The likes of Shellshock and Heartbleed came as a surprise even to the best-equipped security companies, giving a sneak peek of what the world may face in the coming months.
In fact, the breaches of the last few years have forced even small and medium-sized organizations to take security concerns seriously. The presumed 'safe' zone of application security compliance has been seriously dented.
If anything can be predicted with certainty for the coming year, it is that last year's application security trends will carry on.
Logical Flaws Exploitation
Attackers have already learned that even average developers are now aware of CSRF and XSS issues and are trying hard to keep them out of their systems. That is why attackers will be looking for newer exploitation methods in 2015.
In September last year, Egyptian security researcher Yasser H. Ali demonstrated how a single click was enough to bypass PayPal's CSRF prevention system and take over PayPal accounts. Organizations can expect similar attacks, where hackers look for a flaw in the application's logic rather than exploiting a known vulnerability class. Protecting against this kind of attack is definitely going to be more difficult.
For many years, developers and security researchers trusted OpenSSL and UNIX more than they should have. Shellshock and Heartbleed showed how exploiting vulnerabilities in the UNIX Bash shell and the OpenSSL cryptographic library can breach supposedly secure systems, which in turn raised severe concerns across the web application security world.
In the coming year, more such vulnerabilities will be discovered and exploited. Attacks on trusted applications and organizations will intensify.
Cloud Storage Risks
Cloud technology promises a great deal, but it poses several threats as well. Storing all of an organization's data in the cloud can expose that information, as was highlighted last year when iCloud was allegedly hacked in October.
More individuals and organizations will be shifting to cloud computing, which also means more cloud-based web applications and more risk that those applications will be penetrated.
Many organizations believe that compliance with the OWASP Top 10 vulnerability list is the ultimate security measure. That has never been entirely true, and in 2015 most organizations will have to face this fact.
John Pironti, president of IP Architects, explains that compliance should be a starting point. He says that it is just a baseline security posture and that organizations will need to look beyond it and develop a security trend of their own.
Darknet services, including the Deep Web, have troubled lawmakers across different continents, but what is more disturbing is that such tools are available on the access-controlled forums where black hats meet. Anyone who gains access to such forums finds that peer-to-peer network software for eluding detection is easy to purchase or exchange. Even an amateur hacker with hands-on experience of Tor, Freenet, and I2P can cause a lot of damage.
A collection of such crimeware poses a serious threat to intelligence agencies across the globe. From a business point of view, too, the ready availability of crimeware is catastrophic.
Third-Party Application Risks
In the coming year, the majority of businesses in the country will discover the benefits of purchasing ready-made applications rather than developing them in-house. As a result, the security issues associated with these web apps will multiply several times over. To educate organizations, Gartner is even organizing a Security & Risk Management Summit in early 2015 that will highlight application security alongside operational technology risks.
Just like last year, injection, broken authentication, and cross-site scripting will pose the biggest threats to such web-based applications.
Total Application Security: Logical Security Successor
As web application security grows more complex, traditional defense mechanisms such as conventional firewalls and malware detection solutions will not be sufficient in the coming year, 2015. Of course, these defense systems remain an integral part of the overall web application security process, but Total Application Security, architected around Detect, Protect, and Monitor, will prove pivotal. Enterprises need to adopt more holistic, integrated security solutions that continuously monitor for and defend against emerging attacks. Indusface offers a unique service, Total Application Security (TAS), an integrated solution that detects, defends, and monitors systems continuously, 24x7.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface over the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to its first customers, with a proven, validated business model poised for scale. He has 10+ years of proven experience in the security industry and has held various management and leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.