How Secure are Web and Mobile Applications Today?

HP’s latest Cyber Risk Report found that well-known attacks are still commonplace, and that vulnerabilities giving access to unnecessary files and directories are the dominant issue.

Misused security features trouble both Web and mobile apps

86% of web applications had issues involving authentication, access control, and confidentiality

A significant increase from the previous year’s rate of 72%

97% of mobile applications affected by these issues

Programmers still make fundamental security mistakes when coding

52% of web applications suffered from input validation issues, including Cross-Site Scripting, SQL Injection and other vulnerabilities

48% of mobile applications contained input validation vulnerabilities

Vulnerabilities also exist outside the application code

82% of web applications had vulnerabilities related to server misconfiguration, improper file settings, outdated software versions, and other issues related to insecure deployment

70% of mobile applications were impacted by these issues

Even perfectly coded software can be dangerously vulnerable when misconfigured.

Information courtesy of HP Cybersecurity Risk Report 2015

How Secure Do You Think Your Enterprise Apps Are?

How confident is your organization about its application security? Take our health check to find out.

1. What’s your role in your organization?

2. What is the size of your organization?

3.

4. Where is your organization based?

Now let’s find out if your apps are secure. (Choose one answer.)

1. Does your IT department report on key security indicators on a daily, weekly or monthly basis?

2. Is a security check carried out and formally accepted prior to deploying any applications?

3. Do you test the security of your web and mobile applications?

4. Are your application developers trained in application security?

5. What is your password policy for critical applications? (What are your password complexity requirements for critical applications?)

6. Does your IT department formally approve the installation of any applications on workstations or professional mobile devices?

7. Do all mobile apps encrypt business information with tools accredited by your IT department?

8. Do you have a process for testing the security of applications during development and prior to release?

Master of Cyberdefense

Excellent! Your organization has all the right basics already in place. You may find a few more recommendations from HP to secure your apps.

Watch out! A hacker’s about.

Well done. Your organization has put in place some of the key basics to protect your web and mobile applications, but there’s still more you can do to keep out cybercriminals. Vulnerabilities often originate at the design stage of applications. Read these examples and get tips on how to avoid them.

You’ve been hacked!

Only joking, but on a serious note: your organization needs to put more of the principal elements in place quickly to better protect your enterprise data through better web and mobile applications. First, read Yves Le Floch’s article to fully understand the impact of securing your applications.

Evolving security from ‘something we have’, to ‘something we do’

In the past, IT departments took a default approach to cybersecurity that resembled a medieval Prince constructing his castle. Build the walls as high as possible to defend against arrows and as thick as possible to resist the battering rams. Dig the deepest, widest moat to keep any invading army at bay, then build a keep – the highest point, the center of defence – and lock all of the treasure inside.

Replace the physical weapons – ‘arrows’, ‘battering rams’, ‘armies’ – with cyber weapons – viruses, phishing or spoofing attacks, intrusions – and it’s the perfect analogy for how data was traditionally protected. The problem with the ‘castle’ approach, though, was its inability to protect organizations from the mounting number of complex, calculated and malicious cybersecurity threats they faced. You simply couldn’t build walls that were high enough or moats that were wide enough. Furthermore, the castle had to be connected to more and more friendly fields (mobile and web applications, partners’ and providers’ systems...), so there were plenty of weak gates in the walls.

Today, the number of different ways a hacker can access company data – through a vulnerability in just one of the hundreds of applications an IT team supports, or one of the thousands of different endpoints that an organization relies on to ‘do business’ – is overwhelming. At the same time, the skill, guile, resources and determination of cybercriminals are increasing all the time. If Fortune Global 500 companies and government agencies are struggling to defend themselves in this environment, what can the rest of us do?

The approach that smart CIOs and IT departments have come up with, is changing their attitude towards cybersecurity, and shifting their strategy accordingly. They have stopped dealing in absolutes – ‘my IT security solution is impregnable’ – and started accepting shades of grey. They have stopped treating security as ‘something we have’, and started thinking about it as ‘something we do’. Security can’t be a state, it must be a constant process of testing, monitoring, evolving and adapting.

Application security – incorporating web apps and mobile apps – is the perfect place for every business to start. 80 per cent of cyber attacks on organizations take place through vulnerabilities in the applications the business uses day-in, day-out for everything from communication and collaboration to CRM and accounting.

For cybercriminals, the logic is impeccable. New attack methods emerge every week, and all too often developers lack the skills to ‘bake’ security into their apps at the development stage, increasing the likelihood of loopholes that cybercriminals can exploit. Therefore these types of applications require regular software updates to fix bugs, and in the middle of a hectic IT department, it’s a safe bet that some of the versions will be out of date, or vulnerabilities left unpatched, leaving the door open for data breaches.

Top CIOs are fighting back by embracing what we refer to as the ‘industrialization of application security control’ – in simple terms, working with partners to robustly test and continually monitor the security of an application that an organization uses, and applying that rigour at scale to every single application in the business. The earlier this takes place in the adoption and development of an application, especially a critical one, the more effective it is.

I’ll leave you with one final analogy. If you’ve ever seen the film Ocean’s Eleven, you’ll know not even the vault of the famous Bellagio casino – with its state of the art security system and failsafe mechanisms – is 100 per cent secure. No corporate IT network is, either. It’s only through vigilantly monitoring threats every minute of every day and continually evolving systems, applications and processes that businesses can protect their most critical assets.

Yves Le Floch, Vice President, Cybersecurity, Sogeti

Five Apps Breaches You Never Knew Happened

Here are five surprising application design flaws that real organizations didn’t know they had! Luckily, these were fixed before hackers found them. To design better-protected applications, read the essential tip in each scenario.

1. Online phone retailers give away free iPhones

A telco provider had first stock of the latest iPhones. Customers could pre-order their iPhone and get it for free if they purchased the most expensive phone subscription plan.

Selecting the subscription plan and the latest iPhone, customers would see the two separate items in their online shopping basket: the payment plan and the free iPhone.

What’s the hack? Savvy customers would remove the payment plan from the basket and get the iPhone for free!

Solution

Tip: Enforce your business rules in all steps of the process.

2. Cheap meals delivered to your door hack

An online food delivery website connected local food businesses and hungry people. They paid businesses in one bulk sum of all orders every month, which saved time and helped businesses generate more revenue.

Customers would pay for their meals in the shopping basket. What the site did not see was that the payment amount was visible in the source code and easily editable.

The result? Hungry students bought hundreds of pizzas for as little as 1 cent without being noticed.

Solution

Tip: Never trust user input and always do calculations on the backend, where the prices are known and can’t be altered by the customer.
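The two tips above (enforce business rules at every step; price on the backend) come down to the same control: the server recomputes the basket from its own catalogue every time, and the client’s figures are at most compared against that result. The following is an added illustration, not code from the page or from Sogeti/HP; the catalogue, the “free phone with premium plan” bundle rule and the item format are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only place prices are defined.
CATALOGUE = {
    "iphone": Decimal("999.00"),
    "premium-plan": Decimal("89.00"),
    "pizza": Decimal("12.50"),
}

# Constructed bundle rule for scenario 1: the phone is free only while the
# premium plan is present in the same basket at the moment of pricing.
FREE_WITH = {"iphone": "premium-plan"}


def price_basket_insecure(items):
    """The flawed pattern from scenario 2: the total is built from a `price`
    field the client supplied (for example a hidden form field), so the
    customer can edit it before submitting."""
    return sum(Decimal(str(item["price"])) * int(item["qty"]) for item in items)


def price_basket(items):
    """Hardened: recompute the total from the catalogue and the basket as it
    is *now*. Removing the plan (scenario 1) or editing a price (scenario 2)
    has no effect. Raises ValueError on anything the catalogue does not know."""
    skus = {item["sku"] for item in items}
    total = Decimal("0.00")
    for item in items:
        sku = item["sku"]
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        qty = int(item["qty"])
        if qty < 1:
            raise ValueError("quantity must be a positive integer")
        unit = CATALOGUE[sku]
        required = FREE_WITH.get(sku)
        if required is not None and required in skus:
            unit = Decimal("0.00")  # promotion condition is met right now
        total += unit * qty
    return total


def verify_client_total(items, client_total):
    """Checkout step: a total reported by the client is only ever compared
    with the server's own figure, never used as-is."""
    try:
        claimed = Decimal(str(client_total))
    except InvalidOperation:
        return False
    return claimed == price_basket(items)


if __name__ == "__main__":
    basket = [{"sku": "pizza", "price": "0.01", "qty": 100}]
    print("client-priced:", price_basket_insecure(basket))   # 1.00
    print("server-priced:", price_basket(basket))            # 1250.00
    print("phone without plan:", price_basket([{"sku": "iphone", "qty": 1}]))
```

Pricing is repeated at every step (basket display, order review, payment) rather than cached from the first one, which is what makes the “remove the plan after the discount was granted” trick ineffective.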

3. Major bank gives easy access to customers’ accounts

One bank allowed customers to view their stock and share options in their account interface via a separate part of the site.

By clicking on ‘View my stocks’, the website would show www.bank.com/stocks. Hackers could find and access the customer’s account number via the separate site’s setting.

The worst thing is that this bug already existed 15 years ago and appeared again recently.

Solution

Tip: Always carry out a lessons learned after a breach. Never reproduce the same design and requirements in new versions without referring to past incidents.

4. Online payment system and local businesses free goods giveaway

An online payment system similar to PayPal offered three types of service to verify payment:

  • Free: No verification of payment
  • Low-cost: URL verification
  • Pro: Call-back from bank to online business to verify payment has gone through

For the low-cost version, after the shopper selected the payment he would be redirected through the Online Payment System to his bank. The URL would look like:
www.onlinepayment.com/pay.jps?transaction=X&payment_succes=www.shop.com/transaction_state=Y&payment_fail=www.shop.com/transaction_state=Z.

To fool the store into thinking the transaction had been paid, the shopper could copy and paste www.shop.com/transaction_state=Z into his browser to skip the whole banking process and return to the store.

Solution

Tip: Always verify remote decisions, either by cryptographically signing them or by using out-of-band communication.
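The “Pro” tier above (a call-back from the bank to the shop) is the out-of-band option from the tip. The signing option can be shown in code: the payment service puts an HMAC over the outcome into the return URL, and the shop accepts “paid” only when the signature verifies, the outcome is fresh and the transaction has not been presented before. This is an added example, not code from the page or from the payment service it describes; the shared secret, the parameter names, the canonical string format and the in-memory store of accepted transactions are all constructed assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed shared secret, provisioned out-of-band between the payment
# service and the shop. Assumption: both sides agree on HMAC-SHA256 over the
# canonical string "transaction|state|timestamp".
SHARED_SECRET = b"example-shared-secret-replace-in-production"

# Constructed store of transaction ids already accepted by the shop; a real
# deployment keeps this in the order database.
ACCEPTED_TRANSACTIONS = set()


def sign_outcome(transaction_id, state, issued_at, secret=SHARED_SECRET):
    """Signature over the outcome fields; only a holder of the secret can produce it."""
    message = f"{transaction_id}|{state}|{issued_at}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_return_url(base, transaction_id, state, now=None):
    """Payment-service side: the redirect back to the shop carries a signed
    outcome, so typing the 'success' URL into the browser is not enough."""
    issued_at = int(time.time() if now is None else now)
    params = {
        "transaction": transaction_id,
        "state": state,
        "ts": issued_at,
        "sig": sign_outcome(transaction_id, state, issued_at),
    }
    return f"{base}?{urlencode(params)}"


def verify_return(query, max_age=300, now=None, secret=SHARED_SECRET,
                  consumed=ACCEPTED_TRANSACTIONS):
    """Shop side. Returns (transaction_id, state) only when the signature is
    valid, the outcome is no older than `max_age` seconds, and the transaction
    id has not been accepted before. Anything else yields None."""
    q = parse_qs(query)
    try:
        transaction_id = q["transaction"][0]
        state = q["state"][0]
        issued_at = int(q["ts"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    expected = sign_outcome(transaction_id, state, issued_at, secret)
    # Constant-time comparison so the check does not leak how much of the
    # signature matched.
    if not hmac.compare_digest(expected, sig):
        return None
    current = time.time() if now is None else now
    if not 0 <= current - issued_at <= max_age:
        return None  # stale or future-dated: treat as forged
    if transaction_id in consumed:
        return None  # replay of an outcome that was already accepted
    consumed.add(transaction_id)
    return transaction_id, state


if __name__ == "__main__":
    url = build_return_url("https://shop.example/return", "X", "paid")
    print(url)
    print(verify_return(url.split("?", 1)[1]))      # ('X', 'paid')
    print(verify_return(url.split("?", 1)[1]))      # None: replay
```

Even with a valid signature, the shop should still check that the transaction id and amount match an order it actually created; the signature proves who made the decision, the order record proves what it was about.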

5. Government public services: an ideal target for political warfare

A country’s government services wanted to provide a single sign-on for citizens, to give easy access to public services. Instead of each person choosing their own username, their social security number was used as the username.

If a password was entered incorrectly more than four times, the account would be locked. A reactivation then had to be done, for which the activation code would be sent by post. This would take one full working week. With a simple algorithm, hackers could enumerate all possible social security numbers and log into each account four times with a known wrong password.

The result? A hacker could create a denial of service and disable the whole country for a week!

Solution

Tip: Use a delayed lockout based on time and a captcha to prevent an automated DoS. Also implement the use of 2-factor authentication.

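The time-based lockout and captcha part of the tip can be shown as a small throttle: after the free failures are used up, each further failure imposes a delay that doubles and then expires on its own, and a captcha is demanded, so a script that knows every username can slow people down but cannot lock them out for a week. This is an added example, not code from the page or from the government service it describes; the thresholds, the in-memory state and the `ManualClock` used for testing are constructed, and the second-factor step the tip also recommends is outside what it shows.

```python
import time
from collections import defaultdict


class ManualClock:
    """Constructed clock so the behaviour can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class LoginThrottle:
    """Time-based delayed lockout with captcha escalation (constructed example).

    The first `threshold` failures inside `window` seconds cost nothing. From
    the next failure on, attempts for that username are refused until a delay
    has passed; the delay starts at `base_delay` seconds and doubles with each
    further failure, capped at `max_delay`. Because the delay expires by
    itself, nobody needs a reactivation code sent by post.
    """

    def __init__(self, threshold=4, base_delay=2.0, max_delay=900.0,
                 window=3600.0, clock=time.time):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.clock = clock
        self._failures = defaultdict(list)  # username -> recent failure times
        self._not_before = {}               # username -> earliest next attempt

    def _recent_failures(self, username):
        """Drop failures older than the window and return the live list."""
        now = self.clock()
        kept = [t for t in self._failures[username] if now - t < self.window]
        self._failures[username] = kept
        return kept

    def retry_after(self, username):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        return max(0.0, self._not_before.get(username, 0.0) - self.clock())

    def needs_captcha(self, username):
        """Demand a captcha once the free failures are used up, so the remaining
        attempts cannot be driven by a script alone."""
        return len(self._recent_failures(username)) >= self.threshold

    def record_failure(self, username):
        """Register a wrong password; returns the delay imposed (0.0 if none)."""
        now = self.clock()
        failures = self._recent_failures(username)
        failures.append(now)
        excess = len(failures) - self.threshold
        if excess < 0:
            return 0.0
        delay = min(self.base_delay * (2 ** excess), self.max_delay)
        self._not_before[username] = now + delay
        return delay

    def record_success(self, username):
        """A correct login (password plus second factor, if enforced) clears the state."""
        self._failures.pop(username, None)
        self._not_before.pop(username, None)


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(clock=clock)
    for _ in range(5):
        print("delay imposed:", throttle.record_failure("user-42"))
    print("captcha required:", throttle.needs_captcha("user-42"))
    clock.now += 4000
    print("after the window:", throttle.retry_after("user-42"))
```

Keying the throttle by username alone still lets someone impose a short delay on a known account, which is why the captcha (and, per the tip, a second factor) is applied alongside the delay rather than instead of it.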
Top 7 ways to secure your mobile apps

As mobile development becomes more mainstream, there’s no better time to start thinking about mobile security. Too often, a mobile team will put features over security to get the product out of the door but to achieve a fully positive user experience, you just cannot ignore security.

According to OWASP*, these are the top 10 risks for mobiles.

* Open Web Application Security Project

  1. Weak Server Side Controls
  2. Insecure Data Storage
  3. Insufficient Transport Layer Protection
  4. Unintended Data Leakage
  5. Poor Authorization and Authentication
  6. Broken Cryptography
  7. Client Side Injection
  8. Security Decisions Via Untrusted Inputs
  9. Improper Session Handling
  10. Lack of Binary Protections

To ensure that you do not fall into these traps, here are 7 things you can already do to protect your mobile apps.

1. Don’t store data if you don’t have to

Store your sensitive data securely and, even better, don’t store passwords or personal identification information at all.

2. Remember to look at the server side

The server side is the most often overlooked piece of the mobile application, and therefore usually yields the most critical vulnerabilities. Validate all input and use a whitelisting approach for special/control characters.
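The whitelisting (allow-list) approach from the tip above, as an added example that is not code from the page or from HP Fortify: each field of a request is accepted only if, after Unicode normalization, it matches an explicit character set and length, and any control or format character is rejected outright instead of being stripped. The field names and their policies are constructed for the illustration.

```python
import re
import unicodedata

# Constructed allow-list policies: each field names exactly the characters
# and length it accepts. Input that does not match is rejected, not "cleaned".
FIELD_POLICIES = {
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
    "order_id": re.compile(r"[0-9]{6,12}"),
    # A letter in any script, then letters/digits, space, period, apostrophe
    # or hyphen; no angle brackets, quotes, semicolons or other syntax.
    "display_name": re.compile(r"[^\W\d_][\w .'-]{0,63}"),
}


def check_field(name, value):
    """Return the normalized value if it satisfies the field's allow-list,
    otherwise None. Unknown field names are rejected as well."""
    if not isinstance(value, str):
        return None
    # Normalize first so look-alike forms (full-width letters, composed
    # characters) are compared in one canonical shape.
    value = unicodedata.normalize("NFKC", value)
    # Reject every control/format character (newlines, NUL, zero-width
    # spaces, bidi overrides) before the field's own pattern is consulted.
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        return None
    policy = FIELD_POLICIES.get(name)
    if policy is None or not policy.fullmatch(value):
        return None
    return value


def validate_request(fields):
    """Validate a whole request body; returns the accepted values and the
    names of the rejected fields so the caller can refuse the request."""
    valid, rejected = {}, []
    for name, raw in fields.items():
        cleaned = check_field(name, raw)
        if cleaned is None:
            rejected.append(name)
        else:
            valid[name] = cleaned
    return {"valid": valid, "rejected": rejected}


if __name__ == "__main__":
    # Constructed request body mixing acceptable and unacceptable values.
    print(validate_request({
        "username": "alice_01",
        "order_id": "123456",
        "display_name": "Alice <script>",
        "comment": "unexpected field",
    }))
```

Rejecting rather than sanitizing keeps the server’s view of the data identical to what the allow-list describes, which is what downstream code (queries, templates, log lines) can safely rely on.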

3. Encrypt and protect your traffic

Secure your communications across networks. With pentesters, check that your TLS implementations do not do any of the following:

  • Trust any certificate it sees (self-signed or any root)
  • Allow expired certificates
  • Can connect to HTTPS once, and then fall back (mixed mode)

4. Know your OS to avoid unintended data leakage

Look at your target OS and ensure that none of the operating system’s features leak private data.

5. Know your libraries

Audit any baked-in ad or analytics libraries for unnecessary transmission of private data, and make sure you proxy the application during QA testing.

6. Analyze mobile traffic data

Beware of the hidden communications your mobile applications perform. Your mobile app talks to more than one destination, so your data is shared with more than just one network.

7. Make it hard for the attacker

Harden your binaries. Look to see what easy and free binary defences your developers can implement.

Daniel Miessler, Practice Principal, HP Fortify on Demand

Meet the authors

Yves Le Floch, VP, Head of cybersecurity business development, Sogeti

Marinus Kuivenhoven, Senior Security Specialist, Sogeti

Daniel Miessler, Practice Principal, HP Fortify on Demand