2017 was no stranger to application security threats, with some of the biggest hacks to date taking place that year. In fact, during the third quarter of 2017 there were more than 230 million web application attacks on websites in the U.S.

Despite these figures, a 2017 study on mobile and IoT application security found that only 30% of organizations allocate sufficient resources to protect mobile and IoT applications from security threats. Only 20-30% of mobile and IoT applications are being tested for vulnerabilities, with many waiting until production to perform vulnerability testing.

Organizations must take a proactive approach to identify and address application security vulnerabilities before they are exposed. While this requires additional time and money up front, the cost, time, and damage to your reputation that an application hack brings are a much greater burden to bear.

With so many threats out there, achieving application security can be overwhelming. To help you focus your efforts, here is a look at some of the top 2017 application hacks, as well as the emerging 2018 application security threats requiring your attention.

The top 2017 application security threats

As we look back at 2017, two application security threats stand out and warrant a closer look – outdated patches and underprotected APIs.

2017 saw both public and private companies – as well as government agencies – failing to stay up to date on patching their software and servers. The best way to demonstrate the risks associated with this is to look at an example of what can go wrong.

The consumer credit reporting agency Equifax fell prey to an exposed vulnerability that resulted from its failure to install an update. Specifically, the hack was the result of the Apache Struts Remote Code Execution (RCE) vulnerability.

Apache Struts is an open source framework for creating web-based Java applications. A vulnerability existed that allowed a remote attacker to inject operating system commands into a web application through a Content-Type header. This specific vulnerability was identified some time ago, and a patch was released in March 2017. Equifax failed to install that patch to address this well-known exploit.

The missing patch rendered the application server hosting their web application vulnerable, and an attacker was able to get in. The result was one of the worst hacks of all time, impacting an estimated 143 million Americans. The information stolen included names, addresses, credit card numbers, Social Security numbers, and other personal information.

This application hack could have been easily prevented with a verification process to ensure software patches had been applied and were up to date – this was a failure of process, not of technology. As a result of this hack, the U.S. Senate is currently seeking to increase fines on credit reporting agencies in an effort to curb data theft occurrences and increase the priority placed on application security in the industry.

So what can you do to protect your business from outdated patches in 2018? Follow these steps:

  • Perform regular vulnerability scans and audits of your software, particularly Internet-facing applications
  • Implement a formal plan for patch management to ensure someone is in charge of ensuring patches are up to date
  • Use application security vulnerability tools to scan your application for vulnerabilities – and remember that this includes not only the code that you write, but all of the third-party libraries and components (like Struts) that you use

Another top 2017 application security threat was underprotected APIs. Application programming interfaces (APIs) are a means by which separate applications and services speak with one another. They typically have little protection beyond a firewall, making them subject to vulnerabilities by which malicious information can be sent into, or pulled out of, a program or an application.

APIs have become more popular in recent years, with developers using them more often when building applications – often as a way of making their services or data available for sale to other applications. Unfortunately, they are being implemented into web applications without much thought being given to security. To add fuel to the fire, underprotected APIs are often not part of the traditional application security testing process.

Hackers are capitalizing on this trend, targeting APIs because of their increased use and lack of security. This application security threat has become big enough to prompt OWASP to add “underprotected APIs” to its Top 10 Application Security Risks list, which was recently updated in 2017.

To protect your business from this application security threat, you should:

  • Ensure that all data is coming from expected sources
  • Ensure that all data is formatted in the proper manner
  • Add stronger authentication code to your APIs
  • Add access controls to your APIs
  • Include testing of your APIs in your formal appsec testing process

2018 application security threats

There are also a few application security trends from 2017 that we expect to increase in occurrence during the coming year. Understanding these 2018 application security threats, and how you can protect your applications against them, is essential to application security.

There are four 2018 application security threats we expect to see rise to prominence:

  1. Using components with known vulnerabilities

In an effort to embrace the Agile development process, application developers are starting to leverage application frameworks based on long-standing languages such as JavaScript. This allows developers to create and prototype applications quickly.

But these frameworks often rely on a large tree of intertwined dependencies, and can pull in components from unknown sources across the Internet – opening the applications to threats. One such JavaScript platform is Node.js, which allows web application developers to use a single programming language for both client-side and server-side scripting.

Developers tend to rely more on the popularity of a given JavaScript library to determine its security, making the false assumption that if a lot of developers are using it, then it must be secure. This is a flawed approach.

Within a framework, one library may depend upon another, creating an intricate chain of dependencies. Deep within these chains there may be libraries that have poor security protection in place, or may even be susceptible to several types of malicious behavior, opening them up to what are known as supply chain attacks.

An example of this kind of supply chain attack would be a hacker getting into the computer or online repository of a JavaScript developer who owns one of the libraries in the node package manager (npm) registry (a collection of Node.js packages). The hacker can inject malicious code into that library, infecting everyone who uses the library as part of that package. You quickly see the cascading effect this can have from an application security standpoint.

Proactive steps can be taken to prevent this type of attack:

  • Pull in packages you want to use, and mirror them locally in your development environment, rather than pulling them directly from the internet every time you build. In other words, do not build and deploy from the internet.
  • Use application vulnerability tools to locate vulnerable packages in your local repository. For example, the OWASP Dependency Check tool is an open source application that can scan your code base for outdated libraries it may be using.
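
Both the patching checklist above (scan the third-party components you ship, not just your own code) and the npm mirroring advice come down to the same check: walk your pinned dependency tree and match each entry against known advisories. This is an added example, not code from the article or from OWASP Dependency Check; the lockfile, package names and advisory ids are constructed for illustration.

```javascript
// Constructed sample lockfile (package-lock.json shape), not a real project;
// "html-minify" sits three levels deep and carries no integrity hash.
const lockfile = {
  dependencies: {
    "web-framework": {
      version: "2.1.0",
      integrity: "sha512-CONSTRUCTED",
      dependencies: {
        "template-engine": {
          version: "1.0.4",
          integrity: "sha512-CONSTRUCTED",
          dependencies: {
            "html-minify": { version: "0.9.1" } // unpinned: no integrity field
          }
        }
      }
    },
    logger: { version: "3.2.0", integrity: "sha512-CONSTRUCTED" }
  }
};
// Hypothetical advisory feed (invented ids); a package is affected when version < fixedIn.
const advisories = [
  { name: "html-minify", fixedIn: "1.0.0", id: "ADV-EXAMPLE-1" },
  { name: "logger", fixedIn: "3.1.0", id: "ADV-EXAMPLE-2" } // 3.2.0 is already fixed
];

// Dotted numeric version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Walk the tree depth-first; each finding records the full path from the root, so a
// vulnerable transitive dependency can be traced to the direct one that pulls it in.
function audit(tree, advisories, path = "", findings = []) {
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    const here = path ? `${path} > ${name}@${entry.version}` : `${name}@${entry.version}`;
    if (!entry.integrity) findings.push({ type: "unpinned", path: here });
    for (const adv of advisories) {
      if (adv.name === name && compareVersions(entry.version, adv.fixedIn) < 0) {
        findings.push({ type: "vulnerable", id: adv.id, path: here });
      }
    }
    audit(entry, advisories, here, findings); // recurse into nested dependencies
  }
  return findings;
}
```

Run against a real lockfile, the "unpinned" findings are the entries a local mirror cannot verify, and the "vulnerable" paths tell you which direct dependency to upgrade or replace.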

  2. WordPress and other Content Management Systems

WordPress and other Content Management Systems (CMS) are ripe for more of these supply chain attacks, and we can expect an increase in 2018. WordPress comprises more than 25% of all websites on the internet, making it a huge target. It also represents the majority of CMS-related vulnerabilities, with a 400% increase in such vulnerabilities between 2016 and 2017.

Third-party plugins are the primary culprit for these vulnerabilities, with 75% of those reported in 2017 coming from this source. Plugins are particularly susceptible to security threats, with plugin developers being targeted directly by hackers through “spear phishing” attacks.

In this scenario, a developer can unknowingly get hacked – through an innocuous-looking email for example – enabling the hacker to steal browser cookies that could provide an avenue to insert malicious code changes to the developer’s plugin code. The hacker can then push out changes to the plugin that contain malicious content, infecting all those who use it.

Plugins have also been purchased from a developer by someone with the express intent of using them for malicious purposes. The buyer typically appears to want to help and improve the plugin, only to use it for malicious activity after the sale is complete.

To decrease your chances of falling victim to this threat you should:

  • Only use plugins from the official WordPress repository, as they have taken some steps to verify the plugin code
  • Avoid using aging plugins that have not been updated recently, and appear to be “stale”
  • Choose plugins that have positive feedback and reviews in the WordPress repository
  • Apply plugin updates as soon as they are made available

  3. Cross-site scripting (XSS)

Cross-site scripting (XSS) is one of the most common vulnerabilities in web applications, and is expected to be a major threat in 2018 as the popularity of JavaScript frameworks increases. While XSS is often benign, it has the potential for malicious use.

XSS allows attackers to execute scripts in the visitor’s browser on behalf of a vulnerable website, unbeknownst to the user. Users can be redirected to malicious sites or made subject to other malicious activity, such as having their cookies stolen.

The reason we expect a rise in 2018 is that XSS often occurs in JavaScript. As previously mentioned, JavaScript frameworks are gaining in popularity, so as their usage increases, so will the incidence of XSS.

The rise of cryptocurrencies is also contributing to increases in XSS threats. Hackers can use XSS to mine for Bitcoin or other cryptocurrencies by stealing the processing power of visitors’ computers. This cryptojacking will further contribute to XSS incidents.

The key point to keep in mind to protect yourself against XSS is that it is easily identified with application security testing tools, so employing these tools as part of your security testing process is important.
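The pattern behind most XSS findings, as an added example that is not code from the article: the same comment-rendering routine with and without output encoding, plus the kind of reflection probe a testing tool uses to tell the two apart. Function names and sample input are illustrative.

```javascript
// Escape the five characters that carry meaning in an HTML text or quoted-attribute
// context, so user-supplied text is shown literally instead of parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: user input is concatenated straight into the page's markup.
function renderUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: the value is encoded before it is placed into an HTML text context.
function renderSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// How a testing tool spots the defect: submit a probe containing HTML metacharacters
// and check whether the rendered output still contains it unencoded.
function reflectsRawMarkup(render) {
  const probe = "<probe-xss-check>"; // constructed marker, harmless by itself
  return render(probe).includes(probe);
}
```

Modern frameworks apply the equivalent of escapeHtml by default; findings usually come from code paths that bypass it (raw HTML insertion helpers) or from placing data in a script or URL context where this encoding is not sufficient.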

  4. IoT vulnerabilities

The sharp rise in IoT devices such as smart TVs, Google Home, and Amazon Alexa means that individuals are connected online at all times. This makes them a more desirable target for hackers.

Many vendors selling IoT devices do not secure them properly, leaving this job up to the buyer. But many home users and even businesses do not understand how (or take the time) to change default login credentials and secure their WiFi network. It then becomes simple for hackers to get into these devices and wreak havoc.

Staying safe from IoT vulnerabilities in the home or office requires that you:

  • Secure your WiFi network
  • Change credentials regularly
  • Apply updates to firmware and software as soon as vendors make them available

What you need to do from a high level

Keeping in mind the specific actions that can be taken for each application security threat covered here, there are also some more general steps you can take to ensure your overall application security:

  • Plan out security requirements for your organization
  • Create a security strategy that defines roles and tasks
  • Perform regular application security testing. This involves:
    • Identifying vulnerabilities
    • Assessing whether they are exploitable
    • Determining the risk and priority level
  • Have a plan in place for remediating vulnerabilities
    • Who is responsible?
    • How will you track progress?
  • Have a plan in place for responding to security incidents if they do occur

Having such a high-level plan, along with the more detailed steps that can be taken for the threats that will permeate 2018, will increase your protection from application security vulnerabilities in the coming year.