How companies combat software insecurities

In most companies, developers are focused on meeting project deadlines, and that often leads to applications that are insecurely coded.

Custom development can multiply vulnerabilities. Some 48 percent of developers think they leave vulnerabilities in their code, according to the State of Developer-Driven Security Survey 2022 from Secure Code Warrior.

Practices that produce vulnerable software

Organizational and development practices make software vulnerable, as does software age and evolution. But penetration (pen) testing reduces these risks.

Pen testers challenge the software, looking for every opportunity to break it with the organization’s full knowledge and permission, causing no damage. It’s better to know the truth and fix an application pre-deployment than to face the aftermath of a data breach and fix it then.

Developers can leverage code snippets from online code repositories that speed up the development process and add functionality to their application,” said HORNE Chief Information Security Officer Brad Pierce. It’s time consuming to develop new code to enable functions and features, so when developers find code that works, it’s easier to use it than to develop their own.

“But code reuse can have unintended consequences,” Pierce said. “This borrowed code should be fully vetted to ensure it is secure. Once it’s in the codebase, and perhaps even in production, it may make the software vulnerable or unstable.”

Committing authentication secrets to open-source repositories

Developers enable open-source code to communicate with systems over the internet, adding the remote software’s capabilities without coding it into the project. The software uses secrets to authenticate on the remote system.

“Our pen testers found sensitive secret keys stored in a client’s code repository. Committing secrets such as Application Programming Interface keys and database connection strings to a web application GIT repository is bad hygiene,” Pierce said.

When developers commit those secrets to the source code, criminal hackers can connect to the remote software and systems using those secrets.

Large, complex applications and code

“A large web application can have a large codebase using complex code. The larger and more complex the application becomes, the more it warrants pen testing,” Pierce said.

Software complexity increases vulnerabilities, and as the lines of code grow, the risk of vulnerabilities grows.

Developers create spaghetti code, which is overly complex and ignores code structure and style guidance. Spaghetti code can appear frequently across large codebases, carrying vulnerabilities with it.

Waning patches and support

“If you paid a third party $1 million to develop a complex web application, and you’re managing it, is that development company servicing, supporting and patching it for you?” Pierce asked.

If not, the application becomes increasingly vulnerable to attack. It’s a common issue, and pen testing helps organizations address it.

How HORNE helps companies combat vulnerabilities

Pen testers in HORNE’s Cyber division follow industry-standard guidance to uncover the most severe vulnerabilities.

The Open Web Application Security Project updates its 10 most critical security risks to web applications each year. Numerous corporate sponsors, global organizations and the open-source development community support the work, according to OWASP.

“We use the OWASP Top 10 for web app and API testing as a framework for our testing,” Pierce said.

Broken access controls, which appear at the top of OWASP’s list, can lead to unauthorized access and data exfiltration, Pierce said.

“We tested the multifactor authentication setup for a web app not long ago. When we looked at the server response in the browser’s communication, we could remove the MFA key and get into the application. They had MFA; it just didn’t work,” Pierce said.

Since organizations use MFA to keep access secure in the face of vulnerable passwords, broken MFA is a critical risk.

According to Pierce, injection vulnerabilities, which led the OWASP Top 10 list in previous years, are still common and severe.

Pierce said that attackers look for injection vulnerabilities, which are relatively easy to find. Injection attacks enable criminal hackers to access valuable data from various databases.

A database subject to an injection attack could have personally identifiable information, such as first and last names, dates of birth, addresses and information an attacker could use to triangulate an individual’s location, Pierce said.

Some injection attacks open databases full of login credentials that attackers can use to track down other precious data.

“If an SQL Injection attack exposes usernames and passwords, the criminal hacker can check for password reuse,” Pierce said.

The more people reuse their passwords, the more systems that cybercriminals can log in to with the same credentials. Password reuse can put the rest of the organization in danger and risk breaches at other companies.

Pen testers can find vulnerabilities in SQL databases and every other common database.

HORNE pen testing reports

Pen testing reports reflect thorough, well-documented engagements.

The report is a proof of work with descriptions, examples and screenshots showing how we checked the application and how our experts exploited any vulnerabilities they found, Pierce said.

HORNE pen testers are also developers, he said.

“The language in the report is developer-centric. A client can hand it to the internal development team or a third-party development team, and they can use it to fix the vulnerabilities in the report. In 100% of the cases, the development team was able to fix the issue.”

Pierce explained, “Organizations must understand that developers develop an application to work, not break. You need someone who didn’t make it work to hack it and try to make it break.”

If your company needs help identifying and repairing application insecurities, contact HORNE today.

READ MORE OF OUR LATEST INSIGHTS

SEE AROUND CORNERS.
INDUSTRY EXPERTISE DELIVERED.

More Insights

Six things you need to know about Google Analytics 4

Google Analytics 4 is the next generation of Google Analytics. This is not simply a new version; it’s a new way to track and present data....

READ MORE

Tips to get the most out of Google’s Helpful Content Update

Change is coming faster than ever. Every week, I search for the meaning of some new acronym that impacts our business processes. As someone who...

READ MORE

Bridging the Gap: Capturing knowledge before it walks out the door

By 2030, all baby boomers will be 65 or older. Not to mention that many Gen Xers — or those born between 1965 and 1980 — are now in their 50s....

READ MORE

Healthcare leaders need to be ‘aggressively urgent’

The healthcare industry is in a state of emergency today. In an industry where change notoriously happens gradually at best, leaders should change to...

READ MORE

How companies combat software insecurities

In most companies, developers are focused on meeting project deadlines, and that often leads to applications that are insecurely coded. Custom...

READ MORE

Web applications remain biggest threat to cybersecurity

One of the biggest threats facing organizations related to cybersecurity involves web application security. Organizations continue to use...

READ MORE

Talk to an expert today.