It's Raining Apps

One of the major obstacles to application security is the millions of lines of code that comprise them. It makes reliance on automated tools and secure development practices critical
One of the major obstacles to application security is the millions of lines of code that comprise them. It makes reliance on automated tools and secure development practices critical
Mobile = More Malware? (Source: Ponemon's 'Global Study on Mobility Risks', February 2012)
Mobile = More Malware? (Source: Ponemon's 'Global Study on Mobility Risks', February 2012)

A recent survey of CIOs carried out by Gartner, the industry analysts, put cloud computing and mobile technology in the top three priorities for 2012. With businesses putting more and more emphasis on both flexibility and cost controls, the prominence of these technologies will undoubtedly grow.

But both cloud and mobile computing put some additional and specific pressures on organizations’ information security infrastructure.

Although there are some important architectural differences between cloud applications, which use server resources, and mobile apps, which may run on a low-powered device such as a tablet, both types of applications are being used more frequently outside the organization’s firewall. Both types of application may access and manipulate sensitive data, on devices that have little in the way of conventional security or access controls.

A cloud application might be developed or deployed specifically to allow better access to that data for staff working on the road, or a mobile application might be developed to give remote workers seamless access to cloud-based data. Either way, the consequences of a security breach would be severe.

And it seems that organizations, and IT departments, are on their back foot when it comes to securing both environments. According to the most recent Verizon Data Breach Investigations Report, no more than 4% to 6% of mobile devices have a full set of security measures in place. Another research report, carried out by the Ponemon Institute for Thales, found that 40% of organizations believe their use of the cloud had decreased their security posture; just one in ten believed it had improved it.

“What we’ve found is, from a security perspective, cloud creates a potential dilemma or conflict, because companies want to use cloud for its functionality and convenience. But security is a question mark”, says the institute’s CEO, Larry Ponemon. “Who’s responsible for the data you transfer to the cloud provider? And mobile absolutely adds to the risk.”

Applications, and especially consumer applications, are designed to improve collaboration or document sharing between individuals. This is especially true for mobile devices that come with native ‘apps’ – they only add to the security challenges, Ponemon warns. “They contain a treasure trove of information.”

For IT departments, and CISOs in particular, the trend to move both applications and data outside the conventional firewall risks exposing critical systems and information to new forms of attack and exploitation.
A growing number of modern, off-the-shelf applications are ‘hardened’ to allow their deployment in hosted or cloud environments, but potential vulnerabilities remain. This is especially the case when it comes to access, user control and authentication.

“The key issue we see is authentication, who has access to the application, and who can do what with it, especially fully fledged packages like SAP”, says Adrian Davis, principal research analyst at the Information Security Forum (ISF).

“The second issue is integrity. How do I know that the information going in [to an application] is the information that should be going in? A classic example is a SQL injection attack”, Davis observes. The problem is often made worse, he says, by developers rushing to put an application into a cloud – or into an app store – before it is properly tested. “All too often, speed to market wins over security”, he laments.

Attack the App

On paper, any software application can be vulnerable to a cyber attacker. Today’s programs, whether custom-written or off the shelf, contain millions of lines of code, and their testing is beyond the scope of humans. Developers are forced to rely on automated testing tools and good application authoring practices, in particular secure development lifecycles. But errors can and do occur, as the number of patches – to application code, operating systems, and middleware – demonstrates.

Nor are specific attacks against application code – such as cross-site scripting or SQL injections – the only risks organizations face when they move software outside the firewall. The data itself can be vulnerable to manipulation and exploitation; according to Mark Riley, a security systems expert at PA Consulting, there is a growing demand from some clients for technologies such as XML firewalls, which secure application-to-application communications.

But by far the largest risks are posed not by modern or packaged applications, but by legacy systems and code, which was never written with a view toward running on a remote server, nor to be accessed via a remote or potentially insecure device.

There is yet a further risk for applications that have been developed in house, or even those that have been customized extensively – they may have hidden vulnerabilities. It could be open to exploitation, once IT takes away the protection of the firewall, or when accessed via a device other than a secured end point.

“A lot of applications are 10 to 15 years old and predate when internet security was considered in the application development lifecycle”, says Riley. “Legacy systems may need a firewall in place [to secure them], especially if they were built from scratch.”

Then there are applications which might, in themselves, be secure but are made vulnerable by the way they are deployed outside the corporate IT network.

“You can’t just take an application you’ve developed in house and stick it on the web or on an iPad”, warns the ISF’s Davis. “The way applications are developed means it might not work well in the new environment, or have the wrapper around it for security and resilience that it needs to work in that environment.” An otherwise secure application could be made vulnerable because a ‘fat’ client system, such as a PC, is needed for control.

Mobile Madness?

Mobile devices, in turn, present another risk to IT security, both from applications running locally on the device, and from the way tablets and smart phones are used to access back-office applications – for example, through a browser.

Already, there have been incidents of spyware and malware on mobile devices, especially on the Android platform. With few mobile devices running firewalls or anti-virus, and the potential of data leakage between mobile apps, there is clearly a threat.

“If it is a CEO wanting to look at an SAP forecast on an iPad, someone may attack that device rather than attacking the client application directly”, points out Nick Russell, a member of the CIO advisory team at KPMG. There is also a further risk, from using potentially insecure wireless networks on the road, and from browser-based exploits aimed at harvesting credentials, such as ‘man-in-the-browser’ attacks.

“If it’s a corporate laptop that is itself a secure device, using that with the cloud is different than a user-owned device”, Russell continues. “If the device has questionable security, that opens up a different attack surface than if you had a safe end point.”

Nevertheless, securing both mobile and cloud applications is possible, using similar techniques and tools. Secure development has to be a priority for both environments, as is testing, and ensuring that user and data authentication measures are robust. These tools, though, are not something that all organizations are employing today.

"You really have to write software on the assumption that it is going to be attacked"
Mike Small, KuppingerCole

“Firms may not know how secure their applications are. It depends on the sector”, says Russell. “Some they may do pen testing or security testing, but a large percentage of standard corporates [don’t]. They should, before moving to the cloud.”

CISOs should also carry out a data classification exercise before porting any applications. Some applications will be relatively safe options, because the data they process is not critical or confidential. Others may need much more secure environments, or even be restricted to use within the firewall, at least for now.

A further key measure is user education. When it comes to mobile applications in particular, but also consumer-focused cloud-based applications, users need to know that downloading an application may pose a risk. That can stop short of the risk of downloading a malicious app, although these do exist; a legitimate application could breach data security policies, or offer a back door into business systems, because the cloud or mobile app itself has a flaw.

Above all, however, IT departments need to look again at their software development and testing cycle, and build security in from the outset.

“You really have to write software on the assumption that it is going to be attacked”, says Mike Small of analyst firm KuppingerCole. There are people who find flaws in the way software is written. It’s often a simple, well-known task to break into software.

“A lot of software isn’t written with the assumption that it will be attacked”, Small admits. “And if you expose it, it is more vulnerable outside the firewall.”

What’s hot on Infosecurity Magazine?