Application security more important than ever

Applications have an increasingly crucial role in our lives, yet they are also a real security threat, with hackers always finding new ways to bypass security defences. Computer Weekly looks at how organisations are responding to the challenge

Software applications play an important role in our lives. Whether it is in the home or workplace, we use them for communicating with people, staying up-to-date with the things happening in the world, keeping entertained, doing work and much more.

As an industry, apps are big money makers. Research from Statista claims the apps market will be worth $189bn by 2020. In 2017, there were 2.8 million apps available in the Google Play Store and 2.2 million in the Apple App Store, but as smartphones, tablets and other connected devices continue to advance and more people buy them, the number of apps will only increase. At the same time, thousands of web applications and sites are created daily.

But while apps continue to deliver benefits, there are also challenges. In particular, connected devices and the software they power have become lucrative targets for hackers.

They are constantly using new and existing tactics to access, steal, change and delete personal and business data. According to research from Akamai, the number of application attacks grew by 63% in 2017, while 73% of security incidents flagged by Alert Logic were application breaches.

To protect users and data, application security has become an important consideration for businesses globally. When it comes to creating and releasing an app, developers must continually monitor, fix and prevent security vulnerabilities.

The most successful techniques work across the entire lifecycle of an application, including design, development, release and upgrade. However, as the internet of things (IoT) ecosystem grows, such attacks are likely to increase. Computer Weekly looks at what companies can and should be doing to prevent them.

A security epidemic

Scott Crawford, a security analyst at 451 Research, believes security threats arise because companies are using a diverse range of applications. Often, IT and security teams just do not have the resources or time to identify and respond to attacks.

“Software vulnerabilities remain one of the primary exposures of IT to threats – and are among the most challenging problems for organisations to tackle successfully, at multiple levels. Part of the issue is that the challenge is spread across multiple domains including Cots [commercial off-the-shelf] products, bespoke applications and systems, and embedded software,” he says.

Software in each such domain may have multiple moving parts, notes Crawford. “Endpoint components as well as server-side and back-end functionality, and not infrequently logic in between, as with edge computing in IoT, for example.

“Cots suppliers have come a long way in addressing vulnerabilities in their products, but the deployment of updates often faces many hurdles in organisations. To say ‘just patch it’ reveals a profound lack of understanding of those challenges,” he says.

“Bespoke applications, meanwhile, are undergoing radical change as organisations move from traditional ‘waterfall’ approaches to development toward the more agile techniques of DevOps.”

“Software embedded in other technologies now includes multiple systems encountered in the physical realm, from sophisticated healthcare systems and industrial controls to cars, homes and everyday objects. The logic embedded in these systems may be difficult to protect, let alone update – and technology turnover may take years. Businesses must today for the security not just of tomorrow, but for several years that may be – quite literally – down the road.”

Fostering security by design

Lev Lesokhin, senior vice-president of strategy and analytics at software intelligence firm CAST, says that many application vulnerabilities are caused by architectural design flaws and that developers need to weave security techniques into the code of their apps.

“As automation and smart software become an increasingly large part of IT systems across several industries, the way these machines are programmed needs to be carefully analysed,” he says.

“If developers do not pay attention to the code they write for these systems, the effects could be far-reaching. A chatbot that is not responsive and intuitive is useless. Code added to artificial intelligence may have the prejudice of its developers. The risks are endless.”

Security is an essential requirement for any type of digital business, says Lesokhin. “In a sense, it’s a hygiene factor. It must be present, although it seldom contributes directly to the primary business functionality of the system. However, poorly-chosen security approaches can certainly impede usability and efficiency.

“An organisation's overall approach to security (involving culture, technology and processes) can have a major impact on its agility and, hence, ability to innovate in digital business. The best security organisations see their job as making innovation safe – an attitude that is very supportive of digital business initiatives.”


David Smith, chief information security officer at forensic data software firm Nuix, says many hackers are tapping into existing techniques to compromise badly designed applications.

“We are still seeing a lot of the same techniques to hack applications as we have previously seen,” he says. “For example, buffer overflows, along with poor coding still remain two of the biggest application security issues. In addition, we have found many organisations are still not applying encryption very well.

“The US has a governmental standard for encryption, which ensures the encryption is being put in place correctly,” says Smith. “Many are not applying this properly, which results in applications with flawed security.”

Another technique commonly used by hackers trying to get around application security is called fuzzing. “Its power is in its simplicity,” says Smith.

“Any time there is an opportunity to enter information, hackers will try entering non-expected information to find a loophole. For example, if a field is asking you for a UK postal code, hackers may try entering more characters than what is expected, and if the program is coded poorly, it may let them in. This works more often than you may think.”
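The postcode example above, as an added illustration that is not from the article or from Nuix: a permissive check of the kind Smith describes next to an allow-list check that bounds length and shape, and a small constructed fuzz corpus of "non-expected information" run through both. The postcode pattern is a simplified, assumed shape, not the full UK format rules.

```python
import random
import re
import string

# Simplified UK postcode shape (outward code, optional space, inward code).
# Assumed for illustration; the real rules have more exceptions.
POSTCODE_RE = re.compile(r"[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}")
MAX_LEN = 8  # longest well-formed value with one space, e.g. "EC1A 1BB"


def naive_accepts(value: str) -> bool:
    """Permissive check: only asks that something was typed, so over-long
    or unexpected input passes straight through to the rest of the program."""
    return len(value.strip()) > 0


def strict_accepts(value: str) -> bool:
    """Allow-list check: reject anything over the length bound before doing
    any parsing, then require the whole value to match the expected shape."""
    if not isinstance(value, str) or len(value) > MAX_LEN:
        return False
    normalised = " ".join(value.split()).upper()  # collapse stray whitespace
    return POSTCODE_RE.fullmatch(normalised) is not None


def fuzz_inputs(seed: int = 1, count: int = 200) -> list:
    """Constructed corpus: an over-long value, injection-style text, format
    specifiers, NUL bytes, whitespace and seeded random junk of varying length."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + string.punctuation + " \t\n\x00é"
    cases = ["A" * 5000, "SW1A 2AA; DROP TABLE users", "%s%s%n", "\x00\x00", " "]
    for _ in range(count):
        cases.append("".join(rng.choice(alphabet) for _ in range(rng.randint(0, 64))))
    return cases


def fuzz_report(checker) -> dict:
    """Run a checker over the corpus and count how much it lets through."""
    cases = fuzz_inputs()
    accepted = [c for c in cases if checker(c)]
    return {"total": len(cases), "accepted": len(accepted)}


if __name__ == "__main__":
    print("naive :", fuzz_report(naive_accepts))
    print("strict:", fuzz_report(strict_accepts))
```

The strict checker still accepts well-formed values such as "EC1A 1BB" or "m1 1ae", while the naive one accepts almost the entire fuzz corpus.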

Application security threats

Alex Ayers, head of application security, Tax & Accounting, Wolters Kluwer UK, says the rise of technologies such as artificial intelligence (AI) and the internet of things (IoT) will add to application security threats.

“While many application security failures are due to well-known threats, there are always attack vectors or ways of using known exploits,” he says. “The commoditisation of AI, machine learning and hacking as a service [HaaS] greatly increases the risk to running applications with easily discoverable and well-known vulnerabilities. The ongoing inability to bring cyber criminals to justice does nothing to deter increasingly sophisticated attacks, potentially bolstered by the availability of sophisticated tools developed by government agencies.”

However, while there are plenty of ways companies and IT managers can prevent such threats, Ayers believes that they need to be underpinned by strong industry standards and investment.

“Technology is evolving along with the threat landscape,” he says. “Firewalling technology is advancing and can provide the ability to rapidly mitigate new threats. Tools to protect applications at runtime are becoming more popular and development frameworks, such as Angular, are building in protection against common vulnerability classes.”

But Ayers cautions that tooling is of limited use without the standards, policy and practices to ensure that it is being used effectively. “Projects such as OWASP SAMM and BSIMM enable organisations to consistently and reliably measure and improve the security of their software,” he says. “It is not for want of information, tools or techniques that applications are vulnerable to long-term and upcoming threats.”

Combating threats is less a technical challenge than a management one, according to Ayers. “It is easy for organisations to talk good security, but the resilience of applications will always significantly lag threats unless there is investment in implementing processes for measuring, improving and embedding security within the development pipeline.”

Recovery plans

Omid Shiraji, chief information officer of Camden Council, agrees that application security threats are always evolving. He believes that companies and technology teams should develop and implement sophisticated recovery plans to respond to hack attempts.

“We see the current threat vectors evolving so fast and malware becoming increasingly complex,” he says. “In a world where your fridge or lightbulb may be a method of attack, you’ll never be able to build a wall high enough to keep the bad guys out. The investment for UK organisations should be on recovery rather than protection.”

Educating UK boardrooms about the complexity of modern day threats, pragmatically and without scaremongering, is a key role for the technology and data leader, says Shiraji. “More chief information and chief data officers sitting on boards will help keep cyber awareness as a key organisational priority and protect and strengthen an organisation's reputation.”

Cyber criminals are continually coming up with new ways to compromise application infrastructure. Mark Hill, chief information officer at Frank Recruitment Group, says firms should be aware of fraud and hack attempts targeting employees.

“The threat from cyber crime is growing and the perpetrators are no longer using basic ‘spray and pray’ techniques. The lack of inter-government cooperation, and the belief that cyber crime is without risk, is simply fuelling this trend,” he says.

“Frank Recruitment Group takes the emerging security threats very seriously. We strive to continuously improve all of the defences and application defences to protect both our company and our customers’ data. The key threat we see today is in the extensive and targeted use of confidence scams, which try to trick unwitting employees into handing over some form of data or access to systems.”

Digital transformation

To identify and respond to threats, the recruitment firm has undergone a digital transformation drive. “We work closely with our staff to continually raise the awareness of security threats,” he says.

“We only work with Tier-1 cloud applications providers with multi-factor authentication mechanisms, who themselves invest very heavily in security, to a level much more than we could ever realistically afford to do, much the same as any sensible mid-sized business.”

Clearly, the number of applications used by the general public and business world is not going to stop growing anytime soon. But the same thing could be said for hack attempts.

Although hackers are still using existing methods to gain access to applications and steal data, they are also generating new ways to stay under the radar and bypass security systems. Because of this, firms and IT managers need to take proactive and consistent measures to prevent and minimise damage.
