After speaking at Qualys’ recent webinar “Aligning Web Application Security with DevOps and IoT Trends,” Forrester’s Amy DeMartine granted us this Q&A, where she revisits and offers keen insights on issues including IoT security challenges and DevOps’ benefits for secure app dev. DeMartine, a Principal Analyst focused on security and risk professionals, also discusses “red teaming” for cloud products, and identifies signs you need a new automated security analysis tool.
First the bad news: Internet of Things (IoT) systems have created immense security holes. Now the good news: The problem can be fixed fairly easily.
That was the message from Jason Kent, Qualys’ Vice President of Web Application Security, during his recent webcast, “Aligning Web Application Security with DevOps and IoT Trends.”
“IoT doesn’t have to be scary. We have the knowledge on how to solve all these application security problems,” Kent said. “We just need to put focus on it.”
The effort to create awareness and shine a light on the issue of IoT security must be shared by IoT system manufacturers, application developers, and customers, including both businesses and consumers.
To stay secure, organizations must gain control and visibility over their app landscape.
For many years, Jason Kent used a good old-fashioned remote control clicker to open and close his garage door, but the mechanism recently got “appified” so he became curious about its security.
His interest isn’t surprising. After all, Kent is Qualys’ Vice President of Web Application Security, so this topic is near and dear to his heart, and it’s fair to say he knows a thing or two about these matters.
To appease his curiosity, he donned a black hoodie because, as he explained at RSA Conference 2016 Abu Dhabi in mid-November, “you have to look the part when you’re hacking IoT,” and he sat in his driveway to try to break into the app.
“I looked at the communication from my mobile app to my garage door through the cloud. I broke into the communication. I crafted a packet in my laptop. And the door opened,” he said during his presentation titled “Security in the App Era: Building Strength for an Interconnected World.”
There’s one thing that businesses, their customers and cyber criminals have in common: They all love web applications. The reasons for their affection, of course, vary.
Web apps add agility to organizations’ operations such as sales, marketing and customer support, and make business transactions more convenient for customers. Meanwhile, hackers salivate at web apps’ often porous attack surfaces and at their links to backend databases full of confidential information.
With web apps now a key tool for millions of businesses, as well as a major target for criminals, a troubling trend is emerging: The number of successful attacks against them is rising, along with the costs to recover from the resulting data breaches.
As web services power digital transformations in B2B and B2C e-commerce, mobility, IoT and cloud computing, organizations must prioritize web app protection, which infosec teams have historically overlooked.
SQL as a language is vulnerable to injection attacks because it allows mixing of instructions and data, which attackers can conveniently exploit to achieve their nefarious objectives.
The root cause behind successful SQL injection attacks is the execution of user-supplied data as SQL instructions. This classic cartoon illustrates the perils of trusting user inputs, and how they can lead to a successful SQLi attack:
From the webcomic xkcd:
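As an added illustration of the root cause described above (example code, not from the Qualys post), the following Python builds an in-memory SQLite table with constructed sample rows and runs the same lookup twice: once with the input pasted into the SQL text, once with it bound as a parameter so the database treats it as data only.

```python
import sqlite3


def make_db():
    # Constructed sample data for this example; not from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [("Alice", 91), ("Bob", 78), ("Carol", 85)])
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: the user's value becomes part of the SQL text, so
    # the engine cannot tell where the instruction ends and the data begins.
    sql = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened pattern: the SQL text is fixed and the value travels separately
    # as a bound parameter, so quotes inside it are just characters.
    sql = "SELECT name, grade FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    benign = "Alice"
    # Constructed input that closes the quoted string and appends an
    # always-true condition when it is spliced into the query text.
    hostile = "x' OR '1'='1"
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),   # every row leaks
        "param_benign": lookup_param(conn, benign),
        "param_hostile": lookup_param(conn, hostile),     # no such student
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated query returns all three rows for the hostile input, while the parameterised query returns none, which is the whole difference between "data mixed with instructions" and "data kept as data".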
Qualys Web Application Scanning 4.9 has added the capability to run web app vulnerability scans on AJAX applications that use JSON input. Specifically, WAS 4.9 can test for SQL injection (SQLi), local file injection (LFI) and PHP command injection. Many web application scanners can detect SQL injection, LFI, PHP command injection and other vulnerabilities in web applications that use standard GET/POST requests, but they fail to find the same vulnerabilities in applications that send JSON input in POST data. To analyze and detect vulnerabilities in JSON requests, WAS 4.9 added the capability to execute some AJAX scripts during automatic scanning without manual intervention. This capability relies on the SmartScan feature, which customers need to enable in their subscriptions.
Adopting third-party libraries to encode user input in the development phase and using a web application firewall in the deployment phase could fool web security managers into thinking their web applications are completely safe from Cross-Site Scripting (XSS) attacks. While it’s a good idea to employ these techniques, the illusion of safety could prove costly. These protection methods do not guarantee that your web applications are 100% free of XSS vulnerabilities, and XSS attacks that use more sophisticated techniques still occur, so care should still be taken.