/apr 9, 2015

Security Vulnerabilities: 3 Points of Entry and How to Lock Them Down

By Evan Wade

Not even the best fence in the world is secure if you leave a gate hanging open. In a lot of ways, that basic idea sums up why most security vulnerabilities start with perpetrators finding relatively small security oversights. Attackers prefer the path of least resistance, and getting a proverbial foot (or even just a toe) in the door can allow them to leapfrog toward things they never would've been able to access otherwise.

Although security vulnerabilities can come in endless shapes and sizes, the good news is the crucial first steps attackers use to exploit them often come from a few specific areas. Here's a look at three popular points of entry, the ways in which shady characters can abuse them, and what you can do to keep them locked down:

1. User Input Areas

It's easy to see why user input areas such as forms (think registration pages and login areas) can cause headaches for security-minded developers: They let users directly interface with the servers behind websites and apps, vastly expanding the options available to data thieves and other less-than-savory types — assuming those input fields aren't properly secured, of course.

What does "properly secured" mean in this context? Lots of things, most of them far too lengthy and technical to cover in a single blog post. But the best high-level advice comes down to limiting how users can interact with the input areas they use, including disallowing excessive input (which limits the code attackers can potentially inject) and certain special characters (which can be used in that code), for example.

When two of the most popular security vulnerabilities around (namely SQL injection and cross-site scripting) rely on user input forms to work, you know they're a serious point of concern. If your users can enter text somewhere, make sure it's handled securely; if not, you can bet someone will find the problem for you sooner or later — and that's never good.

2. Legacy Sites and Apps

Technology is always improving, but that means it's also always becoming obsolete. From a security standpoint, that makes proper maintenance of "legacy" sites and apps (things like old marketing/promotional sites, outmoded employee web apps and so on) a critical security step. Even top-of-the-line security measures are eventually overcome, and you can't update your app perimeter if nobody remembers all the points of entry.

Take a look at Bell Canada's recent issues. Hacktivist group NullCrew didn't need anything special to breach a ton of customer data. Instead, they took advantage of the telecommunication company's decaying perimeter (partially built using a programming language that'd been dead for almost 12 years at the time of the attack), applying old-school tricks to access very new, very important — and very sensitive, if you're a Bell customer — data.

The key to avoiding this security vulnerability largely comes down to awareness and using thorough documentation and automated scanning solutions to ensure every inch of your application perimeter is secure. The same goes for any companies yours might absorb. Just because your employees and customers aren't using something, doesn't mean attackers aren't.

3. Third-Party Components

Ensuring third-party vendors and off-the-shelf software components adhere to the same security standards as your first-party pieces is a never-ending challenge. Much of the problem here comes down to the aforementioned "leapfrogging": By gaining access to some aspect of a connected third-party product or service (a database on a poorly secured server, for instance), attackers can use the information they gain to attack bigger, more secure first-party targets.

Fortunately, options to secure third-party offerings are highly varied and hugely scalable. If you're using off-the-shelf pieces or working with a vendor who doesn't provide code, static analysis allows thorough scanning without the need to see the source. If you're worried about a vendor's overall approach to security, programs such as VAST take the reins for you, providing expert advice and administration. From there the list goes on.

By definition, first parties can't exert as much control over vendors and third-party products as they do their own developers, but that doesn't mean those products need to be any less secure. The whole point of proper security is eliminating every weak point — irate customers won't turn to your vendors when a breach does happen, after all.

Lock the Gate

Security vulnerabilities rarely start with difficult, highly technical exploits. Instead, it's the small cracks that turn into gaping holes. By eliminating minor issues, you're not only preventing small annoyances from running your company's day, but you're also stopping the big-time breaches and large-scale thefts that can seriously damage a company's name, standing and bottom line. In other words, do sweat the small stuff, and don't be afraid to ask for help if you need it.


Related Posts

By Evan Wade

Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, give him unique insight into the world of mobile/Web security and the steps needed to properly secure software products. Follow him on Twitter.