According to the analyst firm Gartner, “Over 70 percent of security vulnerabilities exist at the application layer, not the network layer.” This number was even higher in findings by the National Institute of Standards and Technology (NIST), which found that “…92 percent of reported vulnerabilities are in applications not in networks.”
These statistics show that increasing the security of applications is essential for decreasing cyber risk. Application-layer and software vulnerabilities have served as the entrance points for malicious actors in multiple notable security breaches against government agencies and critical infrastructure. A poignant and painful recent example is the 2020 SolarWinds attack, which impacted as many as ten different government agencies, including the Departments of Commerce and the Treasury, and directly resulted from vulnerabilities in a network management software application.
While it’s evident that software and application vulnerabilities are a significant cyber risk across enterprises, the changing nature of software and applications is making that risk larger and more complex by the day.
Today’s application development teams are under pressure to develop software at an incredibly rapid pace to keep up with the speed of innovation. Simultaneously, the adoption of microservices and new architectures and platforms – such as containers and the platforms necessary to manage and orchestrate containers – has given these teams the tools they need to develop and deploy software updates and patches on accelerated schedules.
While accelerated updates and patches speed up the remediation of identified vulnerabilities in software and applications, they can also breed new vulnerabilities as development teams rush through the software development lifecycle (SDLC) to add features and capabilities to their solutions. Containers add their own security concerns: they are often created independently and tend to pile up, creating a security and management problem that is becoming known as “container sprawl.”
Together, this increased complexity and the larger ecosystem of endpoints that access applications are making it harder to keep track of, manage, and patch applications. Therefore, while it’s more crucial to update and patch applications than ever before – it’s also significantly more challenging to do so. Worse, two major changes in software structure and the infrastructure on which it’s deployed are creating a new set of security vulnerabilities that were never concerns in the past.
The new AppSec challenge – Infrastructure as Code
In the past, applications were developed and deployed on hardware that was most likely on-premises. The rise of the cloud and the emergence of cloud-native technologies, containerization and container orchestration solutions marked a new software development era. Today, not all applications are managed on a single server – or even a group of servers. Instead, they’re deployed across several containers that are created independently by the development team.
The infrastructure that runs these containerized applications consists of private clouds or public cloud resources, such as those made available by one of the large cloud solution providers, including Amazon Web Services (AWS), Google Cloud, Microsoft’s Azure, and several other providers.
The infrastructure needed to run those applications is no longer defined and configured by an organization’s IT department in a physical data center. In most cases, it is provisioned in the cloud – defined and managed by software. The rise of the cloud also gave rise to the concept of “self-service,” which often involves development teams provisioning, defining, and configuring their own cloud infrastructure. Together, these technology changes and trends have given rise to Infrastructure as Code (IaC), which is another term for the automation of the deployment of infrastructure in modern, dynamic environments – such as public, private, and hybrid clouds.
IaC empowers application development teams to use scripting code that sets up the network necessary to host and run their applications. Teams repeatedly reuse and share scripting code created by application developers who are not experts in provisioning and configuring secure networks. But what happens when a script configures the infrastructure and cloud resources in an unsecured way? Once a malicious actor identifies a vulnerability in one script, they will look for the same flaw in IaC across the entire organization or industry. Furthermore, if previous experience tells us anything, zero-day vulnerabilities are weaponized and spread quickly among malicious actors.
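The kind of unsecured configuration this paragraph warns about is usually mundane: a security group that opens an administrative port to every address on the internet. The following added example (not code from the article or from any real deployment) shows one way a team can catch that before the script is applied. It embeds two small JSON documents constructed for the illustration and loosely modelled on Terraform's JSON syntax; the resource name `aws_security_group`, the group name `app_sg` and the address ranges are assumed values. The check flags any ingress rule that combines a world-open CIDR (`0.0.0.0/0` or `::/0`) with an administrative port or with "all traffic".

```python
import ipaddress
import json

# Ports that should never be reachable from the whole internet (assumed list).
ADMIN_PORTS = {22, 3389}

# Constructed weak configuration: SSH (22) and HTTPS (443) both open to the world.
WEAK_CONFIG = json.dumps({
    "resource": {
        "aws_security_group": {
            "app_sg": {
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                ]
            }
        }
    }
})

# Constructed hardened configuration: SSH restricted to an assumed corporate range,
# HTTPS still public because that is the service the group is meant to expose.
HARDENED_CONFIG = json.dumps({
    "resource": {
        "aws_security_group": {
            "app_sg": {
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["10.20.0.0/16"]},
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                ]
            }
        }
    }
})


def is_world_open(cidr: str) -> bool:
    """True for a prefix that covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposes_admin_port(rule: dict) -> bool:
    """True if the rule allows all traffic or its port range contains an admin port."""
    if str(rule.get("protocol")) == "-1":        # "-1" means all protocols/ports
        return True
    low, high = int(rule["from_port"]), int(rule["to_port"])
    return any(low <= port <= high for port in ADMIN_PORTS)


def audit_security_groups(config_text: str) -> list[str]:
    """Return one finding per ingress rule that exposes an admin port to the world."""
    config = json.loads(config_text)
    groups = config.get("resource", {}).get("aws_security_group", {})
    findings = []
    for name, body in groups.items():
        for rule in body.get("ingress", []):
            world_open = any(is_world_open(c) for c in rule.get("cidr_blocks", []))
            if world_open and exposes_admin_port(rule):
                findings.append(
                    f"{name}: ingress {rule['from_port']}-{rule['to_port']}/"
                    f"{rule['protocol']} is open to the world"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_security_groups(cfg) or "no findings")
```

Running the audit as a pre-commit or pipeline step turns the shared script into something that is checked every time it is reused, rather than trusting that the developer who copied it knew which ports are safe to expose.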
Unfortunately, IaC is just one of the two new cyber risks facing organizations due to changing software development technologies and trends.
The other new AppSec challenge – APIs
Today’s cloud-native applications are no longer monolithic juggernauts of code that take years upon years to create and additional years to update and patch. Today’s applications are a combination of smaller parts known as microservices – small applications responsible for specific jobs, functions, or capabilities.
While each of these microservices has a distinct function, they all need to talk to each other and interact to complete the entire task. The interface that connects these microservices and allows them to interact is known as an API, and APIs have rapidly become the backbone of modern applications. Unfortunately, as organizations use more APIs to connect microservices for complex functions, they’re also creating a new attack vector.
According to the Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software, “By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers.” Noting that innovation would be impossible without secure APIs, OWASP has aggregated a top ten list of API vulnerabilities. This top ten list includes a number of known software attacks and vulnerabilities, including injection and authentication flaws. However, it also contains several vulnerabilities that are either unique to APIs or exacerbated by APIs’ access and exposure to PII.
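The OWASP API list opens with broken object level authorization: an endpoint that checks that the caller is logged in but not that the caller is allowed to see the particular object requested. Because API responses so often carry PII, that one missing check exposes exactly the data the paragraph above is concerned with. The following added example (not code from the article or from OWASP) contrasts a vulnerable handler with a hardened one over a constructed in-memory user table; the `User` fields, the `admin` role and the `handle` dispatcher standing in for a web framework are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    email: str
    ssn: str    # PII: must never be returned to another ordinary user
    role: str   # "user" or "admin" (assumed role model)


# Constructed in-memory "database" standing in for the real user store.
USERS = {
    1: User(1, "alice@example.com", "123-45-6789", "user"),
    2: User(2, "bob@example.com", "987-65-4321", "user"),
    3: User(3, "carol@example.com", "555-55-5555", "admin"),
}


class Forbidden(Exception):
    """Raised when the caller is not authenticated or not authorized."""


def get_user_vulnerable(caller_id: int, target_id: int) -> dict:
    """Broken object level authorization: any logged-in caller can read any record."""
    if caller_id not in USERS:
        raise Forbidden("not authenticated")
    user = USERS[target_id]            # KeyError for unknown ids
    return dict(user.__dict__)         # returns every field, including ssn and role


def get_user_hardened(caller_id: int, target_id: int) -> dict:
    """Same endpoint with an ownership check and an explicit allow-list of fields."""
    caller = USERS.get(caller_id)
    if caller is None:
        raise Forbidden("not authenticated")
    # Object-level check: only the owner or an admin may read this record. The check
    # runs before the lookup so a non-admin cannot use 403-vs-404 to enumerate ids.
    if caller.id != target_id and caller.role != "admin":
        raise Forbidden("not authorized for this object")
    user = USERS.get(target_id)
    if user is None:
        raise KeyError(target_id)
    # Return only the fields this endpoint is meant to expose; ssn and role stay out.
    return {"id": user.id, "email": user.email}


def handle(handler, caller_id: int, target_id: int) -> tuple:
    """Tiny stand-in for a framework's dispatch: map outcomes to HTTP-style statuses."""
    try:
        return 200, handler(caller_id, target_id)
    except Forbidden:
        return 403, {}
    except KeyError:
        return 404, {}


if __name__ == "__main__":
    # Alice (id 1) asks for Bob's record (id 2).
    print("vulnerable:", handle(get_user_vulnerable, 1, 2))
    print("hardened:  ", handle(get_user_hardened, 1, 2))
    print("admin:     ", handle(get_user_hardened, 3, 2))
```

The two handlers differ by a single comparison and a field allow-list, which is why this class of flaw survives code review so easily: the vulnerable version is not wrong in any way a type checker or unit test of the happy path would notice. Testing each endpoint with a caller who does not own the requested object is the check to add.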
The State of API Security annual report released by Salt Security found that approximately 90 percent of respondents claimed to have experienced an API security incident in the previous year. The report also found that 66 percent of respondents delayed the launch of an application due to an API security concern. As APIs become increasingly essential in key software and applications, they also become an increasingly large cyber risk. If ignored, bad actors could exploit them to shut down the services that depend on them.
With software taking an outsized role across all sectors and enterprises, developers moving faster to create applications at the speed of innovation, software vulnerabilities among the most exploited in cyberattacks, and two new vectors in the form of IaC and APIs, it may seem like securing critical infrastructure is near impossible. However, organizations can leverage certain technologies in the application development process to make applications more secure. There are also new approaches to application development that help teams deploy software quickly without sacrificing security.
In my next article on the GovDevSecOpsHub, I’ll look at the tools and techniques available to development teams that can help them overcome these challenges and develop more secure software.