AppSec Lessons Learned In 2019

3838 0

People are abuzz right now with trend predictions for 2020. It’s like putting the cart before the horse. Before we start making assumptions about what we think will happen this year, we need to take stock with what we know happened in 2019. What types of threats continued to haunt us? Have we cracked (no pun intended) the code to secure mobile apps? What are the mistakes we don’t want to repeat again in 2020? Below are the key lessons we learned in 2019 and key consideration to think about in 2020.

“Magecart” is a real threat

Magecart refers to multiple threat groups that use credit card skimming technology to infect eCommerce platforms and websites with the goal of stealing personal and financial information. Virtual credit card skimmers are inserted into a web application, often the shopping cart, and are used to steal credit cards and personal customer information to sell on the black market for the purpose of purchasing goods online  to traffic for cash and support other criminal activities.

In 2018 the Magecart groups made headlines for the high-profile mega-breaches of global brands like Ticketmaster, Forbes, British Airways and more. In 2019, Magecart-style attacks continue to succeed at breaching the websites of global companies without being detected, costing millions of dollars in fraudulent credit card charges and government penalties.

This continued threat of the Magecart groups is dangerous, especially for organizations that rely on eCommerce revenue to drive business growth. In August Arxan commissioned the research report In Plain Sight II: On the Trail of Magecart, conducted by Aite Group, which uncovered that over 80 compromised eCommerce sites globally were actively sending credit card numbers to off-site servers under the control of the Magecart groups. And this was after just 2.5 hours of initial research! 100 percent of the 80 sites discovered had no in-app protection implemented, such as tamper detection and code obfuscation; and 25 percent of the sites discovered were large, reputable brands in the motorsports industry and luxury apparel. Everyone is at risk and we need to take Magecart threats more seriously.

Your (secure) code is readable

Earlier this year, research by Aite Group examined mobile application security vulnerabilities across eight financial services sectors. It took an average of only 8.5 minutes to compromise each of the 30 apps analyzed. Nearly all of the 30 applications could easily be reverse engineered allowing access to sensitive information stored inside the source code, such as improperly stored PII, account credentials, server-side file locations, API keys, and live deployment and QA URLs used by the developers for testing the apps.

Alarmingly 97% of all apps tested lacked binary code protection, making it possible to reverse engineer or decompile the apps exposing source code to analysis and tampering. Why was this possible? Typical controls for app security focus on ensuring that the app code passes quality and security procedures and that accounts can only be accessed by authorized users. Traditional approaches are focused on the creation of a secure ecosystem (like web application firewalls) that ensure app code and network security. The problem is neither is capable of protecting the business from app reverse engineering or directed API attacks.

Your API is exposed 

Today’s issue is we have a new(ish) endpoint — the application. Today apps provide the broadest attack surface area because they are literally everywhere, and industry analysts predict that “by 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications”. In order to adopt modern application architectures, organizations increasingly rely on APIs to drive innovation, speed of development, and provide new monetization opportunities. If your app is exposed, your API is exposed. Web applications, and their APIs, are highly vulnerable, as they rely on code running in a browser that is not protected, leaving organizations defenseless and blind to increasingly common threats.

According to the Open Web Application Security Project’s (OWASP) 2019 API Security Top 10 list, “By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this, APIs have increasingly become a target for attackers.” Exposing APIs and moving business logic to the client-side of applications, outside the protection of traditional network security, creates a massive new attack surface. This increases the risk for formjacking, DOM tampering, session abuse, overlay attacks, API abuse, and more.

According to Gartner research, web-enabled applications already have 40% of their attack surface in the form of APIs instead of user interface and by 2021, APIs will account for 90% of the attack surface. Just this past summer Capital One suffered a massive API-related breach, compromising personal information for more than 100 million customers.

We learned a lot last year in application security. In order to not repeat the mistakes of 2019, it’s important to remember a few things: it’s not a matter of if an application can be attacked but when and how quickly that attack can be detected. There is no such thing as a completely secure app. Secondly, enterprises can’t control all of their data because it’s everywhere — on mobile phones, AWS cloud, S3 buckets, at-home work station, tablets, etc. IT executives need to adopt a layered approach to security, encrypting the code, implementing an API security gatework to secure the traffic, hiring a penetration tester, deploying dynamic code analysis, etc. As 2020 approaches, security leaders need to use lessons learned in 2019 and prepare themselves to continue to navigate the dynamic threat landscape in the year ahead.

1 Gartner, “API Security: What You Need to Do to Protect Your APIs”, August 28, 2019

Ken Jochims
Ken has more than 25 years of enterprise software product marketing experience in fraud prevention and IT infrastructure and financial services solutions across the Fortune 1000. Prior to Arxan, Ken worked for Neustar, ThreatMetrix, Guardian Analytics, CA Technologies, BMC, NeXT Computer and Apple.

Ken Jochims Web Site

In this article