Up until about 10 years ago, application security wasn’t a big deal. There were fewer exploits for application code flaws, and there was more pressure to deliver functionality than security. The problem is that it has only become a concern in the last few years, and, in the grand scheme of things, that isn’t much time to change development patterns. Some basic measures, such as controlling input lengths to prevent buffer overflows, validating the data type, and checking the data format, need to become an integral part of good programming practice, but unfortunately this still isn’t the case. Often, vendors have a hard time balancing user friendliness and functionality with security, and because of this, security suffers.
Many applications today deal with the Web, and with this development many new threats have arisen. Vandalism is an attack that usually involves replacing the graphics and titles on a web site with modified ones made by the attacker. Financial fraud becomes more common every day because of the ever-increasing number of financial transactions taking place over networks. A large reason for this fraud is the anonymity the internet provides its users, which makes it easy for them to justify or rationalize away any guilt. Unauthorized users gaining privileged access is a serious problem: once this happens, the system can no longer be trusted, because files, log data, and privilege settings could all have been tampered with. Theft of information is also a major problem, since getting into a system generally puts hackers very close to very sensitive information.
Security measures are constantly being developed to combat these issues. Aside from the measures we have already discussed, such as firewalls and intrusion detection systems (IDSs), there are a few other measures that can help with application security. Web application firewalls perform deep packet inspection of the application traffic, rather than the header-level filtering of normal firewalls. Intrusion prevention systems can actually block the attacks they identify, unlike IDSs, which can only detect them. A good way to mitigate DoS attacks is to use a SYN proxy on the firewall, which, once the number of pending connection requests reaches a certain limit, starts dropping the old requests that have never completed their handshake.
These last two paragraphs will deal with some specific threats to web environments and some malicious software that applications can be affected by. Information gathering lets hackers learn about a system from programming comments left in the source code or from information returned in search results. Companies want as little information to be public as possible, to keep hackers from gaining anything that could be used against the company. Admin interfaces can be a potential issue. Many administrators like to have the “work from home” option; the problem is that it opens up a possible entry point for attackers. If the company decides this is an acceptable risk, under no circumstances should the admin hard-code their credentials into the login page or select “remember my password” options. Authentication and access control issues include brute-force attacks on login pages. Lockout methods can be good, but they can also be turned into a denial of service against many users. HTTPS is a good way of preventing attackers from sniffing usernames and passwords off the wire. Configuration management is important because many times the system is tested without the baseline security settings that would be needed in a production environment. Also, when many applications are implemented, they still have the default admin accounts and passwords, which are well known to the hacker community, active. These need to be changed before the application is fully deployed. Input needs to be validated, as previously mentioned, and so do parameters, which are passed to the application as environment variables. With regard to session management, and just as a general rule of thumb, never send anything in clear text. If an attacker can get hold of a session ID, either by manipulation or by guessing, they then have access to that session and can perform many malicious acts.
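The lockout-versus-denial-of-service tension mentioned above, as an added example that is not part of the original post: a small Python login throttle that uses a short, escalating per-account delay instead of a hard lockout, combined with a per-source counter where brute-force traffic actually concentrates. The thresholds, addresses and account names are constructed for the example.

```python
# Added example (not from the original post).  A plain per-account lockout lets an
# attacker lock legitimate users out simply by failing logins on their behalf, so
# this throttle (a) caps the per-account penalty at a short delay and (b) blocks the
# *source* that accumulates failures across any accounts.  Thresholds are made up.
from collections import defaultdict

ACCOUNT_WINDOW = 300       # seconds of failure history kept per account
ACCOUNT_FAILS = 5          # failures before an account starts being delayed
MAX_ACCOUNT_DELAY = 60     # cap so the delay never becomes a permanent lockout
SOURCE_WINDOW = 300        # seconds of failure history kept per source address
SOURCE_FAILS = 20          # failures from one source (any accounts) before it is blocked


class LoginThrottle:
    def __init__(self):
        self.by_account = defaultdict(list)   # username -> failure timestamps
        self.by_source = defaultdict(list)    # source address -> failure timestamps

    @staticmethod
    def _recent(events, now, window):
        """Keep only timestamps still inside the sliding window."""
        return [t for t in events if now - t < window]

    def record_failure(self, username, source, now):
        self.by_account[username] = self._recent(self.by_account[username], now, ACCOUNT_WINDOW) + [now]
        self.by_source[source] = self._recent(self.by_source[source], now, SOURCE_WINDOW) + [now]

    def record_success(self, username):
        # A real login clears the account's history; the source keeps its record.
        self.by_account.pop(username, None)

    def decide(self, username, source, now):
        """Return (allowed, reason).  The source check runs first because a single
        source hammering many accounts is the brute-force pattern, while the
        account check stays gentle so a targeted user is only briefly delayed."""
        src = self._recent(self.by_source[source], now, SOURCE_WINDOW)
        if len(src) >= SOURCE_FAILS:
            return False, "source blocked"
        acct = self._recent(self.by_account[username], now, ACCOUNT_WINDOW)
        excess = len(acct) - ACCOUNT_FAILS
        if excess >= 0:
            # Escalating delay 2, 4, 8, ... seconds, capped at MAX_ACCOUNT_DELAY.
            delay = min(2 ** (excess + 1), MAX_ACCOUNT_DELAY)
            if now - acct[-1] < delay:
                return False, f"account delayed {delay}s"
        return True, "ok"
```

Because the account penalty is a capped delay rather than a lock, the legitimate owner of a targeted account gets back in within seconds, while the source generating the failures is the one that ends up blocked.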
Malicious software (malware) is any software that is intended to perform some action that is harmful to, or unwanted by, the host application or user. By this point most people are aware of most of these issues, but this paragraph will provide a brief overview of the differences between the names you might hear. Viruses are small applications or strings of code that infect applications. They rely on a host application to reproduce and on the user performing some action, such as opening an attachment. Botnets are networks of thousands of systems running a type of zombie code, which an attacker can make use of at any time. Attackers like this arrangement because it gives them a great deal of power along with the ability to generally remain anonymous. Worms are like viruses except that they are self-propagating and do not need the user to perform any action other than giving them an entrance into the system. Logic bombs are malicious software set to execute when a certain event happens or a particular date and time arrives. The Trojan horse has become very well known in the last few years. It generally acts like a legitimate program, or at least carries the name of one, all while performing some sort of malicious activity in the background. These are the major forms of malicious software out right now, but like everything else in the technology world, new forms and functions are being created all the time.