6 App Security Trends from OWASP Top 10 2019
When science fiction writer William Gibson wrote his debut novel Neuromancer in 1984, the dark world of cyberhackers wasn’t nearly as robust as it is now. “Cyberspace,” he wrote in his novel, is “a consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts.”
There is something romantic about the counterculture of illegitimate interlopers who daily try to interfere with the legitimate business of the internet. The back-and-forth between application builders and attackers will continue well into the future.
Anyone can predict the future; the trouble is being right. How web security will actually shake out remains to be seen, but several trends are already visible.
Loads of Encryption
We may have gotten by in the past with sending data across insecure connections in clear text, but the risk is high and attackers grow more capable every day. Experts across the industry recommend protective measures built on more encryption and, more broadly, on stronger cryptographic controls: two-factor authentication, IoT product security, blockchain, and biometrics all appear on their lists, although only some of these are encryption in the strict sense.
In OWASP’s Guide to Cryptography, the authors identify four cryptographic functions to consider when implementing data protection:
OWASP’s point is that most breaches of cryptographic protection come from mistakes in implementation and use, not from broken algorithms. The trick is to use proven, well-reviewed cryptographic libraries and to configure them correctly rather than writing your own. The National Science Foundation, meanwhile, points to three newer methods: honey encryption (which yields plausible-looking but fake plaintexts when the wrong key is used), functional encryption with restricted secret keys, and quantum key distribution.
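The implementation-mistake point is easy to see in a TLS client. The following is an added example, not code from the article or from OWASP: it builds two client configurations with Python’s standard ssl module, one that silently turns off certificate and hostname verification (a common “it works now” shortcut) and one that leaves the proven library to do its job, then audits both against a small checklist. No network connection is made.

```python
"""Added example: the same proven TLS library used badly and used well.

Nothing here is from the original article. The audit checklist is this
example's own; a real review would add cipher policy, session settings and
certificate pinning decisions on top of it.
"""
import ssl
from typing import Dict, List


def weak_context() -> ssl.SSLContext:
    """The mistake OWASP warns about: the library is sound, its use is not.

    Hostname matching and certificate verification are disabled, so an
    on-path attacker can present any self-signed certificate and read or
    modify the traffic. check_hostname must be cleared before verify_mode,
    otherwise the library refuses the combination.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # no longer matches the cert to the server name
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Let the proven implementation verify the peer, and pin a floor on versions.

    create_default_context() already sets CERT_REQUIRED, enables hostname
    checking and loads the platform trust store; the explicit minimum_version
    makes the policy visible in code review instead of depending on defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client context.

    An empty list means the context passes every check this example encodes.
    """
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable")
    return findings


def compare() -> Dict[str, List[str]]:
    """Audit both contexts side by side."""
    return {
        "weak": audit(weak_context()),
        "hardened": audit(hardened_context()),
    }


if __name__ == "__main__":
    for name, findings in compare().items():
        print(f"{name}: {findings or 'no findings'}")
```

The weak context is what a developer writes to get past a certificate error during testing; left in production it defeats the encryption it appears to use, which is exactly the implementation failure the guidance describes.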
From Connections to Applications
The information technology community long ago adjusted to the ubiquity of internet connectivity. Getting online is a given now, and IT support personnel are no longer so concerned about keeping connections up as they are about keeping services online.
The trend will continue as more software moves to the cloud as virtual appliances and microservices. The links themselves matter less now than the application traffic that crosses them.
Traffic that is blocked or otherwise interrupted can be rerouted or reallocated to other network resources without skipping a beat. Tampering with the application itself as it processes data, where rerouting does not help, is where the danger lies.
The Open Web Application Security Project (OWASP) was formed in 2001 with the dedicated purpose of “enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” The connectivity issues that web application experts speak of are not the Layer 2 and Layer 3 issues of the early internet. Rather, application layer links have become more of an issue than the underlying infrastructure. If content is king, then the applications that produce it must also be somewhere in the royal family.
The Changing Threat Landscape
The future of web application security is not solely up to the security experts. Cyber offenders have their own say in what cybersecurity will look like in the coming years, because their activity is what drives it. The move toward widely distributed computing also plays a major part in how future cyberbattles will be fought. It is not only mobile computing that creates vulnerabilities; embedded chips in devices from automobiles to factory robots present problems for developers who neglect to build in adequate security.
And there are plenty of entry points for clever bad guys as the digital revolution continues. The Internet of Things (IoT) and 5G are only two of the technological realities that face the security industry over the coming months and years.
Developers must learn to think like attackers, or at least hire white-hat testers to assess their applications and confirm they are ready for public release.
The fact is that IT is no longer restricted to the caged confines of the data center. Many applications are out there in the public space. And those that are not may reside on servers whose ports are opened to allow users to access internal functions.
It’s not your grandfather’s internet. Open internet environments require beefed up security at every conceivable point. It’s a good thing that machine learning and artificial intelligence are now at work in the implementation of robust network security.
On the other hand, enterprises won’t be the only ones with the power of AI at their fingertips. The risks are frightening, as explained by Information Week’s Dark Reading author Satish Abburi:
“Hackers and CISOs alike have access to the power of these developments, some of which are turning into off-the-shelf offerings that are plug-and-play capabilities enabling hackers to get up and running quickly. It was only a matter of time before hackers started taking advantage of the flexibility of AI to find weaknesses as enterprises roll it out in their defensive strategies.”
Attackers may be misguided, but they are not dummies. The general profile of a dark cyber actor is someone quite familiar with computer-based technologies, and attackers who get their hands on AI and machine learning can do even more damage than they already do.
The potential power of one person to target and destroy online data or infrastructure is great. As Abburi writes, it’s entirely possible for good software to turn bad, used for illicit or destructive purposes. When these technologies get into the wrong hands, it can be calamitous.
Web Application Firewalls
A web application firewall (WAF) applies rules to the HTTP traffic passing through it, at the application layer rather than at the packet or port level. More IT departments are turning to WAFs to detect protocol anomalies and block known attack patterns. Traditional firewalls and intrusion detection systems (IDS) that work at lower layers, closing TCP ports and flagging unauthorized access, see a web attack as just another legitimate request to port 443 and may be powerless against it.
Deep packet inspection (DPI), a far more intensive assessment of traffic content than a conventional network firewall performs, could yield interesting results as AI and machine learning are applied to the data. One caveat: with most web traffic now encrypted, DPI or a WAF can only see the application payload if it terminates or intercepts TLS.
Attacks such as SQL injection and cross-site scripting can be identified by today’s tools using signature and anomaly rules. Blocklists (known-bad payload patterns, attacker addresses and networks) and allowlists (the inputs and sources that are explicitly permitted) complement each other; an allowlist is the stronger control because it does not depend on having seen the attack before. It is a matter of staying ahead of the attacker enterprise and, maybe, becoming a little smarter than they are.
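What a WAF rule engine actually does at the request level is small enough to show. The following is an added example, not the article’s code and not any real WAF product: a handful of blocklist signatures for SQL injection and cross-site scripting, a deny list and an allow list of source networks, and the decoding step that stops a percent-encoded or double-encoded payload from slipping past the signatures. The signatures, network ranges and sample requests are all constructed for the example.

```python
"""Added example: a toy WAF-style inspection pass over constructed requests.

Not a real product's rule set. Each signature is deliberately narrow; the
OWASP ModSecurity Core Rule Set has hundreds of rules and anomaly scoring
precisely because single regexes either miss variants or block legitimate
input.
"""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Blocklist: (rule id, pattern applied to a normalized parameter value).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("sqli-comment", re.compile(r"(?:--|/\*)")),
    ("sqli-union", re.compile(r"\bunion\b.+\bselect\b", re.S)),
    ("xss-script-tag", re.compile(r"<\s*script\b")),
    ("xss-event-handler", re.compile(r"\bon[a-z]+\s*=")),
]

# Constructed source-address lists (TEST-NET and RFC 1918 ranges).
DENY_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # known attacker origin
ALLOW_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # trusted internal range


def normalize(value: str) -> str:
    """Undo percent-encoding until stable, then fold case.

    Attackers double-encode ("%2555NION" -> "%55NION" -> "UNION"); matching
    the raw string would miss it. Lower-casing lets the signatures stay simple.
    """
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value.lower()


def inspect(src_ip: str, params: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", matched rule ids) for one request.

    The allow list short-circuits signature checks, which is the trade-off of
    any allow list: it is a trust decision, not a detection.
    """
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in DENY_NETS):
        return "block", ["denylist-ip"]
    if any(ip in net for net in ALLOW_NETS):
        return "allow", ["allowlist-ip"]
    hits: List[str] = []
    for name, raw in params.items():
        value = normalize(raw)
        for rule_id, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append(f"{rule_id}:{name}")
    return ("block" if hits else "allow"), hits


# Constructed sample requests: (source address, query parameters).
SAMPLE_REQUESTS = [
    ("198.51.100.7", {"user": "alice", "page": "2"}),                 # benign
    ("198.51.100.7", {"user": "' OR '1'='1", "page": "2"}),           # classic tautology
    ("198.51.100.9", {"q": "%3Cscript%3Ealert(1)%3C/script%3E"}),     # URL-encoded XSS
    ("198.51.100.9", {"q": "1 %2555NION %2553ELECT password FROM users"}),  # double-encoded
    ("203.0.113.5", {"user": "alice"}),                               # deny-listed origin
    ("10.1.2.3", {"user": "' OR 1=1"}),                               # allow-listed, unchecked
]


def run_samples() -> List[Tuple[str, List[str]]]:
    """Inspect every sample request in order."""
    return [inspect(ip, params) for ip, params in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ip, params), (decision, hits) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{ip:14} {decision:5} {hits} {params}")
```

The last sample is the one to notice: the payload is as malicious as the second, but the allow list lets it through unexamined. That is the practical meaning of the point above that allow lists and block lists complement each other rather than substitute for one another.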
Everyone Needs to Play Defense
Certainly we’ll never be able to protect ourselves against all the possible threats that we may face in our digital activities. But we should never let down our guard. We always need to stay at least one step ahead of the bad guy if we want to survive. It’s a shame it has to be that way. But accepting online realities as they are means that we see the need to be as prepared as possible to address them. And protecting applications is now priority one.
Using online services is what it’s all about. Every internet user in today’s digital world should keep up with both the threats and the possible solutions. Everybody needs to pitch in if we want to make application security a success for the next generation of users.