Code & Data Security
Context aware application security testing, because not all vulnerabilities were created equal.
Context aware security, although not a new concept, is gaining popularity these days due to the extent of hacker attacks as well as the increasing complexity of the systems that need protecting. Neil MacDonald of Gartner describes context aware security as the use of supplemental information in order to improve security decisions at the time these decisions are made.
Context aware security is about considering the target of the attack, the context of the attack or vulnerability, when making a decision regarding the threat that was identified.
Consider the following scenario: Hackers are actively targeting two servers – let’s call them ServerA and ServerB. In both cases the hackers are attempting to gain root access to a server inside the corporate network. At first sight the two threats seem identical. Which one should the security teams handle first?
Now let’s add the following information: ServerA hosts corporate retreat plans. ServerB hosts the prototype for the company’s next patent application. With this information the choice is no longer ‘do we rescue ServerA or ServerB’; the decision is now between saving the corporate retreat plans and saving the company’s financial future.
The research on the topic of context aware security is mostly around network level security. However, following a recent discussion with Neil MacDonald, it became clear that in application security this is no different. During a penetration test a human tester (a good one) will most likely focus on identifying and pointing out vulnerabilities that pose a threat to the application business, such as stealing a database containing confidential information. Unfortunately, most automatic code security tests do not follow this logic. An SQL Injection vulnerability is just that – an SQL Injection vulnerability.
Consider the following scenario – ApplicationA and ApplicationB both have SQL Injection vulnerabilities. The SQL Injection flaws in both these applications allow only read operations, not write or execute. Which of these vulnerabilities should the development team, with its limited resources and tight deadlines, address first?
Now let’s add the following information. ApplicationA contains a list of books offered for sale. This information is publicly accessible and the database is there to store and provide the information upon request. ApplicationB contains passwords, user PII (Personally Identifiable Information) and medical claims. The choice is no longer between solving one SQL Injection vulnerability or the other; it is now between preventing the leakage of a publicly available list of books and preventing the leakage of sensitive user information, including credit card numbers and other pieces of information protected by regulation. It is a much clearer choice at this point.
Most application attacks are not about defacement or taking a server offline, they are about targeting the information these applications handle. This offers the best revenue potential for attackers. For this reason it is important to perform context-aware code security testing.
Seeker is a context-aware IAST (Interactive Application Security Testing) solution. It performs run-time analysis to classify data, understand application flows and how the application handles user information. Seeker identifies information that would be of value to an attacker – either common targets like credit cards or PII, or more application-specific information such as private messages between executives in the organization. Seeker then uses this knowledge to perform better vulnerability detection and to accurately assess the risk of identified vulnerabilities, providing a clear view of which vulnerabilities must be fixed first.
The same SQL Injection is weighted differently when it exposes a public database than when it lets an attacker retrieve rows from a table in which the application stores credit card information without encryption.
Or take an attacker being able to download files from the server without authorization: if the accessible files include those to which the application writes transaction information for later processing, the finding immediately becomes a much more severe and urgent threat.
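A toy prioritization model, added here as an illustration and not Seeker’s code, that applies the post’s logic to its own ApplicationA/ApplicationB scenario: every stored value a flaw can reach is classified (card numbers via a Luhn check, e-mail addresses as PII), and the flaw’s technical capability (read, write or execute) is multiplied by the most sensitive data class it reaches. The weights, field names and sample values are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
# Assumed weights (not Seeker's): sensitivity of reachable data, and what the flaw permits
DATA_WEIGHT = {"PAN": 10, "PII": 6, "PUBLIC": 1}
CAPABILITY_WEIGHT = {"read": 1, "write": 2, "execute": 3}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates a plausible card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value: str) -> str:
    """Label a stored value by the kind of data it is (the run-time classification step)."""
    compact = value.replace(" ", "").replace("-", "")
    if compact.isdigit() and 13 <= len(compact) <= 19 and luhn_valid(compact):
        return "PAN"
    if EMAIL_RE.match(value):
        return "PII"
    return "PUBLIC"

@dataclass
class Finding:
    app: str
    vuln: str
    capability: str       # what the flaw grants: read, write or execute
    reachable_data: list  # values the flaw lets an attacker reach

def risk_score(f: Finding) -> int:
    """Technical severity times the most sensitive class of data the flaw can reach."""
    worst = max((DATA_WEIGHT[classify(v)] for v in f.reachable_data), default=1)
    return CAPABILITY_WEIGHT[f.capability] * worst

def prioritize(findings: list) -> list:
    """Order findings so the ones exposing the most valuable data come first."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings mirroring the post's ApplicationA / ApplicationB scenario.
FINDINGS = [
    Finding("ApplicationA", "SQL Injection", "read",
            ["The Art of Software Security Assessment", "Gray Hat Python"]),
    Finding("ApplicationB", "SQL Injection", "read",
            ["jane.doe@example.com", "4111 1111 1111 1111"]),
]

for f in prioritize(FINDINGS):
    print(f"{risk_score(f):3d}  {f.app}: {f.vuln} ({f.capability})")
```

Both findings are technically identical read-only injections; only the data classification separates them, which is the point the post makes.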
Context awareness is needed to make sense of what testing finds. Without context, all vulnerabilities look equal, and it is very difficult to figure out what really needs securing. In reality, vulnerabilities only look equal when they are examined from a purely technical perspective (for example, as syntax injection). Once the context information is added, it becomes very clear that not all vulnerabilities were created equal.
Security is about risk management. It is rarely possible to address each and every threat at the moment it is discovered. For this reason it is important to bring context-awareness into the security testing process, allowing organizations to prioritize from different risk levels, as opposed to prioritizing different vulnerabilities without the ability to assess the risk.
Seeker is the only security testing solution that looks at vulnerabilities in the context of user data in the application. It uses this context information to assess the real risk of vulnerabilities.
Learn more about Seeker here.