Traditionally, security systems and cybersecurity efforts focused on infrastructure, and often worked in silos separate from application developers. This approach often left applications vulnerable and susceptible to attack, and cybercriminals are taking advantage, using the app layer as a favored attack vector.
“Attackers try to find the path of least resistance,” said Eugene Dzihanau, senior director, security practice lead at EPAM Systems. “Currently, the application security vector of attack allows for efficient attacks with minimal cost.”
As more than 80% of attacks now come through the app layer, there is a need for secure coding practices around the application layer, with vulnerabilities continuously remediated or mitigated during the development process and before deployment.
“Considering the amount of application development and the ever-increasing complexity and speed of development, this is not easy,” Dzihanau added.
How the Attack on the App Layer Works
Attacks often target business logic problems or underlying technology and security controls implementations.
“Typically, an attacker will manipulate application inputs to create unintended application behaviors that allow the attacker to exploit users of the application, its business logic, or its infrastructure,” explained Zach Jones, senior director of detection research at WhiteHat Security. For example, attacks on users include taking over their account or performing sensitive actions on their behalf, while attacks on application business logic include transferring negative amounts of money, which causes products to have negative quantities or prices.
An attack on the application’s infrastructure could be an unauthorized retrieval of information from the application’s database or execution of commands on the application’s back-end servers that allow attackers to gain a foothold and pivot their attack toward other internal or external targets that have implicit trust of the application. The damage caused by an attack on the applications layer will depend on the type of functionality the application contains and its level of access to other systems, according to Jones.
“Data theft, property theft, reputational damage and disruption of business operations are common outcomes of a complete application compromise, but not all attacks result in a complete compromise,” Jones said. “Applications can be abused in support of larger criminal operations, and individual users can be targeted for distribution of malware, ransomware, blackmail campaigns, or other types of fraud. In these cases, the impacts and costs of such an attack may not be immediately visible to the application’s operators.”
Direct costs, like theft and asset losses, typically constitute only a tiny portion of total damages, Dzihanau pointed out. The more serious costs surrounding the attack come from the disruption of normal operations, loss of productivity, loss of revenue due to downtime, incident response and technical support costs and fines imposed by regulators.
“However, more considerable losses are associated with brand damage and loss of customers. A lot of customers will not do business with a company that repeatedly failed to protect their data,” Dzihanau said.
How to Protect the Application Layer
Protecting the application layer begins with taking a more holistic approach to security, with security controls implemented throughout the entire development lifecycle. “A layered approach to security works the best. Security in applications needs to be addressed fundamentally through a continuous application security program,” said Dzihanau. “With trends like infrastructure-as-code and fully automated DevOps pipelines, the delineation between applications, infrastructure and operations blurs. Everything becomes code; application security programs and cloud security programs should be carried together, ideally as a holistic initiative that addresses security in the modern software landscape.”
To do this, organizations need to mature their software ideation, development, testing and operations to include security and risk management considerations, as well as build proficiency in areas such as threat modeling, risk quantification, security requirements gathering, security testing, vulnerability remediation and application layer security monitoring.
“Organizations should focus on a continuous and iterative approach of setting, measuring and achieving maturity goals in these areas instead of trying to achieve an impossible application security nirvana,” said Jones. “Like all security disciplines, successful application security is about risk management, not complete risk elimination.”