My buddy, Jim Broome over at DirectDefense, wrote a great blog series, “Security that Works: Even on a Budget.” Two posts are up so far: the first covers “Hacking Attempts” and the second focuses on “Malware.” I wanted to highlight and comment on the “Hacking Attempts” post as it relates to application security.
Security is a complex problem, one that requires the right people, the right technology and the right process. At NT OBJECTives, our focus is on building the most automated and repeatable technology for application and web scanning. This DirectDefense post outlines the process and technologies you can use to address the most common security issues.
Security That Works, Even on a Budget – Part 1 – Hacking Attempts:
There are many reports, presentations and research papers on new types of hacks and breaches. The two main causes of most of these breaches are hacking attempts and malware.
DirectDefense analyzed these reports and leveraged their knowledge from performing penetration tests for more than 15 years to create a list of the common techniques they use to break into companies, along with specific practices you can implement to address these types of threats at your organization.
In their consulting work, DirectDefense constantly gains unauthorized access due to the following issues:
- Patching Vulnerabilities (in the OS, database and applications)
- Configuration Vulnerabilities (default settings, default content & misconfiguration)
- Passwords (default passwords or weak passwords)
- Application Vulnerabilities (Injection attacks, like SQL Injection, Command Injection and business logic vulnerabilities)
As DirectDefense accurately points out, none of these vulnerabilities are new. As an industry, we’ve been talking about patch and configuration management, password management, SQL Injection, the OWASP Top 10 and more for more than 10 years. The same vulnerabilities keep popping up in new technologies and attack vectors, just like Where’s Waldo. This is something I have spent a lot of time researching over the last six months or so. We recently released a new paper summarizing our research, The Widening Web Application Security Scanner Coverage Gap, which outlines the latest attack vectors (such as mobile back-ends, JSON, AJAX, and complex sequences like shopping carts) and how you can identify weaknesses in them.
The following high-level approach is outlined in more detail in DirectDefense’s original post.
1. Identify your assets.
- What they are running on
- What type of data they store
- Prioritize based on risk
2. Patch your Systems. Review your patch management strategy and improve it according to the recommendations listed.
3. Learn to Harden Your Systems. Make sure all applications are configured and hardened once they are in production.
4. Test yourself and fix any problems. Be sure to know where your vulnerabilities are by using network and application scanning tools. There are plenty of inexpensive application scanners and tools, but be sure you know what they find and what they don’t find. Our application security software, NTOSpider, is designed to find the most vulnerabilities possible through automation.
Once you find vulnerabilities, begin remediating them.
5. Repeat the cycle. Security requires continuous attention and re-assessment. We recommend assessing every application quarterly at a minimum.
If you are able to implement the process outlined above with a solid team and the right technology, you will reduce the number of hacking attempts on your applications.