Web and Mobile Applications Bring a Heightened Need for Security Measures
By Thayer Tate
In a world where online applications are an indelible part of software development, cybersecurity risks are a given. And if a breach sidelines your company, you lose time and resources as you right the issue.
Recent Check Point Research numbers reflect a 50% global rise in weekly cyberattacks on corporate networks from second quarter 2020 to fourth quarter 2021. And, according to IBM’s annual 2022 Cost of Data Breach Report, of the 550 organizations researchers interviewed, 83% had experienced more than one data breach with 60% of these instances resulting in price increases that organizations then shifted to customers. In 2022, according to the IBM report, the average data breach cost for critical infrastructure organizations, including those in the technology sector, was $4.82 million.
Comprehensively engaged security automation and AI saved organizations significant money, however. IBM’s report holds that in the face of data breaches, organizations saw average savings of $3.05 million over entities without similar protections in place. As the old saying goes “an ounce of prevention is worth a pound of cure.” And nowhere is that simple wisdom more applicable than the process of fortifying applications against future susceptibility. Below are the most common types of applications enterprises create today, along with some of the most common attack vectors they experience.
Web Application Vulnerabilities
Publishing any external-facing web application with internet accessibility will create opportunities for cyber attacks. Many organizations have come to rely on such applications to run day-to-day business with two of the most common being:
- Customer-facing websites like ecommerce sites where users can shop through a product catalog and place orders for delivery to their homes: These sites display real-time availability of products, and they allow instant payment transactions with users’ credit cards resulting in inventory decrements based on closed orders.
- Internal-facing business applications, such as order fulfillment systems, which receive orders sold through retail locations, websites or call centers: Internal employees use these applications to check inventory and enter orders in a process that extends through shipping, along with printing of packing slips and scanning of the product onto delivery trucks.
When building and deploying a web application, it’s important to consider application security and evaluate any vulnerabilities your internal data and operations may be exposed to. Below are some common attack vectors hackers may use to infiltrate a web application:
- Sniffing data as it travels between users’ browsers and the web server.
- Identifying API calls between browser and server and then using those calls to programmatically steal data in volume.
- Server attacks through open/unprotected server ports on the web server.
- Repetitive, programmatic attacks to test possible passwords for a target user account.
- Denial of service attacks overload a server and cause disruptions — these attacks sometimes come with other data hacks to hide or prolong access to a server.
- Backdoor attacks through operating system or infrastructure vulnerabilities.
Execution of script or SQL statements through application forms when not protected from injection attacks.
Mobile Application Vulnerabilities
Applications built for mobile platforms may also have vulnerabilities. When building and deploying a mobile app through the Apple App Store and Google Play Store, hackers may utilize the following attack vectors:
- Reverse engineering attacks that attempt to understand code-level application functions with subsequent searches for vulnerabilities, such as how to call the API outside of the app to steal data or inject bad data into the system. Reverse engineering efforts may use app decryption or network analysis.
- Credential theft via stolen login credentials and subsequent application access to gain information about a user or make purchases on their behalf. For financial applications, protection beyond login credentials is important. Plan to track users’ behavior variances, even when they appear to access the system legitimately, and put in place additional protections like validation of the equipment on which the app is running.
- Running the mobile application on a rooted device: This action grants hackers greater access to a mobile application.
- Mobile hacking efforts could include malicious inputs like SQL injection, inspection of local files the application stores and local connection to an on-device SQLite database to look at data. Encrypting all locally stored data can help protect the data, barring the presence of vulnerabilities in protection for API key chains and details around encryption.
- Using network sniffers to inspect network traffic and transport layer protections: This is a key method for sniffing out vulnerabilities like session IDs exposed in GET methods, along with API keys in inaccessible folders and authentication vulnerabilities in the absence of properly implemented SSL/TLS.
Installed Client Application Vulnerabilities
When applications need to work offline or offer specific features that don’t work well in web and mobile environments, enterprises may choose an installable client application. In this instance, staff members download and install an application on their personal Windows or Mac computers. Some common attack vectors for this type of application include:
- Monitoring for sensitive data exposure like data in memory, application logs with sensitive info or files with important information.
- Injection attacks like SQL injection, operating system commands, XML configuration strings or LDAP commands.
- Authentication and session management hacking that can result in access to the device, drives or network file shared through mismanaged applications authentication.
- Exploitation of vulnerabilities created through improper cryptography implementation like outdated crypto algorithms and reuse of crypto parameters.
- Insecure communications with server or cloud-based backends, including weak TLS ciphers/protocols, unencrypted DB queries in transit or unencrypted http or MQTT traffic.
- Use of open source libraries, worsened further when the application is set to auto-update libraries with new releases.
Protecting your software
There’s no one-size-fits-all approach to hardening or protecting applications. Every component of an application’s architecture has unique security vulnerabilities, and each application and its individual components should undergo evaluation if the application has private information about users, customers, employees or company dealings or if it facilitates private transactions. A security review of application architecture prior to implementation — or even retroactively for existing applications — is key in minimizing security risk up front and putting protections in place as the app is being designed and built. Even with a security review, an app should go through a battery of security penetration tests. Rarely are engineers up to date with the latest security vulnerabilities, and testing is the best way to catch issues that might otherwise escape notice.
According to the IBM report, organizations in later stages of security implementation fared better at containing data breaches. For these enterprises, the duration of these breaches lasted, on average, 40 fewer days than the 277-day global average and 64 fewer days than those at organizations in the earlier stages of securing their systems.
Meeting with a software solutions team for an evaluation is the first step toward making sure your company falls in the secure category. Take initiative now, and you could very well keep a security issue from sidelining your operations in the long run.
Thayer Tate
Chief Technology OfficerThayer is the Chief Technology Officer at SOLTECH, bringing over 20 years of experience in technology and consulting to his role. Throughout his career, Thayer has focused on successfully implementing and delivering projects of all sizes. He began his journey in the technology industry with renowned consulting firms like PricewaterhouseCoopers and IBM, where he gained valuable insights into handling complex challenges faced by large enterprises and developed detailed implementation methodologies.
Thayer’s expertise expanded as he obtained his Project Management Professional (PMP) certification and joined SOLTECH, an Atlanta-based technology firm specializing in custom software development, Technology Consulting and IT staffing. During his tenure at SOLTECH, Thayer honed his skills by managing the design and development of numerous projects, eventually assuming executive responsibility for leading the technical direction of SOLTECH’s software solutions.
As a thought leader and industry expert, Thayer writes articles on technology strategy and planning, software development, project implementation, and technology integration. Thayer’s aim is to empower readers with practical insights and actionable advice based on his extensive experience.