Application Security – are we really secure?

Security - Protected or Trapped?

Some might say that the digital revolution of the past two decades has taken us by surprise. The speed at which the Internet of Things (IoT) has grown, almost of its own accord, has led to an incredible, if not worrying, level of dependency on applications for personal and business use. With almost every aspect of our lives now digital, we are more exposed to attack than ever.

Applications are everywhere. Literally everywhere.

Every program we use at work, app on our phone or online service we use for personal or business purposes requires some level of security.

Take mobile applications, for example. Their open platforms, together with the freedom to install and remove whatever the user likes, put almost no limit on what runs on a device. The frequency of attacks has increased over the last decade, with corporate and user data most at risk, and the likelihood of attack has risen as that data has become more valuable.

Unrestricted access to device resources and APIs by unknown apps from untrusted sources is on the rise. Now more than ever, application security is a vital part of application development and deployment. The question we all ask when we hear of another cyberattack: are companies and developers willing to increase their security budgets? And if so, can they deter attacks without degrading the user experience?

The illusion of security

In 1980s communist East Germany, every typewriter owned by an individual or a company had to be registered, and a sample of its output submitted to the authorities so that they could trace who wrote what. Some might say this was done to keep an eye on propaganda and stave off any potential revolt.

Others say it was done to guarantee the authenticity of a writer's identity and to protect one's writing, whether personal or business: no one could impersonate you to steal from you or from others without repercussions.

What do you think? Keeping out the bad guys who want to steal your information and get up to no good, or keeping you trapped, using the illusion of security to obtain your data and use it as a weapon or a currency?

Whether your focus is web or desktop software, application development has a number of fundamental stages. The SDLC (software development life cycle) varies slightly from project to project, but essentials such as the design, development and testing phases remain. The same cannot be said for security testing, which varies tremendously from project to project depending on budget and on the resources and skills of the developers.

A typical application can easily run to hundreds of thousands of lines of code. How secure it is depends on how capable your development team is at coding with every risk in mind, which means running security tests throughout every phase of development. That is easier said than done for most teams.

Running security reviews throughout development is essential to ensuring your product is ready for use. White-box testing, black-box testing and design reviews are all recommended, but are they enough?

Vulnerability scanners and penetration-testing tools are strong measures when coupled with the above, though they find weaknesses rather than prevent them. Having developers, or a dedicated team, intentionally and ethically attempt to break into your application tests your security in a dynamic and effective way. But what if a new threat came along that could override and overpower whatever security you have?

Protecting ourselves, those closest to us and our possessions is natural. We install the strongest locks on our doors at home, the strongest windows we can afford and the best CCTV on our premises. But what if the conventional routes of intrusion were no longer the attacker's preferred path? What if they dug in through the floor, or tried their luck at the roof? To protect every possible weakness, we must first think like an attacker. If all traditional routes of entry are protected, how else could I get into this property? Flood part of it via the plumbing, forcing a temporary lapse in security so that a plumber has to be let in? Tamper with the electricity supply? Why not take a bulldozer and drive through one of the walls? Sometimes the simplest forms of attack are the ones overlooked.

Conventional application security may work most of the time today, but what about the future? Should we wait for a successful attack that compromises company and client data before analyzing what went wrong? We cannot prevent what has already happened, but we can prepare for what might.

Imagine application security that was dynamic and used attack as its first line of defense.

Are we entering an era in which artificial intelligence (AI) will be a standard form of application security? And what if that AI could itself be manipulated?

What next?

Data is power.

The information you enter into the applications you use is worth its weight in gold. Your life savings sit behind a ten-character password that, if weak, can be cracked with readily available software. Should you forget it, you are asked a series of standard security questions to recover access:

  1. What is the name of your pet?
  2. What was the name of your high school?
  3. Where were you born?

A few minutes snooping around your social media can give a cybercriminal everything needed to answer those questions, reset your credentials and empty your accounts.

Better yet, your bank account is protected by a four-digit PIN that an eagle-eyed passer-by can memorize as you type it at an ATM, with your card then stolen from your wallet during a momentary lapse of vigilance in public.

Are the current security measures for the fundamental applications we use every day really enough? Should we be looking at stronger measures? Could biometrics in place of passwords, or retina scanners in public, be the next step?

No one person, organization or government is immune to attack. The fact that we are online and using applications on a daily basis means we are all always at risk.

Some industries, notably the financial sector, have been leading the way in application security. The cost of a successful attack far outweighs the investment in security and precaution, and financial institutions are known to invest heavily in security at every level.

Losing data means losing money.

Losing money means losing power.

The healthcare industry has been slower to react to the rising threat of cyberattack. With budgets already stretched by patient care, investment in cybersecurity has not been sufficient to stave off attacks. Take the global ransomware attack of May 2017 (WannaCry), whose highest-profile victim was the NHS in the UK. Questions were asked about how secure its infrastructure was after tens of thousands of computers were locked, operations cancelled and patient records made unavailable.

The exploit used in that attack (EternalBlue) had been developed by the US National Security Agency (NSA), stolen from it and published by a group calling itself the Shadow Brokers a month before the outbreak.

Elephant in the room time…

Why has protection against this level of technology and cyber attack not been provided to the general public or at least government entities such as the health services?

The software used in the attack exploited a vulnerability in the SMBv1 file-sharing protocol in Windows. Microsoft had already released a patch for it (MS17-010) two months earlier, in March 2017; systems that had applied it were not affected, and after the outbreak Microsoft also issued emergency patches for unsupported versions such as Windows XP. The fix existed; it simply had not been applied. Why haven't global security authorities been working with software developers to ensure the public's data and livelihoods stay safe? Would such a partnership upset the equilibrium of good versus evil, resulting in lower profits for the software companies hired to fix these issues?
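As an added example that is not part of the original post, here is the check a Windows administrator would run to confirm a host is not exposed to that flaw: the SMBv1 protocol the exploit targets should be disabled, and a March 2017 or later security update applied. The KB numbers listed are the March 2017 MS17-010 updates for Windows 7 / Server 2008 R2 and Windows 8.1 / Server 2012 R2; later cumulative rollups supersede them, so their absence alone does not prove a host is unpatched.

```powershell
# Added example: confirm a host is not exposed to the SMBv1 flaw behind the
# May 2017 outbreak (MS17-010). Run in an elevated PowerShell session on
# Windows 8 / Server 2012 or later (Get-SmbServerConfiguration is not
# available on Windows 7 / Server 2008 R2; use the Get-HotFix check alone there).

# 1. Is the SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED - this is the protocol the exploit targets."
} else {
    Write-Output "SMBv1 server is disabled."
}

# 2. Is one of the March 2017 MS17-010 updates present?
#    Win7/2008R2:   KB4012212 (security-only), KB4012215 (monthly rollup)
#    Win8.1/2012R2: KB4012213 (security-only), KB4012216 (monthly rollup)
#    Caveat: later monthly rollups are cumulative and supersede these, so a
#    fully patched host may show none of them. Treat "not found" as
#    "check the latest installed rollup", not as "vulnerable".
$ms17010 = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    $found | Select-Object HotFixID, InstalledOn
} else {
    Write-Warning "No March 2017 MS17-010 KB found; verify a later cumulative update is installed."
}

# 3. Remediation: turn SMBv1 off. The exploit needs it, and modern clients
#    negotiate SMBv2/3. Uncomment to apply; Disable-WindowsOptionalFeature
#    needs a restart before the removal is complete.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Disabling SMBv1 is the durable fix: it removes the attack surface even on hosts whose patch state you cannot easily verify, and it also blocks TCP/445 from being a useful entry point for the next exploit of the same protocol.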

Cybercriminals hacking for personal (usually financial) gain, hacktivists attacking to spread a message, governments attacking other nations to gather intelligence: it is happening all around us, often by those we least expect.

Most of us have fallen victim to some form of attack through a weakness in the security of an application we rely on. Maybe the extent to which we rely on these applications, and the amount of sensitive data we put into them, is what has driven the rise in attacks over the past two decades.

Everything we now do is online and done through an application. Are we to blame for attracting such high levels of cybercrime?

Whatever happens, we can be sure to see significant developments in how we use applications, and in the security behind them, over the coming years.

What are your thoughts on what was, what’s happening and what could be?