To stay secure, organizations must gain control and visibility over their app landscape
For many years, Jason Kent used a good old-fashioned remote control clicker to open and close his garage door, but the mechanism recently got “appified” so he became curious about its security.
His interest isn’t surprising. After all, Kent is Qualys’ Vice President of Web Application Security, so this topic is near and dear to his heart, and it’s fair to say he knows a thing or two about these matters.
To appease his curiosity, he donned a black hoodie because, as he explained at RSA Conference 2016 Abu Dhabi in mid-November, “you have to look the part when you’re hacking IoT,” and he sat in his driveway to try to break into the app.
“I looked at the communication from my mobile app to my garage door through the cloud. I broke into the communication. I crafted a packet in my laptop. And the door opened,” he said during his presentation titled “Security in the App Era: Building Strength for an Interconnected World.”
But is this example of a brittle consumer app relevant and applicable to the enterprise? Yes, says Kent, noting that consumer apps heavily influence the development of enterprise apps these days.
Enterprises Can’t Get Enough of Apps
Enterprises are building and acquiring web and mobile apps and web services left and right for many operations and functions — order management, payments, human resources, inventory control — because they make life easier, simpler and more convenient for employees and customers, which in turn boosts business.
However, in their rush to “appify” their businesses, many organizations are failing to rigorously examine how secure these apps are, even though they often have multiple links to critical back-end systems.
“What are we doing inside of these apps? Where are the problems in them?” Kent asks. “There’s a tremendous amount of interconnectedness (in them) to make this all work.”
If there are vulnerabilities and holes in those multiple points of connection, the potential for security problems — data breaches, brand damage, regulatory fines — becomes significant.
“We have to remember that with all of this promise comes a tremendous amount of opportunity for peril,” he says.
“We have to understand where the problems might lie,” he adds.
The Road to Hell is Paved with … Insecure Apps
What does an application security failure look like in the real world? Kent offered this example of which he’s got first-hand knowledge.
A large bank wanted to increase participation in its proxy voting, so they hired a contractor to build a mobile app that would conveniently allow shareholders to participate in the corporate election.
However, the bank didn’t give the contractor specific security requirements for the app, other than to make sure it had a sign in gate.
The contractor downloaded a common authentication library from the Internet and plopped it in the app, which the bank then promptly distributed to its entire investor base.
“But the authentication library contained a tiny flaw: It grabbed all of the contacts on users’ phones and shipped them off to a server in China,” Kent says.
Only when scammers started flooding the shareholders with phishing attacks did the bank become aware of the problem.
Red-faced, the bank had to notify all voters about the situation, apologize and acknowledge it had mishandled the app development project.
What To Do? See, Assess and Remediate
Before the advent of mobile and cloud computing, software applications had simpler and more linear trust patterns, so securing them was easier. However, today’s apps are thoroughly interconnected with other apps, web services and back-end systems via APIs and custom integrations, making it complicated to assess their security gaps and weak links.
“We need to come up with a way to easily manage application security,” Kent says.
The first step towards achieving that goal is to have full and clear visibility into the organization’s applications. With a comprehensive and continuously updated app inventory, organizations are then in a position to control and manage their security. For example, when a bug in a popular open source component is announced, an organization that has an app inventory will know where it needs to patch it.
“I’ve walked into I don’t know how many organizations and asked them how many apps they have and they usually say, ‘I’m not sure. I know we’ve got these two we really care about and then there’s probably 800 more,’” Kent says.
In fact, he’s worked with large banks that have more than 10,000 apps but no inventory control.
The second step towards app security control is assessment and testing with a broad scope. This means going beyond pen testing and encompassing the entire technology base involved, including developers’ awareness and knowledge of secure app creation.
“I’ve polled probably 4,000 or 5,000 developers in my time and I’ve spoken with three who’ve gone to security training,” Kent says. “This is a huge problem.”
Finally comes the actual fixing of problems. For proper remediation, organizations need to prioritize not just the most important “crown jewels,” but also commonly-used, simple pieces of code that may be part of many apps and thus present a big threat if found to be vulnerable.
Ultimately, the goal is to make organizations safe and efficient. “We’re trying to create an environment where the promise of the app era is realized and the peril is diminished,” Kent says.
And the first step towards solid app security is to be curious.
“I’m a curious person. I invite you to be curious as well,” Kent says. “Take things apart. Look for the problems. Quest for the solutions.”