By Venkatesh Sundar, Chief Technology Officer, Indusface
So farewell then, to 2014. This year has been a tremendous cocktail of vulnerabilities and exploitations with big names like Sony, eBay, and Amazon falling prey to security breaches. The likes of Shellshock and Heartbleed came in as a surprise to even the most equipped security companies giving a sneak-peek of what the world might be facing in the coming months.
In fact, the breaches made in last years have made even the small and medium-sized organizations look into the gravity of security concerns. The presumed ‘safe’ zone and app security compliance has seriously been dented.
And now for the coming year, if one can predict anything with certainty, it will be carrying on with the last year’s trends.
Logical Flaws Exploitation
Attackers have already learned that even average developers are getting aware of CSRF and XSS issues and trying hard to keep them in the system. That is why attackers will be looking into newer exploitation methods in 2015.
Last year in September, an Egyptian security researcher Yasser H. Ali has already demonstrated how just one click is enough to bypass CSRF Prevention System to hack PayPal accounts. Organizations can expect similar attacks where hackers will be looking into an issue with logic in coding rather than actually exploiting a known vulnerability. Protecting against such hacking is definitely going to be more difficult.
For many years, developers and security researchers have trusted OpenSSL and UNIX more than they should have. However, Shellshock and Heartbleed showed them how exploiting vulnerabilities in UNIX Bash Shell and OpenSSL cryptographic library can help breach into secure systems, which consecutively led to severe concerns in the web application security world.
In the coming year, more of such vulnerabilities will be discovered and exploited. Attacks on trusted applications and organizations will heighten.
Cloud Storage Risks
Cloud technology promises a lot of things, but at the same time it poses several threats too. Storing all of the organizations data on cloud can compromise information, which has already been highlighted in the previous year when iCloud was allegedly hacked sometime in the October.
More individuals and organizations will be shifting towards cloud computing, which also involves cloud-based web applications and their penetration risks.
Many organizations believe that compliance with OWASP Top 10 Vulnerability List is the ultimate security measure. It has never been the complete truth and in 2015 most organizations will have to realize this fact.
John Pironti, president of IP Architects, explains that compliance should be a start point. He says that it’s just a baseline security posture and organizations will need to look beyond that and develop a security trend on their own.
Darknet services including Deep Web have troubled lawmakers across different continents, but what’s more disturbing is the fact that such tools are available on access forums where black hats meet. If one gains access to such forums, peer-to-peer network loop software for eluding detection are easy to purchase or exchange. Even an amateur hacker with hands on Tor, Freenet, and I2P can cause a lot of damage.
A collection of such crimeware will pose as a serious threat to intelligence agencies all across the globe. From business’ point of view too, availability of crimeware is catastrophic.
Third-Party Application Risks
In the coming year, majority of businesses in the country will discover the benefits of purchasing coded applications rather than developing them in-house As a result, security issues associated with these web apps will multiply by several times. To educate organizations, Gartner is even organizing a Security & Risk Management Summit in early 2015 that will highlight application security along with operational technology risks.
Just like last year, injection, broken authentication, and cross-site scripting will pose the biggest threats with such web-based applications.
Total Application Security: Logical Security Successor
As the complexities with web application security get fierce, traditional defense mechanisms including regular firewalls and malware detecting solutions will not be sufficient in the coming year, 2015. Of course, these defense systems remain an integral part of the whole web application security process, but Total Application Security architectured around Detect, Protect, and Monitor will prove to be pivotal. Enterprises need to adopt more holistic, integrated security solutions that can continuously monitor and defend against emerging attacks. Indusface offers a unique service – Total Application Security (TAS), an integrated solution which can Detect, Defend and Monitor systems on a continuous basis 24X7.