It seems like there’s a new cyber security breach every other day. We hear that our personal data has been compromised, that our healthcare information might be known to others, and now that retail and financial application data is at a level of risk that may be even more severe than previously believed – there’s clearly a domino effect at work right now in cyber security.
It comes as no surprise to anyone well-versed in application security that a study by CAST recently found that most retail (70%) and financial services (69%) applications are vulnerable to input validation attacks. While it’s always satisfying to point out the security failings of the big IT providers, the more common issue is simply weak application software. And poor input validation is the usual culprit. The 2014 Verizon Data Breach Investigations Report (some great reading) backs up CAST’s findings when it notes that 80% of attacks on retail web apps leverage SQL Injection.
Eliminating input validation vulnerabilities is akin to getting your kids to keep their rooms clean. In theory it’s simple, and you can get it done some of the time, but you never quite achieve consistent success. Oh, and it’s a headache as well. I’m amazed when someone in the business tells me how easy it will be to root out poor input coding… the first thing I want to know is how clean his kid’s room is. The facts speak for themselves: if the existing methods for catching and correcting poor input validation were effective, we wouldn’t have input validation attacks wreaking the havoc they do. Since the reality is just the opposite, it’s not too hard to conclude that, for whatever reason, they do not work. The reasons could be debated (poor technology, not enough understanding of the apps, misaligned incentives, internal politics), but not the conclusion.
Mitigating input validation vulnerabilities is one of the things Waratek’s technology does best. We don’t try to solve the problem by “fixing the code”, or by putting security in the network (where you don’t have enough context to be both effective and accurate). We operate in the middle, at the JVM layer, which gives us enough context without having to touch the app code itself. We leverage a capability native to the industry-standard JVM (“taint tracking”) that tracks input data and blocks such data from altering application logic. Taint tracking prevents code injection attacks like SQL injection by stopping malicious or malformed user input from being passed from an untrusted source, such as an HTTP query string, through to a SQL query against a database. You can also feed this information back into the software development life cycle to improve code quality – even if you have some legacy app everyone is afraid to touch!
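To make the taint-tracking idea concrete, here is an added example that is not Waratek’s code and not part of the original post. It models the two rules the paragraph describes: data read from an untrusted source is marked tainted, taint propagates through string concatenation, and the SQL sink refuses to run query text that carries taint. The class and method names (TaintedValue, SqlSink, lookupByConcatenation, lookupByParameter) are hypothetical, and the sink is a stand-in that records queries instead of a real JDBC driver. A real JVM implementation would do the marking and propagation by instrumenting String and JDBC operations rather than by hand as here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example: a deliberately tiny taint-tracking model (hypothetical names,
 * not Waratek's implementation). Propagation and the sink check are written
 * out by hand; real JVM taint tracking instruments String and JDBC calls.
 */
public final class TaintTrackingDemo {

    /** A string that remembers whether any part of it came from an untrusted source. */
    static final class TaintedValue {
        final String value;
        final boolean tainted;

        private TaintedValue(String value, boolean tainted) {
            this.value = value;
            this.tainted = tainted;
        }

        /** Data read from an HTTP query string, header, form field, etc. */
        static TaintedValue fromUntrustedSource(String v) { return new TaintedValue(v, true); }

        /** A literal written by the developer: trusted, since it cannot be influenced at runtime. */
        static TaintedValue literal(String v) { return new TaintedValue(v, false); }

        /** Propagation rule: the result is tainted if either operand is tainted. */
        TaintedValue concat(TaintedValue other) {
            return new TaintedValue(value + other.value, tainted || other.tainted);
        }
    }

    /** Stand-in for the database. The SQL text is application logic and must not be tainted. */
    static final class SqlSink {
        final List<String> executed = new ArrayList<>();

        /** Dynamic SQL: the whole string is logic, so any taint means untrusted data is shaping the query. */
        void execute(TaintedValue sql) {
            if (sql.tainted) {
                throw new SecurityException("blocked: tainted data reached SQL logic: " + sql.value);
            }
            executed.add(sql.value);
        }

        /**
         * Parameterised SQL: only the template is logic. Bind values reach the driver
         * as data and are never parsed as SQL, so they are allowed to be tainted.
         */
        void executePrepared(TaintedValue template, TaintedValue... params) {
            if (template.tainted) {
                throw new SecurityException("blocked: tainted SQL template: " + template.value);
            }
            String[] bound = Arrays.stream(params).map(p -> p.value).toArray(String[]::new);
            executed.add(template.value + " -- bound " + Arrays.toString(bound));
        }
    }

    /** Weak pattern: user input concatenated into the query. Returns true if the query ran. */
    static boolean lookupByConcatenation(SqlSink db, String owner) {
        TaintedValue in = TaintedValue.fromUntrustedSource(owner);
        TaintedValue sql = TaintedValue.literal("SELECT * FROM accounts WHERE owner = '")
                .concat(in)
                .concat(TaintedValue.literal("'"));
        try {
            db.execute(sql);
            return true;
        } catch (SecurityException e) {
            System.out.println(e.getMessage()); // this message is what you feed back to the dev team
            return false;
        }
    }

    /** Hardened pattern: constant template plus a bind parameter. Returns true if the query ran. */
    static boolean lookupByParameter(SqlSink db, String owner) {
        TaintedValue in = TaintedValue.fromUntrustedSource(owner);
        try {
            db.executePrepared(TaintedValue.literal("SELECT * FROM accounts WHERE owner = ?"), in);
            return true;
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        SqlSink db = new SqlSink();
        // Constructed sample inputs: a plain name and one containing a quote character.
        // The policy blocks both on the concatenation path, because it keys on data flow,
        // not on what the input looks like; both run fine on the parameterised path.
        for (String owner : new String[] { "alice", "O'Brien" }) {
            System.out.println(owner + " via concatenation ran: " + lookupByConcatenation(db, owner));
            System.out.println(owner + " via parameter ran: " + lookupByParameter(db, owner));
        }
        System.out.println("executed: " + db.executed);
    }
}
```

The point of the two inputs is that the block does not depend on recognising an attack string: the harmless "alice" is refused on the concatenation path just as "O'Brien" is, because untrusted bytes became part of the SQL text. The blocked message names the exact query that was shaped by user data, which is the information you can hand back to developers to locate and fix the concatenation in the legacy code.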
The latest findings are helpful, but they merely confirm what we already knew: vulnerabilities in production code will exist no matter how securely we try to write applications. Left unprotected, these vulnerabilities are akin to playing cyber security dominoes! New approaches are needed if we’re ever going to make real progress.