NEW TECH: WhiteHat Security tackles ‘dangling buckets,’ other new web app exposures

By Byron V. Acohido

WhiteHat Security got its start some 17 years ago in Silicon Valley to help companies defend their public-facing websites from SQL injection and cross-site scripting hacks.

Related: Mobile apps are full of vulnerabilities

Both hacking methods remain a problem today. Yet organizations have many more application security headaches to resolve these days. As companies integrate digital technology into every aspect of their daily business operation, WhiteHat has seen strong demand for its innovative cloud-based application security platform.

I caught up with Bryan Becker, WhiteHat Security product manager, at the RSA 2020 Conference in San Francisco recently. In a wide-ranging discussion, we examined how local governments have become prime targets of ransomware purveyors, and why APIs translate into a vast new attack surface. For a full drill down please give the accompanying podcast a listen. A few key takeaways:

Targeting local government

For decades, nation-state attacks have caused serious havoc across the world, primarily targeting critical infrastructure such as power grids and industrial control systems, as well as government agencies, often disrupting operations and leaking sensitive information. Russia’s multiple takedowns of Ukraine’s power grid and Chinese plundering of the U.S. Office of Personnel Management are two prime examples.

In the past several years, however, state governments and municipalities have come under withering ransomware attacks. What’s more, election tampering at the local level has become an established component of national elections.

This is most definitely playing out among regional and local government agencies, which feel compelled to tap into new web and mobile apps to deliver services, to save money as well as meet the expectations of the public. Yet, funding is often the biggest issue for local governments trying to scale their security testing. “They don’t necessarily have the budget for a security team to scan their applications,” Becker points out.

The result: many local entities are only beginning to realize their susceptibility to cyberattacks, particularly ransomware attacks. An increasing number of municipalities are paying significant sums to free up IT and connections locked up by ransomware. This is because they lack the infrastructure to start over or respond to the attack themselves.

‘Dangling buckets’

Defending networks has never been more complicated. Digital transformation has led to a proliferation in cloud usage, mobile devices, and apps, so organizations face huge challenges trying to keep hundreds (or even thousands) of applications secure. Furthermore, modern microservice architectures and new cloud platforms mean that single applications are broken up into microservices that all need their own security scanning and testing.

Companies are enthralled with agile software development, but the process of producing new apps by rapidly combining snippets of code in software containers circulating in the cloud also introduces fresh vulnerabilities at a scaled-up pace.

As Becker explains: “Ultimately, we are creating new applications faster than we’re fixing vulnerabilities on the old ones.”

Despite the new cyber threats facing organizations of all sizes and in all sectors, some of the biggest risks come from vulnerabilities that have been around for many years. Cross-site scripting (XSS), in which attackers inject malicious script into trusted website pages, has been around for decades, but it is still considered a significant threat.

A more modern problem is “dangling buckets.” This is the term Becker uses to describe data that may have been used by an application once, but the relevant container has never been taken down. The name derives from Amazon S3 data storage buckets. However, it also applies to similar cloud storage services from Microsoft Azure and Google Cloud – and even to proprietary storage services. Companies have gotten into the habit, he says, of buying storage capacity and failing to keep track of everything that gets stored.

The growth of agile development means organizations are using cloud services not just for storage, but also for everyday software development, using cloud-enabled software containers and modular microservices. Yet the onus is on the subscribing company to configure each cloud tool and service with security in mind.
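One way a defender can attack the tracking problem Becker describes, as an added example that is neither WhiteHat’s code nor from the article: reconcile a storage inventory against the bucket names that currently deployed applications still reference, and flag anything unreferenced, stale or publicly readable. The record fields, bucket names, dates and the 90-day staleness threshold are all assumptions, and the inventory is constructed sample data.

```python
"""Reconcile a cloud storage inventory against the buckets that live
applications still reference, flagging candidate 'dangling' buckets."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BucketRecord:
    name: str
    provider: str            # "aws", "azure" or "gcp" (assumed labels)
    last_modified: datetime  # last object write seen in storage logs
    public: bool             # any public/anonymous read grant present


# Constructed sample inventory; these are not real buckets.
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)
INVENTORY = [
    BucketRecord("acme-web-assets", "aws", NOW - timedelta(days=2), False),
    BucketRecord("acme-migration-2018", "aws", NOW - timedelta(days=540), True),
    BucketRecord("acme-ml-exports", "gcp", NOW - timedelta(days=200), False),
    BucketRecord("acmeuploads", "azure", NOW - timedelta(days=1), False),
]

# Constructed: bucket names referenced by currently deployed app configs / IaC.
ACTIVE_REFERENCES = {"acme-web-assets", "acmeuploads"}


def find_dangling(inventory, active_refs, now=NOW, stale_after=timedelta(days=90)):
    """Return {bucket_name: [reasons]} for buckets no deployed application
    references; stale writes and public access are recorded as added risk."""
    findings = {}
    for b in inventory:
        if b.name in active_refs:
            continue                      # still owned by a live application
        reasons = ["unreferenced"]
        if now - b.last_modified > stale_after:
            reasons.append("stale")       # nothing has written to it recently
        if b.public:
            reasons.append("public")      # exposed as well as forgotten
        findings[b.name] = reasons
    return findings


def risk_rank(findings):
    """Order findings so public, unreferenced buckets are triaged first."""
    return sorted(findings, key=lambda n: ("public" not in findings[n], n))


if __name__ == "__main__":
    report = find_dangling(INVENTORY, ACTIVE_REFERENCES)
    for name in risk_rank(report):
        print(f"{name}: {', '.join(report[name])}")
```

In practice the inventory would come from the provider’s storage listing and access logs, and the reference set from the deployed configuration and infrastructure-as-code repositories.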

New rules

There are new rules to the game when it comes to security of cloud services, as established by the top cloud services vendors, namely Amazon, Google and Microsoft. The Big Three espouse the concept of “shared responsibility,” which means the cloud provider has a specific set of responsibilities, namely assuring the viability and security of the underlying cloud infrastructure. Meanwhile, the responsibility for configuring each service securely lies with the subscribing organization.

One big area where this shared responsibility model is being put to the test is with APIs, application programming interfaces. APIs connect each microservice to each container, and each mobile app to the underlying server. As a general practice, APIs are left wide open, to make them more flexible and agile. But that means threat actors can easily manipulate them.

WhiteHat is innovating in the emerging area of securing APIs. It is in the beta stages of developing a product that scans APIs for vulnerabilities. It has discovered that many organizations are not properly testing their APIs because they are either not sure how to do it or it’s too much work. As Becker explains, “theoretically, the same set of vulnerabilities that you find in application security for websites, for the most part, would also exist for an API.”

An attacker might be able to target a vulnerability directly on your API. Dangling data storage buckets may be among those vulnerabilities — APIs come into play there, as well.

It’s common practice to use APIs to shield off storage buckets, but rigorous authentication is often lacking, and getting to the data stored in the bucket often is an easy hack. Just ask Paige Thompson, the 33-year-old former Amazon software engineer charged with accessing an overlooked Capital One AWS S3 bucket to pilfer sensitive data for 100 million US and 6 million Canadian bank patrons.

Becker believes scanning will play a significant role in the future of application security: “I really do think we’re going to start to see a trend of more scanning in the DevOps life cycle.”

Last Watchdog’s Melanie Grano contributing.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
