It’s difficult to imagine a world without apps when there are more than 5 billion smartphone users and around 9 million apps in use worldwide. Apps are a mundane reality in modern life that many are now taking for granted.
The increased reliance on apps, however, merits some scrutiny in the context of cybersecurity. Applications on smartphones and computers provide significant advantages and convenience, but they also add to security risks.
This is particularly true among organizations that are becoming increasingly more reliant on apps for their operations. “Security professionals face growing challenges as their organizations increase both the number of applications deployed and the pace at which these applications change,” as noted CISO Jonathan Nguyen-Duy wrote in an eWeek piece back in October.
A study cited by Nguyen-Duy indicates that nearly half of organizations use more than 100 unique apps, while around a quarter say that they use more than 500. There is an ongoing proliferation of apps among organizations, and this is making cybersecurity professionals wary.
The need to secure apps
The apps used by a company may have vulnerabilities that cybercriminals can exploit. The automated customer service platform an online retailer uses, for example, can become a way through which hackers steal customer contacts. An online store’s searchable product database can reveal information beyond product details and images.
The reflected XSS vulnerability on Uber’s page (https://lert.uber.com/s/search/All/Home”>PAYLOAD), for example, made it possible to execute malicious scripts because of the lack of input validation from the search field on lert.uber.com. This enabled the hijacking of session cookies from Uber users by making them click on a simulated link that points to Uber’s website. To detect and address this vulnerability, organizations need a competent team to continuously monitor apps and validate reports of possible security risks. It can also be detected and resolved through a runtime application self-protection (RASP) system to secure apps by default.
App defense systems like RASP protect applications as they are targeted with various schemes such as command injection, cross-site request forgery, CSS and HTML injection, JSON and XML injection, HTTP response splitting, HTTP method tampering, unvalidated redirects, malformed content types, as well as software supply chain attacks. Weaknesses such as insecure cookies and transport, vulnerable dependencies, poor browser caching and authentication, uncaught exceptions, and bad cryptography also make apps security risks.
Apps do more than what they are advertised to do, and not in ways that are advantageous to users. In particular, they can collect various information such as usernames, passwords, multimedia content, messages, information on places visited, and personal details including the 411s of customers or clients. Apps built without taking cybersecurity and privacy into account will likely end up sharing this sensitive information to bad actors.
Apps change constantly
Organizations need to realize that apps continuously change. Those that have not yet undertaken this strategy are not being updated particularly in response to emerging security concerns. App updates can be a chore especially when there are many of them.
Going back to Nguyen-Duy’s piece, it is worth highlighting the reality that most organizations tend to overlook the security implications of the rate of continuous integration or continuous delivery (CI/CD) for apps. He said that their study found that less than a quarter of organizations test the security of their apps every time there are code changes.
“On average, organizations publish 25 software updates into production every month. That means consistent and frequent threat and vulnerability testing is critical. Yet only 21% of respondents confirmed that they test every time the code changes,” Nguyen-Duy said.
Aside from making sure that the apps organizations use are secure, it is also essential to ascertain that their security holds after they are patched or updated. The protective mechanisms or features of the software can be easily impacted by the changes they go through over time.
Breaches happen more often than organizations think
According to a 2021 data breach survey, 94 percent of organizations have suffered data breaches over the past year. Many will likely be surprised by this finding. Most companies do not realize they have already been the victim of a cyber-attack or the incident they went through at some point was already an assault on their IT defenses.
After the alarming SolarWinds incident, cybersecurity professionals are becoming more vigilant in calling for stronger protections in the IT supply chain. A recent Dark Reading poll reveals that an overwhelming majority of cybersecurity professionals, at 78 percent, believe that security concerns are enough reason to delay app deployment, while 34 percent are convinced that attackers who have extensive knowledge of app vulnerabilities are the biggest threat to app security.
In light of the growing reliance on apps of businesses and even government offices worldwide, it is important to make app security a priority. The impact of security breaches through vulnerable apps does not only affect individual users. The adverse consequences do not only disrupt options, but they can result in serious reputational damage that is more difficult to fix compared to dealing with technical aftermath.
The responsibility for app security
Who should be responsible for making apps secure? Both the app developer and user have crucial roles to play. Application creators must be in tune with the latest cyber threat intelligence, so they can promptly release security patches as needed. On the part of users, they must update their apps as soon as they receive notifications for the availability of updates. At the same time, they need to observe best practices for app security to make sure they do not become the source of weaknesses that provide cyber criminals the opportunity to strike.
Even web applications, which account for 80 percent of app attacks according to the 2021 Verizon Data Breach Investigations report, should be protected by both the developer and users. Some tend to have the misconception that since web apps are not being installed on local devices, the obligation to keep them secure rests solely on the developer. However, given the growing aggressiveness of cyberattacks, it is also advisable to employ additional defenses such as web application firewalls.
It is also recommended for organizations to adopt a zero-trust policy when it comes to app security. Privileged access management and multi-factor authentication should also become a standard for all to ensure that unauthorized access to key applications is prevented.
App security is a must
As more apps are integrated into an organization’s system, it is important to pay attention to security more than ever. Apps can become tools for cybercriminals in defeating security solutions. Vulnerabilities in these applications can nullify the stringent security measures an organization has put in place.
As such, organizations must only use apps that are guaranteed to be secure. Also, it is important to realize that app security is the sole responsibility of the app providers. There are things users also need to do to protect the apps they use, especially when it comes to installing updates and having additional protection for web applications.
