Veracode’s annual software security status reportSecurity flaws were found in 80% of the applications examined. Many of these address well-known problems that have existed in web apps for years. Akamai’s latest State of Internet Security reportanalyzed traffic through its infrastructure and found that “web attacks against applications and APIs surged 49% between the first quarter of 2023 and the first quarter of 2024.” “As demand for applications and APIs grows exponentially, they have become lucrative targets for threat actors looking to exploit security holes to gain unauthorized access to their targets’ sensitive data.”
Over the past few decades, software developers have proposed a variety of security initiatives to combat this trend, including Secure by Design, Defense in Depth, Shifting Left, and DevSecOps. However, the problem of insecure apps still persists. This is because one poorly designed app can infiltrate a company’s entire network and cause a large-scale data leak.
We propose five starting points and ways to prevent wrong decisions that can have serious consequences for corporate security and strengthen your security posture.
Incorrect input control
Writing all code begins with understanding what data input is needed. This means paying attention to how these inputs are consumed in your application. Having little control over this input leads to cross-site scripting or SQL injection attacks because these attacks (and other exploits) take advantage of lax input control.
“A very common case is missing or poor input validation,” says Tanya Janka, who is writing her second book on application security and has consulted on the topic for several years. sneak too blogDevelopers must “ensure correct input validation and that data is syntactically and semantically correct,” he said. “You should always validate your backend input and sanitize it appropriately,” Stackhawk says. revealed.
Given the frequency of this advice, why are there still apps without proper input controls? One reason is that developers often start writing apps without controls to simplify testing and forget to go back and review their work. Another reason is that the developers didn’t focus on security from the beginning, which is also the origin of Shift Lift.
CISA’s latest best practicesAccording to , it is recommended that products systematically apply parameterized queries and separate the command input from the content of the command itself.
Incorrect authentication and loose permissions
The second common problem is related to the application’s lack of robust authentication and role-based permissions. It’s not a new problem, but it’s one that’s often overlooked by app development teams in their rush to write and publish more code. The basics are important here: creating and understanding access rules, implementing multi-factor authentication (especially for administrators and administrators), and removing default (or absent) passwords from coding projects or resources.
One aspect of lax authentication has to do with ‘secret sprawl’, which is the mistake of using credentials hard-coded into APIs and code, such as encryption keys and login passwords. Git GuardianWhen we tracked this issue, we found that almost all breaches that leak these secrets remain active for at least five days after the software creators are notified. One-tenth of open source authors have leaked secrets, equating to the misbehavior of approximately 1.7 million developers.
Correcting these deficiencies is reflected in numerous best practices, from individual vendors to CISA’s own documents. The goal here is to determine who actually needs access to each specific resource, and periodically monitor that relationship to ensure that the role is still valid. Additionally, you should remove credentials when data access is no longer needed and perform regular audits of these credentials and permissions.
Invalid API protection and enumeration
As APIs proliferate and applications become more interconnected, developers must ensure that this communication path is protected and safe to use. Hosted by Salt Security API Security Status Report, Q1 2023According to , nearly all of the 400 enterprises experienced security issues in their operational APIs by 2023, with 17% experiencing an API-related breach. “Unfortunately, the threat continues to grow and the potential attack surface continues to increase,” said Adam Roker of OPSWAT.
from the Internet Archive last month. 3 separate breachesAll were related to API keys that were not properly protected. “APIs exposed as public assets increase the attack surface and are a priority target for malicious actors,” Gartner principal analyst Dale Copen told CSO. “The application attack surface has grown exponentially, which is causing compromised code to rush to market.”
“It’s very easy to find APIs that aren’t hidden behind an API gateway,” Janka said. “If it is exposed to the Internet, someone malicious can find it and exploit it,” he warned.
Amiram Shachar, CEO of Upwind.io, said developers should continuously test for API vulnerabilities and monitor API traffic in real time to identify threats and streamline response. “API security is not a stand-alone tool; it is a part of overall cloud security. “It has to be part of the package,” he emphasized.
F5 2024 Application Strategy Status ReportAccording to , 41% of companies surveyed manage as many APIs as individual apps. They expect the proportion of APIs to continue to increase as AI implementations evolve and more complex apps are built.
However, Internet Archive developers have unfortunately come to realize that building an API gateway is only one part of an overall API governance strategy. Enterprises must apply consistent, comprehensive security policies across their entire API infrastructure and be able to adapt to new threats and unusual behavior.
wrong tool
Now let’s talk about tools. The tooling challenge for maintaining a high level of app security is two-fold. The first is gathering the right set of tools to help you discover and solve problems. What makes this difficult is that there is no single universal security tool, so tool selection requires careful consideration to reduce coverage gaps as much as possible.
Gartner three types of TaoI propose a phrase.
- API Gateway. This tool performs two main tasks: It maintains a complete inventory of all APIs to facilitate troubleshooting and helps you investigate third-party vendors and monitor all APIs for suspicious activity.
- Code scanning and testing tools are tools that help developers discover coding errors and identify and fix vulnerabilities. These tools help protect the software supply chain while code is being written, preventing disasters like the SolarWinds Orion exploit in 2020.
- So-called web application firewalls actually protect all applications from attacks such as SQL injection. Although it typically operates at a higher protocol level, it can also be used to block lower-level network-based attacks such as DDoS or botnets.
But the second challenge is understanding the security culture so that developers can choose the right tools to actually deploy. Commenting on this issue, Jeeva Singh noted in his blog, “You should start small, rather than shopping for everything at once, to avoid overwhelming your engineering firm with a huge list of vulnerabilities.” You need to look at these vulnerabilities to understand and prioritize the data you want to protect. Singh found that many companies choose solutions that don’t fit their business needs. Because it does not utilize tools, it is not integrated into daily processes.
The message Veracode conveys is simple. The idea is to inspect your app frequently, use a variety of techniques to test it, and understand the big picture of how your app is built and modified to make ongoing modifications.
There are several application security products (Barracuda, Imperva, F5, etc.) that combine several categories of what Copen calls traffic processing engines. This integration ultimately helps eliminate the fatigue of tools and alerts that spend a lot of time tracking down false positives. “The biggest challenge is getting overall risk management right,” the CSO said. “We need to simplify our tools and integrate as many tools as possible,” he summarized.
Misuse of Automation
The final problem is that automation is not used often or effectively. Even with the best tools, it can take time for notifications to accumulate and be analyzed. Generative AI helps because it can quickly identify false positives, match alerts that require immediate attention, and provide quick resolutions to enhance security across the enterprise. “The biggest problem with security software, especially protecting websites and APIs, is the prevalence of false positives,” said Venky Sundar, president of Indusface.
Automation is essential to a modern app security environment, especially to help you perform regular penetration and vulnerability testing. This advice is echoed by numerous security experts, including the Open Web Application Security Project (OWASP) and CISA.
“Using AI effectively can help eliminate or minimize false positives and encourage more companies to use WAFs to block false positives,” Sundar said.
AI can also be used to filter and reduce notification fatigue. Security companies are moving quickly, and many tools now have enhanced generative AI capabilities and use machine learning models to discover malware and provide faster responses to identify malicious trends.
Despite these problems, the overall environment shows signs of hope. Veracode said in its report that the rate of the most serious coding defects had been halved compared to 2016. However, serious coding errors still remain, and on average, a typical app has 42 defects per megabyte of code written. This figure is still too high.
“Overall, the situation is improving,” Janka said. “New developers tend to be more security conscious than those who were trained a long time ago.”
editor@itworld.co.kr
Source: www.itworld.co.kr
