Never underestimate the threat of cybersecurity attacks

Why investing in security is essential
Enterprises are often reluctant to invest in securing their computing systems because security is mistakenly considered to be an expensive investment with no associated revenue. If a company invests in enriching its catalog or improving the user experience, the revenue is immediate and tangible. On the other hand, investing in security is expensive and does not generate any new business. In order to improve security, it is necessary to hire security experts, purchase new hardware and software to enforce security at every system level, and most likely change the design and implementation of existing web and mobile applications, and yet none of such changes is going to increase a company’s revenue.

Security is the most important investment that a company can
ever make

Nevertheless, security is the most important investment that a company can ever make. While it may be true that an investment in security is unlikely to generate new business, it cannot be denied that investing in security will prevent a company from experiencing seri-ous financial losses and seeing its reputation compromised, perhaps irremediably. The damage can be so significant that even established companies have gone out of business after a cybersecurity attack.

Security as a holistic approach
It is often said that security, just like the proverbial chain, is only as strong as its weakest link. Therefore, when it comes to protecting a computing system, companies must take a holistic approach and secure every single component of the system: hardware, software and network.

Hardening the software component is particularly tricky because security vulnerabilities can be nested deeply into software application code, which makes it difficult to discover and eliminate them. This is the main reason why hackers are constantly searching for new ways to attack a system by exploiting vulnerabilities in its applications. As a consequence, a system deemed to be secure today may be found to be exposed to a new type of attack tomorrow.

The Open Web Application Security Project (OWASP) is a community dedicated to enabling organisations to securely design, develop, and maintain applications. Once a year, OWASP reports the most common security vulnerabilities in web and mobile applications. Such vulnerabilities can be classified into three major categories: information flow, access control and configuration.

Information-flow vulnerabilities
Information-flow vulnerabilities are those that lead to integrity and confidentiality violations. An integrity violation occurs every time a piece of untrusted data is used as input to a security-sensitive computation without having been properly validated. For example, if data entered by an end user in a text field of a web page is used to form a database query without proper validation, there is the potential for an injection attack. The programmer must make sure that the text entered by the user does not contain pieces of Structured Query Language (SQL) code, which may lead to the creation of unintended SQL commands. Such commands can compromise the integrity of an entire database and/or expose confidential data.

If the text entered by the user is intended to become part of an HTML page, the risk is for attackers to embed JavaScript code into the input text. That JavaScript code, in spite of be-ing text, will not be rendered by the browser as normal text, but passed to the JavaScript runtime and executed. This attack, known as Cross-site Scripting (XSS), can give an attacker the power to execute arbitrary JavaScript code on the victim’s computer, with the potential of causing extensive damage, such as impersonating the victim in social-network systems, making purchases online on behalf of the victim, and accessing and modifying the victim’s bank-account data.

If input data is used to form a URL without having been properly validated, the application can point to unintended contents, with the potential of stealing end users’ private infor-mation and compromising the reputation and reliability of a company. These types of at-tacks are known as unvalidated redirects and forwards. Typically, a user is redirected to a malicious web page that, on the surface, looks exactly like the page the user expects to see. Under the covers, however, the code of this page steals the private information entered by the user and shares it with unauthorised servers on the internet.

A confidentiality violation occurs every time private data is exposed to unauthorised observers. This can happen when an application does not properly protect the data of the user, or when an application stores user data in a file system or cloud-based location also accessible by other applications.

Access-control vulnerabilities
Access control deals with restricting access to computer resources based on the identity of the user requesting access. The two main components of an access-control system are authentication and authorisation.

A form of access-control vulnerability, known as broken authentication and session management, occurs when an application cashes user authentication information in session tokens that are not properly protected, thereby allowing attackers to hijack active sessions and assume the identity of authenticated users.

An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object—such as a file, directory, or database key—without an access-control check. Attackers can manipulate such references and access unauthorised data.

Configuration vulnerabilities
Good security requires having all the applications, libraries, frameworks, application servers, Web servers, databases, firewalls and operating systems properly configured. Default configurations are often unsecure. Secure settings should be defined, implemented, and maintained. Additionally, software should be kept up to date. When these requirements are not properly implemented, a security-misconfiguration vulnerability may occur, with the potential of causing integrity and/or confidentiality attacks.

Software modules—such as libraries and frameworks—almost always run with full privileges. Using components with known vulnerabilities can facilitate data loss or server takeover. A recent example of this is the remote-code execution with Expression Language injection vulnerability that was discovered in January 2013 in the Spring Framework for Java. A fixed version of the framework was published shortly after the vulnerability was discovered. However, it is estimated that 29.8 million downloads still contain the known vulnerability.

Broken-cryptography attacks take place when an application uses non-standard, non-tested cryptographic algorithms, or applies cryptography incorrectly. In June 2014, a broken-cryptography vulnerability in the Android Platform V4.3 allowed attackers to obtain from end users’ Android devices all sort of sensitive credentials, including cryptographic keys for banking services and virtual private networks, and PINs or patterns used to unlock the devices.

Program analysis
To prevent their applications from being attacked, enterprises must make security part of all the phases of the software lifecycle, and proper code review must be in place. Obviously, manual code review is tedious, time consuming and error prone, not to say infeasible, especially for large applications. A valid, alternative solution is to automate the code-review process by combining static and dynamic program analysis.

Manual code review is tedious, time consuming and error prone, not to say infeasible

With dynamic analysis, an application must be installed in a testing environment and executed multiple times with different input parameters, looking for vulnerabilities to be exposed. The advantage of this approach is that any detected vulnerability is a true positive. The disadvantage is that this approach can have false negatives, due to the fact that it is often impossible to explore all the possible paths of execution with all the possible inputs, causing some of the vulnerabilities to remain undiscovered, perhaps until the application is in production.

When static analysis is used, there is no need for the application to be installed. The static analyser parses the application code and builds a mathematical model that over-approximates the application execution. The analyser detects the vulnerabilities based on that model. The advantage of this solution is that it is fully automated and has potentially no false negatives. On the other hand, static analysis is conservative by construction; false positives are possible, and so each result must be manually reviewed in order to filter out the false positives and correct only the actual vulnerabilities.

A combination of static and dynamic analysis mitigates the disadvantages that arise when static and dynamic analysis are executed individually.

Enterprises must take a holistic approach when it comes to security. Since most cybersecurity attacks take place at the application level, which is unique to each individual company, it is critical for organisations to secure software application code. A combination of static and dynamic program analysis is the recommended solution to detect and correct application-level cybersecurity attacks.