Security is a game of advancements. All too often, the adversarial relationship between attackers and defenders pushes that game to a breakneck pace. Whichever side is on the leading edge of the technological curve won't have an advantage for long.
While this dynamic can spur organizations to be consistently vigilant, at least on the white hat side, it can also lead to the assumption that a company's security efforts at the application layer should start and stop at the newest pieces in its portfolio. Think of it as an "if it ain't broke, don't fix it" mind-set gone wrong. There's nothing wrong with using legacy software if it gets the job done, but failing to keep security measures consistent and up to date across the entire application layer is asking for trouble.
A CA Veracode case study, entitled "A State Government Protects Citizen Data by Securing Applications," illustrates this point on a very large scale. Spurred by pressure from citizens and internal concerns regarding compliance with regulatory mandates like the Health Insurance Portability and Accountability Act, the state government described in the paper could have attempted any number of measures to secure its data and systems from breaches.
The primary goal handed down from the state chief technology officer didn't involve "legacy system modernization [or improvements to] data warehousing," the paper says, though those measures did play into the state's overall plan. Instead, the state hardened against the vector that attackers choose most frequently by making the application layer its number one focus.
The shift in focus worked in a big way. The state government was able to identify and resolve some 28,000 vulnerabilities in its once-tangled application layer, the paper explains, bringing 77 percent of applications into compliance with newly mandated security rules in the process. Compared to the costs and other growing pains associated with overhauling systems, the new measures gave the government a best-of-both-worlds result: it could stick with existing software and the end-user processes built around it without trading away security or quality.
Those numbers are eye-opening enough, as was CA Veracode's ability to both define and secure an application layer touching countless levels of an entire state government's operations. But for businesses looking to strengthen perimeters, the part about the layer's status as a popular attack vector is perhaps the biggest call to action.
Generally speaking, attackers take the path of least resistance when attempting a breach, and the application layer is exactly that. Increasingly popular enterprise policies such as bring-your-own-device (BYOD) and single sign-on (SSO), combined with the historic and still growing proliferation of mobile devices in business and personal settings, make it a prime target.
Perhaps more troubling is the fact that even a small flaw in one application can serve as a springboard for bigger, more destructive breaches. In the state government's case, an attacker gaining access through a single such flaw could have carried out mass theft of sensitive data such as names, addresses and Social Security numbers, a threat that loomed over the heads of employees and the state's residents alike. In the private sector, employees, customers and even third-party partners could suffer damages in the event of an attack.
The How and the Why
How do legacy applications play into this process? Simply put, they're potentially the riskiest properties in a company's perimeter. Besides the attacks they were susceptible to when first deployed (flaws a security-minded company will likely have fixed in subsequent offerings), they are also exposed to new attacks, not to mention new variations on old methods.
Though it's old in tech terms and thankfully resolved today, the discovery of the Heartbleed exploit shows how old apps can fall victim to new techniques. For a while, almost every app using the SSL and TLS protocols was at risk; given the affected code's open-source nature and its use in countless applications, the bug's discovery understandably caused quite a stir and left app makers scrambling to patch and repair before real damage could be done.
In other words, whether exposed to widely used exploits or obscure bugs, there's a good chance the older apps in a company's portfolio are vulnerable to something, especially if they haven't received a high level of security scrutiny in some time. That alone calls for strong security measures for all software in the application layer, whether it has been targeted in the past or not.
To be clear, securing newer applications and other works in progress is just as critical to a business's AppSec success. The primary trait of a well-rounded perimeter defense is consistency: when every app in a company's portfolio is given the attention it needs, holes in the application layer become much harder to find. Review CA Veracode's case study to learn how to defend the perimeter from any number of angles.