Threat X Labs - Blog

While application security has never been more advanced, one could argue that it has also never been more difficult. Keeping pace with the growth and evolution of applications, evaluating the endless number of available solutions, and recruiting the expertise to manage the solutions and evaluate the data are just a few of the challenges modern security teams face. The team at Threat X is comprised of engineers, developers, and security practitioners that have faced one of more of these challenges in their careers. That's what fuels our passion every day.

On this note, I am writing a multi-article series that addresses some of the key trends and challenges facing application security today and how security teams can adapt. In the first article, I highlight the shift in application development and integration, and the impact on security teams. In this article, I will dive into how new DevOps models are affecting security strategies and ushering in a new age of security tools. 

The Modern Age of Applications

Applications are the heart of most organizations. While you can think of data as the nouns of an organization’s story, applications are the verbs where the action takes place and the real work gets done. And the nature of those applications is changing dramatically - including everything from how they are developed, to how they are accessed, to how they are secured.

It seems that nearly every week, another IoT related security story is in the news. While most of the coverage still focuses on the hardware, organizations often forget the cloud infrastructure that connects the differing threads of IoT devices. These portals are a mega culprit in the complicated and risky security landscape. They are a modern day hacker's keys to your kingdom.

As I talk to customers around the world about securing their applications I've noticed a specific topic keeps coming up more and more often: Securing their APIs - both public and internal varieties. RESTful JSON APIs seem to be the most prevalent these days, but I still hear about SOAP and XML APIs, as well as some customers on the bleeding-edge with GraphQL APIs they want to protect. 

Over the past few years, web and application development has undergone a considerable change. Not only is application development and integration dominated by web and mobile-enabled solutions, but technologies like APIs and microservices are also breaking into the scene. 

While these recent advancements have increased connectivity and productivity, they have complicated application security for many organizations. From botnets to targeted attacks, web applications are the target and successful source for a growing number of malicious threats - nearly 10% growth YoY^*.

In a world that is increasingly fast-paced, continuously evolving, and especially competitive, the Internet of Things (IoT) has introduced an entirely new era of connectivity and productivity. For the most part, consumers and businesses alike would argue that the IoT has transformed our every day lives for the better. From optimizing business processes to automating monotonous, manual tasks, IoT devices are integrated in nearly everything we do. In addition to this, many organizations rely on a web portal for multi-device management. This convenience, however, comes at a cost.

There is an ongoing debate among security professionals surrounding the most effective ways to monitor, detect, classify, and ultimately, block malicious threats. Up to this point, the majority of security solutions hang their hats on monitoring and reacting to binary attacks or action. While this approach may provide the peace of mind that nearly every malicious attack will be blocked, it also results in ample false positives and disruption to legitimate prospect or customer web traffic. The frustration from security teams has prompted the search for another way. Enter, The Web Application Kill Chain. 

Last week, the Apache Software Foundation announced a new Apache Struts vulnerability (CVE-2018-11776) that looks just as bad as the one that took down Equifax last fall. When exploited, this vulnerability allows an attacker remote access of servers running an un-patched version of Struts (2.3 to 2.3.34 or 2.5 to 2.5.17). Thousands of companies running Struts were now potentially facing a serious threat to their systems. Those organizations without a WAF (Web Application Firewall) in place or those leveraging one with outdated signatures may be at risk of compromised systems and exposed data.