By Byron V. Acohido
As sure as the sun will rise in the morning, hackers will poke and prod at the web applications companies rely on – and find fresh weaknesses they can exploit.
Related: Cyber spies feast on government shutdown
Companies are scaling up their use of web apps as they strive to integrate digital technology into every aspect of daily business operation. As this ‘digital transformation’ of commerce accelerates, the attack surface available to threat actors likewise is expanding.
I had a lively discussion recently with a couple of experts from WhiteHat Security. The San Jose, CA-based security vendor has been helping companies protect their web applications since the company was founded in 2001 by world-renowned ethical hacker Jeremiah Grossman, who also happens to be a black belt in Brazilian Jiu-Jitsu, as well as a native of my home state, Hawaii.
I spoke with WhiteHat Security researchers Bryan Becker and Mark Rogan at RSA 2019. They supplied clarifying context as to why web application vulnerabilities continue bedevil companies of all sizes and in all sectors. For a full drill down, give a listen to the accompanying podcast. Key takeaways:
Myriad vault doors
Thanks to digital transformation, the attack surface available to threat actors, via web interfaces, is larger than many companies realize – and this exposure continues to steadily expand.
“Moving to the cloud, terms like agile development and container-based infrastructure — all of these are different ways to break a large process down into many smaller components which is easier for a management team and a development team to manage and to update quicker,” said Becker.
But what happens is that instead of having one giant application, you end up with a hundred mini applications, and in the long run, that means it is harder to monitor for vulnerabilities in the code.
“A bank has to protect one attack surface: the vault door,” Becker said. “If you’re a company using hundreds of applications, every one of them has their own vault door, or multiple vault doors.”
Many web app vulnerabilities are unique to an organization because the application is built in-house, and developers aren’t always aware of the security vulnerabilities that could be maliciously exploited. Another issue is that developers are increasingly using open source code with complex dependencies that make it difficult to track what code is used where and written by who.
Spreading exposures
For example, last year, a vulnerability in the open source jQuery File Upload plugin was discovered. This widely-used open-source plugin is written in java script and allows files, such as a document or an image, to be neatly uploaded to a website. It has been embedded in countless web applications – with a dangerous flaw lurking within.
“This jQuery vulnerability has been known to the black hat community since about 2015. So, it’s been out there for the bad guys for years,” Becker told me. “For the good guys, this just came on our radar last year. Who knows how many more things like this are out there?”
The jQuery vulnerability illustrates an important point. Flaws in popular plugins, like jQuery File Upload, spread exposures far and wide – to any website using the exploitable plug-in. And the same holds true for other mix-and-match software components, such as microservices and software containers. Many of the developers innovating are focused on delivering cool new functionalities, and not necessarily security.
“Your software library might not depend on this (jQuery) library, but you might use some other third-party library, and that library depends on the vulnerable library,” Becker explained. “So you might not even be aware that this piece of code is in your software.”
Baking-in security
As application security vendors, like WhiteHat Security, help companies find and mitigate metastasizing coding flaws, there is, thankfully, a push in the cybersecurity community to address this problem at the front end, when software is being developed. It’s referred to as SecOps or DevSecOps.
“All of these vulnerabilities are dependent on the coding practicing that were initially used,” Rogan pointed out.
It is vital for companies to start thinking about baking-in a level of security that will ensure the trustworthiness of everyone involved in the supply chain, Rogan told me.
“Companies need to make sure their integrity remains intact,” Rogan said. “To do that, they need to be sure security is applied through their processes, be that with DevSecOps, or be that using services such as ours, to come check for vulnerabilities and ensuring that those vulnerabilities are mitigated within a reasonable time period.”
WhiteHat Security continues to innovate. DevSecOps is a nascent discipline. It’s going to be interesting to see how forthrightly the business community moves to balance the velocity and scalability promised by digital transformation with the necessary dosage of baked-in security. Talk again soon.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(Last Watchdog’s Sue Poremba contributing.)
