
Application Hacking - the missing piece of the penetration testing jigsaw

By Diane Seddon, August 25, 2002.

IT security breaches are now a regular headline feature in the UK, with a broad cross-section of organisations, from brand leaders through to public sector departments, often failing to deliver secure and trusted systems. The reputational damage resulting from such incidents hits hard, with loss of confidence from customers, business partners and shareholders alike. So why aren't organisations doing more by way of prevention? The fact is that they are. The DTI Information Security Breaches Survey 2002 found that information security is now a top management and director level priority for 73% of UK businesses, up from only 53% in 2000. The old mentality of simply installing a firewall and anti-virus software (if anything!) is giving way to a greater understanding of security issues and, more importantly, a willingness to learn, resulting in much more comprehensive investment in information security.

Evaluation of information security by an independent third party, commonly referred to as a penetration test, is now seen as a primary means of identifying areas of weakness in network architecture, and it is the single biggest use of external security consultants. From global management consultancy firms through to established specialist security consultancies, penetration testing services are more readily available than ever before and their uptake by UK businesses is on the increase.

Penetration testing as a service is as complex as it is diverse, and a growing area of concern is the largely unaddressed aspect of application security. In this context, the application can be defined as any bespoke system developed for the organisation, be it a fully fledged desktop program, an interactive web service or simply a customised CRM or document presentation system. Typically, these applications will be found on networks which can be accessed in some way by external users, be they business partners or the general public.

"There has been a marked shift from static web-sites (brochureware) to interactive services offered over private links and public media such as the Internet. These bespoke applications expose a number of new security vulnerabilities, often unique to the particular site or implementation", comments Glyn Geoghegan, Principal Security Consultant at Corsaire.

Online shopping facilities, banking, bill payment and subscription sign-ups are all examples of applications which have been developed to authenticate the user and allow restricted access to a searchable database, running alongside and connecting to shrink-wrapped commercial software. Web and other applications such as these are frequently found to be inadequately designed, implemented and secured, exposing the organisation to unnecessary risk. Even when deployed in an environment where the underlying servers, firewalls and security systems are correctly secured and configured, the application by definition interacts with back-end systems and can therefore expose them to attack. This may be as simple as sensitive data travelling unencrypted across the Internet, or as sophisticated as attacks through the user or data interfaces.

"Attacks such as SQL insertion may pass straight through the user web-interface and application servers and issue commands directly to the back end database, stealing, modifying or deleting vital data", continues Geoghegan.
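The attack Geoghegan describes, shown as an added example that is not part of the original article: a lookup that concatenates user input into its SQL statement, beside the parameterised version that binds the same input as a value. The in-memory SQLite table, its contents and the function names are constructed for the demonstration.

```python
"""Added example (not from the Corsaire article): the SQL injection flaw
described above, as a vulnerable query next to its parameterised
replacement, using an in-memory SQLite database. The table contents are
constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway customer table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, account TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "ACC-0001"), ("bob", "ACC-0002"), ("carol", "ACC-0003")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string concatenation, so user-supplied text is
    interpreted as SQL rather than as a value. This is the pattern that lets a
    crafted username reach the database as a command."""
    sql = "SELECT account FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Passes the value separately from the statement; the driver binds it as
    data, so the same crafted input simply matches no row."""
    sql = "SELECT account FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def looks_like_injection(username: str) -> bool:
    """A simple heuristic an application log monitor might apply to the raw
    parameter: quote or comment markers in a field that should only ever hold
    an identifier are worth alerting on."""
    return any(marker in username for marker in ("'", "--", ";"))


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input for the demonstration
    print(lookup_vulnerable(db, "alice"))     # one account
    print(lookup_vulnerable(db, crafted))     # every account in the table
    print(lookup_parameterised(db, crafted))  # nothing
    print(looks_like_injection(crafted))      # flagged for review
```

The fix is not in filtering the input but in never letting it become part of the statement; the heuristic is only there to show that the same malformed field is also cheap to spot in request logs.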

Many penetration testing methodologies involve checking for known vulnerabilities in network hosts and services and do not test for flaws in the bespoke applications themselves.

Application software may be susceptible to several forms of attack which differ from vulnerabilities in the supporting environment, primarily because the application itself requests and collects external user input. Buffer overflow attacks are amongst the most common: data is collected at the user interface and passed into memory buffers, and if the input is larger than the buffer and passes through unchecked, the result may be a denial of service or, worse still, the attacker may include code and seize control of a back-end host. Also, where the user is required to enter information it is relatively easy for an attacker to supply incorrect data or invalid data formats, for example changing the prices on online shopping sites or assuming the identity of another user to conduct fraudulent web transactions. In some cases the application may require access to specific files or resources, and if access controls are not properly implemented and secured, an attacker may be able to view other sensitive files or data stored on the network.
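The price-tampering case above, as an added example that is not from the original article: a checkout total that trusts the price sent by the browser, beside one that takes only the item identifier and quantity from the client and looks the price up on the server. The catalogue, request shape, limits and function names are all constructed for the demonstration.

```python
"""Added example (not from the Corsaire article): server-side validation of
checkout data, illustrating the 'changing the prices on online shopping
sites' flaw. Catalogue, request format and limits are constructed."""

# Constructed catalogue: the server's authoritative prices, in pence.
CATALOGUE = {"BOOK-1": 1299, "PEN-7": 250}
MAX_QUANTITY = 100  # assumed business limit per line item


class InvalidBasket(ValueError):
    """Raised when a submitted basket fails validation."""


def total_trusting_client(basket: list) -> int:
    """Vulnerable: the price arrives in the request and is used as-is, so a user
    who edits a hidden form field or the POST body sets their own price."""
    return sum(item["price"] * item["qty"] for item in basket)


def total_server_authoritative(basket: list) -> int:
    """Hardened: only the item id and quantity are taken from the client. The
    price comes from the server-side catalogue, and the quantity is bounded so a
    negative, zero or absurd value cannot drive the total down."""
    total = 0
    for item in basket:
        sku = item.get("sku")
        qty = item.get("qty")
        if sku not in CATALOGUE:
            raise InvalidBasket(f"unknown item {sku!r}")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise InvalidBasket(f"quantity for {sku} must be an integer")
        if not 1 <= qty <= MAX_QUANTITY:
            raise InvalidBasket(f"quantity {qty!r} for {sku} out of range")
        total += CATALOGUE[sku] * qty
    return total


if __name__ == "__main__":
    honest = [{"sku": "BOOK-1", "qty": 2, "price": 1299}]
    tampered = [{"sku": "BOOK-1", "qty": 2, "price": 1}]  # constructed tampered request
    print(total_trusting_client(honest), total_trusting_client(tampered))
    print(total_server_authoritative(tampered))  # same as the honest total
    try:
        total_server_authoritative([{"sku": "BOOK-1", "qty": -2}])
    except InvalidBasket as exc:
        print("rejected:", exc)
```

The hardened version treats every field the client can influence as untrusted and recomputes anything with a monetary consequence from data the server controls; the rejection path gives the application a clear event to log when a request does not match the form the site actually generates.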

Many of the high-profile examples reported in the press are not simply security breaches but application security breaches. Worryingly, many do not even come to light as the result of an attack but through errors during 'normal' use of the application. The recent Inland Revenue fiasco, where users were able to view other people's data on the site when filing their tax returns, escaped the attention of few in the UK. Last week in the Netherlands, a user attempted to cancel his subscription to Internet service provider Caesma, only to receive hundreds of people's bank details instead.

Many of the flaws which have led to incidents such as these are introduced to the application early in the design process, and the vast majority are entirely preventable. For companies designing their own applications or commissioning software development houses, the most cost-effective way of following best practice is through testing and peer review. Ideally, this should occur at every stage of the development process, from design through to implementation alongside commercial software on the network. The primary focus of most developers is to ensure that the correct functionality and reliability are delivered to timescales, so a third-party view on security in each phase is vital. Application testing should be undertaken again once the application is operational in a live environment.

In short, traditional infrastructure penetration testing services are still of great value to companies but it is imperative that the scope of the project is understood and communicated through close liaison between all parties involved. It is only by understanding different penetration testing methodologies such as application testing that an organisation can assess if its security and business requirements have been met and that risk can be truly managed and minimised.