Custom development can multiply vulnerabilities. Some 48 percent of developers think they leave vulnerabilities in their code, according to the State of Developer-Driven Security Survey 2022 from Secure Code Warrior.
Practices that produce vulnerable software
Organizational and development practices make software vulnerable, as does software age and evolution. But penetration (pen) testing reduces these risks.
Pen testers challenge the software, looking for every opportunity to break it with the organization’s full knowledge and permission, causing no damage. It’s better to know the truth and fix an application pre-deployment than to face the aftermath of a data breach and fix it then.
“Developers can leverage code snippets from online code repositories that speed up the development process and add functionality to their application,” said HORNE Chief Information Security Officer Brad Pierce. It’s time consuming to develop new code to enable functions and features, so when developers find code that works, it’s easier to use it than to develop their own.
“But code reuse can have unintended consequences,” Pierce said. “This borrowed code should be fully vetted to ensure it is secure. Once it’s in the codebase, and perhaps even in production, it may make the software vulnerable or unstable.”
Committing authentication secrets to open-source repositories
Developers enable open-source code to communicate with systems over the internet, adding the remote software’s capabilities without coding it into the project. The software uses secrets to authenticate on the remote system.
“Our pen testers found sensitive secret keys stored in a client’s code repository. Committing secrets such as Application Programming Interface keys and database connection strings to a web application GIT repository is bad hygiene,” Pierce said.
When developers commit those secrets to the source code, criminal hackers can connect to the remote software and systems using those secrets.
Large, complex applications and code
“A large web application can have a large codebase using complex code. The larger and more complex the application becomes, the more it warrants pen testing,” Pierce said.
Software complexity increases vulnerabilities, and as the lines of code grow, the risk of vulnerabilities grows.
Developers create spaghetti code, which is overly complex and ignores code structure and style guidance. Spaghetti code can appear frequently across large codebases, carrying vulnerabilities with it.
Waning patches and support
“If you paid a third party $1 million to develop a complex web application, and you’re managing it, is that development company servicing, supporting and patching it for you?” Pierce asked.
If not, the application becomes increasingly vulnerable to attack. It’s a common issue, and pen testing helps organizations address it.
How HORNE helps companies combat vulnerabilities
Pen testers in HORNE’s Cyber division follow industry-standard guidance to uncover the most severe vulnerabilities.
The Open Web Application Security Project updates its 10 most critical security risks to web applications each year. Numerous corporate sponsors, global organizations and the open-source development community support the work, according to OWASP.
“We use the OWASP Top 10 for web app and API testing as a framework for our testing,” Pierce said.
Broken access controls, which appear at the top of OWASP’s list, can lead to unauthorized access and data exfiltration, Pierce said.
“We tested the multifactor authentication setup for a web app not long ago. When we looked at the server response in the browser’s communication, we could remove the MFA key and get into the application. They had MFA; it just didn’t work,” Pierce said.
Since organizations use MFA to keep access secure in the face of vulnerable passwords, broken MFA is a critical risk.
According to Pierce, injection vulnerabilities, which led the OWASP Top 10 list in previous years, are still common and severe.
Pierce said that attackers look for injection vulnerabilities, which are relatively easy to find. Injection attacks enable criminal hackers to access valuable data from various databases.
A database subject to an injection attack could have personally identifiable information, such as first and last names, dates of birth, addresses and information an attacker could use to triangulate an individual’s location, Pierce said.
Some injection attacks open databases full of login credentials that attackers can use to track down other precious data.
“If an SQL Injection attack exposes usernames and passwords, the criminal hacker can check for password reuse,” Pierce said.
The more people reuse their passwords, the more systems that cybercriminals can log in to with the same credentials. Password reuse can put the rest of the organization in danger and risk breaches at other companies.
Pen testers can find vulnerabilities in SQL databases and every other common database.
HORNE pen testing reports
Pen testing reports reflect thorough, well-documented engagements.
The report is a proof of work with descriptions, examples and screenshots showing how we checked the application and how our experts exploited any vulnerabilities they found, Pierce said.
HORNE pen testers are also developers, he said.
“The language in the report is developer-centric. A client can hand it to the internal development team or a third-party development team, and they can use it to fix the vulnerabilities in the report. In 100% of the cases, the development team was able to fix the issue.”
Pierce explained, “Organizations must understand that developers develop an application to work, not break. You need someone who didn’t make it work to hack it and try to make it break.”
If your company needs help identifying and repairing application insecurities, contact HORNE today.
