
May 6, 2016

Hacking To Build Secure Apps

by Doug Klugh

If recent headlines aren’t enough to convince you of the importance of security, consider how much time and money your company will spend in response to a data breach, and the damage it will cause to your company’s brand and reputation.  Some larger companies have spent over a billion dollars recovering from a hack that only lasted a few minutes.  Chances are pretty good that your company does a significant amount of business on the web, and it is critical that your web applications are written to defend against amateur and professional hackers.  Anyone in the world, with an internet connection and a little bit of knowledge, can bring your business to its knees in a matter of minutes and impact your company for years to come.  And in many cases, the code you write will be the last line of defense in protecting your company from devastating losses.

We Have a Problem

According to the Verizon 2015 Data Breach Investigations Report, 99.9% of the exploited vulnerabilities were compromised more than a year after the corresponding Common Vulnerabilities and Exposures (CVE) entries were published.  This suggests that nearly every website on the internet is susceptible to known vulnerabilities.  The fact is, anyone can go to a number of websites, such as cve.mitre.org, and browse a vast, public list of known vulnerabilities across a variety of servers, operating systems, and platforms.  Other websites, such as shodan.io, will show you specifically which systems, websites, and even Internet of Things (IoT) devices are susceptible to these security gaps.  If you don’t fully understand how hackers can easily discover and gain access to your applications, web services, and databases, you will not be able to effectively defend against them.

It Takes a Hacker to Beat a Hacker

So where do you start to defend your applications from malicious attacks?  You start by becoming a hacker.  No…  you should not tune your hacking skills by breaking into corporate or government systems, but you need to know how to do it.  As a software developer, you should have the skills of a hacker.  The only way to defend your software from malicious hackers is by knowing exactly how they bypass various security measures.  You need to know how hackers perform reconnaissance, how they find vulnerabilities in different systems, and how they exploit those weaknesses.  If you don’t know how hackers do it, you will never be able to defend against cyber attacks.

Effective security does not happen by accident.  And don’t be so naïve as to think that security is included in your platform or framework.  Security must be a requirement; you must design for it, you must implement it, and you must validate it.  It is a cross-cutting concern that must be pursued throughout the entire software development lifecycle.  And if you’re doing Agile development, security requirements should be part of your default acceptance criteria for every user story.

Attack Vectors

There are common methods that make it quite easy to manipulate web applications as channels to data breaches or Denial of Service (DoS) attacks.  Session hijacking, SQL Injection attacks, and Cross Site Scripting (XSS) attacks are relatively quick and easy to perform.  These attacks can be initiated by manipulating URLs (including query strings and routes), response headers (including cookies), response bodies, HTTP verbs, and third-party web services.  These are all sources of untrusted data and should always be treated as such.  Data and source validation should always be performed to intercept malicious attacks.
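To make the point about untrusted data concrete, here is an added example (not code from the original article) that puts a query built by string concatenation beside a validated, parameterized one, and shows output encoding for values echoed into HTML. The table, the function names, and the user-name pattern are assumptions made for the illustration.

```python
import html
import re
import sqlite3

def make_db():
    # Constructed sample data held in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

def lookup_unsafe(db, name):
    # Vulnerable: the untrusted value becomes part of the SQL text itself,
    # so quote characters in it change the meaning of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

# Assumed policy for this example: short alphanumeric user names only.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def lookup_safe(db, name):
    # Validate against an allow-list first, then bind the value as a
    # parameter so the driver never interprets it as SQL.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def render_greeting(name):
    # Encode on output so markup in the value is displayed, not executed.
    return "<p>Hello, " + html.escape(name) + "</p>"

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"          # constructed query-string value
    print(lookup_unsafe(db, crafted))  # every row comes back
    print(lookup_safe(db, "alice"))    # only the requested row
    print(render_greeting("<script>alert(1)</script>"))
```

The same crafted value that returns every row from the concatenated query is rejected by the validated version before it reaches the database.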

API Security

While many organizations focus their security on servers and applications, web services often get overlooked.  As the number of mobile applications grows at a phenomenal rate, web services are growing even faster.  Web APIs provide a great way to deliver data and functionality to desktop and web applications, mobile apps, embedded systems, and IoT devices.  Many organizations think that, because APIs are “hidden” from the user, especially on mobile apps or IoT devices, security is not as important, or perhaps not needed at all.

The fact is that Application Programming Interfaces (APIs) are very easy to discover, and the traffic (data) to and from these APIs is also quite easy to capture, especially for mobile apps.  Someone with a little bit of knowledge, a laptop, and a Wi-Fi connection to the internet can set up an HTTP proxy in less than a minute to intercept all traffic (including data) going in and out of any web app running on iOS, Android, or Windows.  And for IoT devices, such as refrigerators, bathroom scales, thermostats, door locks, and even automobiles, it’s as easy as establishing a Man-in-the-Middle (MITM) attack using, for example, ARP poisoning to intercept the traffic going between an IoT device and the internet.  And once these APIs are discovered, they can often be used to manipulate these devices to do things the hacker wants them to do (such as unlock a door to a car or a house).

Never assume that APIs cannot be discovered.  It’s actually quite easy.  And never send more data through an API than what is needed.  One small piece of data may not seem like a security risk, but when you combine it with other vulnerabilities, it may be just enough to launch an attack.  Besides, the less data you send, the more bandwidth you’ll save on your network, and on the user’s network.
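One way to enforce "never send more data than what is needed" is to build every API response from an explicit per-view field allow-list instead of serializing the whole stored record. The following is an added example, not code from the original article; the view names, field names, and sample record are hypothetical.

```python
# Fields each API view is allowed to return (hypothetical views and fields).
# Dotted paths allow-list a single field inside a nested object.
VIEWS = {
    "public_profile": {"id", "display_name"},
    "own_account": {"id", "display_name", "email", "address.city"},
}

def project(record, view):
    """Return only the fields allow-listed for the view.

    A view with no allow-list fails closed instead of returning everything.
    """
    allowed = VIEWS.get(view)
    if allowed is None:
        raise KeyError("no field allow-list defined for view: " + view)
    return _pick(record, allowed, "")

def _pick(obj, allowed, prefix):
    out = {}
    for key, value in obj.items():
        path = prefix + key
        if path in allowed:
            out[key] = value
        elif isinstance(value, dict):
            # Descend only to collect nested fields that are allow-listed.
            nested = _pick(value, allowed, path + ".")
            if nested:
                out[key] = nested
    return out

# Constructed sample record, as it might be stored server-side.
SAMPLE_USER = {
    "id": 42,
    "display_name": "Alice",
    "email": "alice@example.com",
    "password_hash": "<constructed placeholder>",
    "is_admin": False,
    "address": {"city": "Portland", "street": "1 Example St"},
}

if __name__ == "__main__":
    print(project(SAMPLE_USER, "public_profile"))
    print(project(SAMPLE_USER, "own_account"))
```

A field added to the stored record later stays out of every response until someone deliberately adds it to an allow-list.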

Conclusion

Most people (companies and organizations) don’t give security much thought until they become a victim.  If they understood how easy it is to compromise a software system and the impact it could have on the company’s bank account, brand, and reputation, I guarantee they would give it much more attention than they do.  Having worked at a variety of large and small companies, I have noticed that technology companies understand this risk better than most.  As a Security Champion at Intel, I led efforts to ensure that their products are developed from the ground up with security in mind.  This is a strategy that all companies should follow to help mitigate the risk of cyber attacks, and these are tactics that you should follow as a software developer.
