnerabilities. Hackers have exactly the same approach to return on investment as anyone else, and see little reason to find more obscure vulnerabilities to exploit while there is still a rich seam of widely-unsecured, known vulnerabilities to exploit. This alone makes it important for any credible information security management system to ensure that it has secured all the most common vulnerabilities identified in these databases.

The application development process has also been evolving to fix or remove holes that could pose a threat to applications and the organisations using them. However, attacks on applications are also evolving with newer attacks or newer forms of existing attacks appearing constantly. Table 2 lists two of the most prevalent attacks on web applications. Over the years awareness about these attacks has increased and so has their use by attackers to target web applications.

Table 2: Examples of web application security attacks

Top three prevalent web application security attacks

Injection attacks

SQL injection attacks allow an adversary to run unauthorised SQL statements against the database through the application, providing complete access to the database. SQL injection was first documented in 1999, and has been top of the OWASP Top 10 list for the last several years.

Command injection attacks allow an adversary to run unauthorised operating system commands at the server, providing complete access to the server.

Attacks on authentication and session management

Attacks on authentication and session management allow an adversary to impersonate a legitimate user, and to perform unauthorised actions on the system.

Cross-site scripting (XSS)

Cross-site scripting allows an adversary to run malicious code in another user’s browser, allowing them to read and modify any information on the user’s system. This could also be used to deface websites and conduct phishing attacks.
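To make the injection row of Table 2 concrete, here is an added example (not from the book) that puts a query built by string concatenation beside the parameterised form, using a constructed in-memory SQLite table of account balances. The same hostile input returns every account through the concatenated query and nothing through the parameterised one, which is why the control belongs in the application code rather than in the network.

```python
import sqlite3


def make_db():
    # Constructed sample data; the names and balances are not from the book.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 1200), ("bob", 350), ("carol", 9800)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The statement is assembled from user input, so whatever the user
    # types becomes part of the SQL the database executes.
    sql = ("SELECT username, balance FROM accounts "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    # The statement text is fixed; the driver passes the value separately,
    # so the database treats the input purely as data, never as SQL.
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: the quote closes the string literal and the
    # OR clause makes the WHERE condition true for every row.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # leaks all rows
        "safe_benign": lookup_parameterised(conn, benign),
        "safe_hostile": lookup_parameterised(conn, hostile),  # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```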

There has been an increase in the number of attacks and in the number of people who can carry out these attacks, as shown by the hacking incidents database at www.webappsec.org/projects/whid. Many organisations, however, have not implemented effective or appropriate security controls in their applications – not even to cover yesteryears’ attacks. This can be attributed to various factors – lack of awareness of security threats, shortage of skills to develop secure applications, over-reliance on network security controls (even though they are not designed to defend against application security attacks), or the absence of past security incidents, giving rise to a false sense of security.

The reasons could be many, but with increasing threats and attacks on applications, and applications playing a more critical role in the business, organisations need to focus on application security in order to comply with ISO/IEC 27001 and to meet their obligations to protect their customers, their interests and their assets.

The next chapter elaborates on the state of security expected from an organisation certified (or seeking certification) to ISO27001, and describes how application insecurities can compromise that objective. You will also see the application security controls of the standard, and what the application security best practices expected for certification are.

The subsequent chapters will help you understand various forms of attack on applications, and how you can build applications that are more resilient to ever-evolving security threats and attacks. When implemented, the methodologies and guidelines presented in these chapters will help your organisation build more secure applications.
