Part 1 in this series looked at Online Security and the flawed protocols it is built upon. Online Security is complex, and its underlying fabric was built without security in mind. Here we explore aspects of Application Security Testing. We live in a world of complicated application architectures compounded by poor visibility, which leaves the door wide open for compromise.
Web Applications Are Complex
The application has moved from a single-server design to a multi-tiered architecture, which has opened something of a Pandora's box. To complicate application security testing further, the tiers are separated by firewalling and load balancing, implemented with either virtualized or physical appliances.
Containers and microservices introduce an entirely new wave of application complexity. Individual microservices must communicate with each other, yet they may be located in geographically dispersed data centres.
Web Application Architecture
The web application architecture is broken down into a number of components: a front-end web server and a number of back-end tiers, such as a database store. The web application is a complex beast, and there are many areas to look after, such as session tracking, user permissions, application logic and data access. All these challenges are further compounded by the increase in traffic volumes and the lack of visibility, which has let the grass grow under our feet.
Rise in Traffic
The amount of network traffic is growing many times over and will continue to mount at an unprecedented rate. However, while the level of network traffic soars, the level of visibility into that traffic is decreasing, which puts web applications at risk.
One of the most common maxims in networking is "know thy traffic". However, how do you know the path an application takes over the network? Everything is monitored in silos, and teams suffer from alert fatigue. The application and its infrastructure are not tightly coupled in the monitoring, which means that troubleshooting a cyber event during an attack leaves many operators on their knees.
You Are Only As Strong As Your Weakest Link
With security, you are only as strong as your weakest link. Nowadays, applications are multi-tiered, and their tiers may share the same Layer 2 and Layer 3 segment. Layer 2 offers only limited security controls, such as private VLANs, and it's not always possible to separate tiers by connecting them over Layer 3.
If the web application architecture is not designed correctly, a front-end web server could share a segment with an unsecured application server. As a result, a bad actor can compromise the weakest link, the application server, and use it to move laterally through the network to gain an even stronger foothold. This is known as establishing a beachhead.
Once inside the network, a good adversary can route around detection systems and compromise valuable assets. The only real way to catch them is with another human, the threat hunter (also called a cyber hunter). However, not many organizations have a specialized hunter at hand, so it's better to safeguard your web applications with appropriate application security testing tools.
Types of Threats
There is a plethora of security threats at all levels of the Open Systems Interconnection (OSI) stack. At Layer 3 we have a variety of control-plane attacks against routing protocols, along with transport-level attacks. Resource exhaustion comes in many forms, such as transit, direct and reflection attacks. As we know, Layer 2 is brittle and also has a large attack surface, including Spanning Tree Protocol (STP) manipulation, media access control (MAC) address spoofing and content addressable memory (CAM) table overflow attacks.
There is also a large attack surface for applications, and many attacks are aimed at Layer 7, such as SQL injection, the various forms of Cross-Site Scripting (XSS), multiple application-layer Distributed Denial of Service (DDoS) vectors and Cross-Site Request Forgery (CSRF), to name a few. Some of these can bring the application to a halt, while others degrade performance or expose data. Therefore, all layers must be secured, especially where traffic traverses shared media. The most important layer is the application layer, since this is where the buck stops.
The threat to today's web applications is very real, and the tools attackers need are readily available. It's a constant game of cat and mouse. Administrators must deploy the best technologies available to properly secure applications and the connections to them, without jeopardizing operations or adding network complexity. The first step is to be armed with the readily available tools for application security testing.
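As an added example (not code from the original article), the following Python snippet shows the first of those Layer 7 attacks, SQL injection, the way an application security test would exercise it: a login query that concatenates user input, next to its parameterised replacement, both run against a constructed in-memory SQLite table with a classic tautology payload. The table contents, function names and payload are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data for the example: one user row. The password is
# stored in plain text only to keep the demonstration short; real code
# stores a salted hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # BAD: untrusted input is spliced into the SQL text, so a quote in the
    # input changes the structure of the query.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    # GOOD: a parameterised query. The driver passes the values separately
    # from the SQL text, so they are never interpreted as SQL syntax.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Tautology payload in the password field. Against the vulnerable query it
# yields: ... AND password = '' OR '1'='1'   which is true for every row.
PAYLOAD = "' OR '1'='1"


def run_injection_test():
    """Return a dict describing whether each login variant can be bypassed."""
    conn = make_db()
    results = {
        "vulnerable_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_bypassed": login_vulnerable(conn, "alice", PAYLOAD),
        "hardened_bypassed": login_hardened(conn, "alice", PAYLOAD),
        "hardened_valid_login": login_hardened(conn, "alice", "s3cret"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in run_injection_test().items():
        print(f"{name}: {outcome}")
```

The test is deliberately a differential one: the same payload is sent to both variants, and the finding is the difference in outcome, which is how a dynamic scanner distinguishes an exploitable endpoint from a merely suspicious one.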
Application Security Testing
In the dynamic world we live in, application security testing is a must. It enables operators to find security weaknesses or vulnerabilities within an application and its surrounding environment. Application security testing should not look from a single angle; it should cover a complete list of checks in order to harden the application against known and unknown attacks, with emphasis on everything from in-depth crawls and analysis to perimeter scanning.
The type of application security testing carried out should depend on each organization's requirements. It could be for an internal requirement or to meet regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Being hardened against data breaches is a given when it comes to meeting compliance. The key areas for compliance are data exfiltration and being proactive about finding ongoing streams of data leaving protected systems for destinations outside the network.
The headlines are often dominated by botnets carrying out inbound DDoS attacks measured in terabits per second. Recently they have taken some of the most respected networks offline. There is something about battalions of IoT bots that makes a catchy headline. However, network downtime is not as bad as a data breach.
Data breaches are often caused not by an inbound DDoS but by outbound traffic generated by malware on an infected host. The ability to scan a network for malware quickly is a must, not only to prevent data breaches and data exfiltration but also to be a friendly neighbour to other networks. Cyber criminals are working together; so should we.
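To make the outbound-versus-inbound distinction concrete, here is an added example (not part of the original article) of the kind of exfiltration check described above: a small Python routine that parses constructed flow records, counts only bytes sent from protected address space to external destinations, and flags hosts that exceed a byte threshold. The flow record format, the 10.0.0.0/8 protected range, the sample records and the threshold are all assumptions for this example; a real deployment would take them from the flow collector and a measured baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (assumed format: timestamp src dst bytes).
# Made up for this example, not captured from a real network. The external
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
2024-01-01T10:00:00Z 10.0.2.15 203.0.113.9 120000
2024-01-01T10:00:05Z 10.0.2.15 203.0.113.9 450000
2024-01-01T10:00:07Z 10.0.2.20 10.0.3.5 9000000
2024-01-01T10:00:10Z 10.0.2.15 203.0.113.9 700000
2024-01-01T10:01:00Z 10.0.2.31 198.51.100.4 3000
2024-01-01T10:02:00Z 198.51.100.4 10.0.2.31 500000000
"""

# Assumed protected address space for the example.
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED)


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((ts, src, dst, int(nbytes)))
    return flows


def outbound_bytes_per_host(flows):
    """Sum bytes sent from protected hosts to non-protected destinations.

    Inbound traffic (external -> protected) and east-west traffic between
    protected hosts are ignored on purpose: only the exfiltration direction
    counts, which is why a large inbound flood does not trip this check.
    """
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if is_protected(src) and not is_protected(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfiltration(flows, threshold_bytes):
    """Return the protected hosts whose outbound volume exceeds the threshold."""
    totals = outbound_bytes_per_host(flows)
    return sorted(host for host, sent in totals.items() if sent > threshold_bytes)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(outbound_bytes_per_host(flows))
    print(flag_exfiltration(flows, threshold_bytes=1_000_000))
```

In the constructed records, the 500 MB inbound flow and the 9 MB east-west transfer are ignored; only 10.0.2.15, which sent 1.27 MB out in three flows, is reported. A fixed byte threshold is the simplest version of this check; in practice the threshold would be a per-host baseline over a time window.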
A World of False Positives
All these challenges are compounded by the fact that traditional security solutions throw an arsenal of false positives at operations teams, wasting their time. The majority of monitoring systems send alerts for literally everything, and it's impossible for a human to keep up.
Many detection systems do raise an alert for a breach, but it goes unnoticed in the pile of previous alerts stacked up for the operator to analyze. We live in a world of false positives, which causes alert fatigue. So how are we supposed to catch the intruder? It's time to go back to the drawing board and sink our teeth into application security testing.
Online Security: Application Security Testing