Editor's Note: I’ve been writing about application and web security quite a bit lately, and that’s on purpose. There have never been more attacks on our personal and private information. These attacks are coming not only from lone hackers but also from state-supported groups and intelligence agencies. This guest post gives a good overview of what’s been going on and a little on the tactics we can take to combat these activities. This isn’t an exhaustive treatise on how to secure your applications. It’s more an intro course on the topic. It’s a springboard for you to dive into this vast and quickly-evolving world.


Application Security — Cutting Edge Or Critical Failure?

How secure are your applications? While you might be confident about apps designed in-house, what about third-party software for desktops or mobile apps made using open-source code? Are current application security methods doing enough to meet the threat of cutting-edge cybercriminals, or are companies facing critical failure?

Continuing Compromise

At the beginning of March, information-sharing site WikiLeaks published what could be the largest release of CIA documents on record, if the 7818 pages and 943 attachments actually belong to the spy agency.

Non-denial denials aside (according to spokesman Don Boyd, “We do not comment on the authenticity or content of purported intelligence documents”), the released data describes a number of application attacks that could presumably net access to almost any device around the world. For example, some files contained instructions for compromising computer applications such as Skype, commercial antivirus programs and even PDF files. Applications such as “Wrecking Crew,” meanwhile, could crash targeted computers, while others claim the ability to breach both Apple and Android smartphones, in turn bypassing the encryption offered by tools like WhatsApp, Signal or Telegram. It doesn’t stop there, though. A program code-named “Weeping Angel,” which the documents claim was developed in partnership with British intelligence, supposedly used Samsung smart televisions to listen in on conversations even when the device appears to be turned off.

There’s also another level of concern here: An authentic leak means that even CIA servers and storage solutions aren’t out of reach for interested hackers. If the vaunted spy agency is at risk, what’s the downstream consequence for the average application or device?

Emerging Threats

While the WikiLeaks story may be top of mind given its high-profile target and potentially dangerous app attacks, it’s not exactly an outlier: Applications across multiple industries and government agencies are now under threat.

Consider the rise of connected-vehicle applications. Recent research suggests that Android-based connected car apps could be easily hacked if attackers gain access to rooted phones or convince users to download malicious files. Once in control of the car app, cybercriminals could leverage the tool to gain physical access without setting off the alarm. Seven of nine car apps tested were vulnerable. Research firm Kaspersky noted that the problem didn’t stem from code flaws but a simple lack of defense. According to security researcher Victor Chebyshev, these apps are “controlling very valuable things for the user, but they’re not thinking about security mechanisms.”

North of the border, meanwhile, the Canada Revenue Agency (CRA) was forced to temporarily shutter its online services and mobile applications after a vulnerability was discovered in Apache Struts 2, an open-source software tool that is widely used by government and private sector agencies alike. While there’s no evidence of lost or stolen data, it’s a sobering reminder that even popular (and presumably well-tested) applications can put companies at risk.

The Speed of Security

As noted by Dark Reading, the recent CIA breaches, vulnerable industry apps and open-source issues make the case for app security as “pre-industrial,” since it lacks the ability to handle attacks at scale, focuses mainly on vertical threats, and includes a “vast landscape of tools and point solutions.” Plus, without effective standardization and specification, these tools are ad hoc at best and may not successfully address the accelerating speed of security threats.

Top Tactics

The first step in shifting app security from critical failure to cutting edge? Identifying key threat vectors. For example, both DoS and DDoS attacks are on the rise, with 53 percent of security pros saying these threats are among their top concerns. In addition, 60 percent of apps are vulnerable to SQL injection, allowing hackers to gain access and take control. More than 50 percent of web applications still allow cross-site scripting (XSS) attacks. Companies aren’t doing themselves any favors when it comes to design and testing, with stock permissions and APIs opening the app door to hackers even as timid testing of apps assumes that internal code offers superior protection.

Bottom line? Apps are vulnerable and software security isn’t keeping pace. Pushing app protection into the present demands a hard look at current targets and a better understanding of top application threats.

For more information on application security threats and how to handle them, review the accompanying slideshow from Column Information Security.

Author bio: Nori De Jesus is Global Director of Marketing at Column Information Security. De Jesus brings more than 20 years of experience as an advent marketer and business strategist working with software manufacturers and launching proprietary software solutions into the market. With expertise in BPM and case management B2B marketing, she focuses on innovation and making a difference by maintaining agility as the technology climate continues to shift. De Jesus is an evangelist in educating buyers through their technology-purchasing journey via content and research.

In this day and age of websites being hacked, personal information being stolen, and companies large and small being targeted by hackers around the world, you would think most developers would go through their systems to make sure they are following best practices when it comes to security.

I understand “security” is big and scary and has many layers. Let’s start with something easy: passwords.

Last week, I signed up for a service. I’m not going to put them on blast, but after I signed up, I received an email with my new account information, including my password.

My heart skipped a beat.

That’s very bad.

If you get an email from a website, large or small, and it contains your password, be very wary. In the vast majority of situations, they are not storing that password in a secure way.

When I pressed them, they said it wasn’t a huge deal because they weren’t storing credit card details in there.

The reality is this: it doesn’t matter what you are or aren’t storing in your database or application. If you have weak security in one place, you have weak security everywhere. I would hazard a guess that the password strength and security for the other servers on that network aren’t great either.

So why do companies launch web applications with terrible password security? Some of it may be lack of knowledge, but that excuse is harder and harder to believe in today’s world.

For some companies, that’s the way it’s always been done. Others store passwords in plain text to make life easier for customers who have lost theirs: they think it’s easier to send users their password than to reset it.

Finally, there’s cost. If you have to retrofit your web application to store passwords securely, that takes time, effort and resources. Company executives may not see the return on investment, which is unfortunate.

One of the most popular posts on this blog was one I did in 2008 about passwords. Specifically, you should never store a user’s password in your database as plain text. This means not saving in your database or text file exactly what the user typed in.

When developers store passwords this way and an unauthorized person gains access, that attacker needs to do no work to get all user data. The following comes from MediaTemple, who was hacked in 2009, when it was discovered they were storing passwords in plain text:

“Clear Text” is a method of storing passwords in a database so that they are human readable. This preference was made to provide customers a convenient way of managing access to their services, e.g. connecting a PHP app to MySQL. The “clear text” method can be less-secure than methods involving “encryption”, where passwords are not human-readable. This is less convenient for customers, but adds a layer of security. Properly secured databases can store passwords using either method, with the information kept private. However, if a database gets compromised, the encryption method is the only way to keep the information secure.

If you want to securely store your passwords, use a decent hashing algorithm together with a per-user salt, or use a strong password-hashing library such as Bcrypt. Don’t store them as plain text. It isn’t hard, and it will help secure the information your users have trusted you with.
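To make the difference concrete, here is an added example (not code from the original post) that puts the plain-text pattern beside salted hashing and shows why a site that can email you your password has kept it recoverable. The post recommends Bcrypt, which needs the third-party `bcrypt` package; this example assumes standard-library `hashlib.pbkdf2_hmac` instead, and the user table and credentials are constructed in memory.

```python
import hashlib
import hmac
import os

# Work factor assumed for this example; production deployments tune it higher.
ITERATIONS = 200_000


def store_plaintext(users: dict, username: str, password: str) -> None:
    """The bad pattern: whatever the user typed goes straight into the table."""
    users[username] = {"password": password}


def store_hashed(users: dict, username: str, password: str) -> None:
    """The good pattern: random per-user salt, slow hash, store salt + digest only."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    users[username] = {"salt": salt.hex(), "hash": digest.hex()}


def verify_hashed(users: dict, username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = users.get(username)
    if rec is None or "hash" not in rec:
        return False
    salt = bytes.fromhex(rec["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), rec["hash"])


def can_email_password(users: dict, username: str) -> bool:
    """A site can only mail you your password if it kept the original recoverable."""
    return "password" in users.get(username, {})


if __name__ == "__main__":
    bad, good = {}, {}
    # Constructed sample credentials; "alice" and "bob" share a password.
    store_plaintext(bad, "alice", "hunter2")
    store_hashed(good, "alice", "hunter2")
    store_hashed(good, "bob", "hunter2")
    print("plain-text row:", bad["alice"])           # a database dump reveals it
    print("hashed row:    ", good["alice"])          # salt + digest only
    print("same password, different hashes:",
          good["alice"]["hash"] != good["bob"]["hash"])
    print("login with right password:", verify_hashed(good, "alice", "hunter2"))
    print("login with wrong password:", verify_hashed(good, "alice", "hunter3"))
    print("site could email the password:", can_email_password(good, "alice"))
```

Because the salt differs per user, identical passwords produce different digests, so a leaked table cannot be cracked once and applied to every account.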

I think it’s fair for users to think that sites they give their personal information to will keep that information secure.

It seems like all the major social platforms are working day and night to copy each other’s features. Lately, it seems they all have their sights set on the newly-public Snapchat, who launched their stories feature ages ago. Instagram soon followed, and this week the mighty Facebook is launching a story feature.

Stories are not a new concept – users can now post images, videos, and more to a “story” as opposed to their news feed. These are intended to be ephemeral, lasting a few hours or a day, and then they disappear. Users can send these to all their friends, or, like Snapchat and Instagram, direct them to a specific user.

Facebook will allow drawing, stickers, and more to be added to photos. Facebook’s spin on the story will include a feature they are calling “masks,” which is a lift of Snapchat’s filters feature. Snapchat’s filters are fun but they have some pretty serious science behind them. Here are a few examples of masks Facebook will ship:

Facebook Masks

As you can see, they will be heavily advertiser focused. In the example above, you can see an Aliens movie tie-in, Minions, and Guardians of the Galaxy. These IPs all have new movies coming out this summer. After all, Facebook is an advertising company, first and foremost.

Here’s what I thought when I saw this news this morning. If every platform and tool has an ephemeral stories feature, then none of them do. My time is limited, and now I have to think about what platform I should or need to post my stories on. None of them? All of them? Where do I reach the most amount of people?

For example, for some reason, I have a huge following on Snapchat. Literally tens of thousands. I post stories there and they do well with many views. Now, with Facebook launching stories, will that audience erode? Do I have to post the same content on Facebook, where I reach fewer people, or do I focus my limited energies on the platforms where I already have brand value?

And that’s me as an individual. This is going to add a whole new layer of complexity for brands, institutions, and companies. They will need to decide where it makes sense for them to spend their time and resources to reach their key audiences as well. The Verge says this:

Where to post your daily story now becomes a daily concern for a certain subset of youngish, social media-savvy people. Facebook says stories belong everywhere that people are talking online, but what if the format is a fad? And what if forcing it on users across its entire family of apps leads to a general fatigue with the idea? The company says each of its apps has a distinctive audience, and I believe it. But there’s also plenty of overlap. There’s a risk here that Facebook’s mania for stories will be interpreted as overkill by its users, and the feature will ultimately fade into the background. (This happened with live video!)

This stories war has the potential to also create confusion among users. If Facebook puts a large amount of attention and advertising around the Stories feature, will that slowly decrease the amount of news feed posts people and brands are doing? Will brands want to spend money to promote their posts to news feeds if the traffic isn’t there to see it?

Personally, I’m all for stories if it stops people posting freebooted videos and “inspirational” quotes on their news feeds.