In a fast-paced tech environment, the potential attack surface grows with each release. Tech companies can no longer safeguard themselves with a firewall and network monitoring alone. Web applications are the new perimeter that security warriors are tasked with protecting, as every one of them can introduce a new entry point into the company infrastructure. We look at how you can reduce your attack surface.
What is the attack surface?
The attack surface refers to the available points at which an unauthorized user could penetrate and execute actions to steal or alter data from a compromised system. Since the tech industry is in an age where there are many SaaS services and products, the digital attack surface is more than the firewall and network. It is now a sum of the available entry points consisting of the different web applications that are publicly accessible on the Internet – intentionally and unintentionally. The increased attack surface gives attackers more opportunities to find weaknesses to get in. With many teams focusing on agile working or following CI/CD best practices, it is not uncommon to see business delivery take priority over business security.
Known components in the attack surface:
Known components are the ones you are aware of from the start and monitor with extra care: the subdomains under your domain, the Apache installations whose configuration you check, the main application, and the login interfaces. Here you may be expecting DoS attempts and XSS exploits.
Unknown components in the attack surface:
There will also always be unknown components that bring weaknesses into the attack surface. In a growing business, these are harder to catch without the right processes and tools. They appear when mistakes are made in code, when rogue or shadow IT software is installed, or when the supply chain is insecure. There are also occasions where new vulnerabilities surface in existing code thanks to a pentester's or ethical hacker's pure creativity and habit of looking where others aren't.
1. Keep an inventory of company web applications
The best place to begin is knowing what you already have out there. How big is the area really that you need to cover? Where is the attack surface likely to expand?
We’ve already covered what it means to have known and unknown components; these are equally important to find, mitigate if needed, and monitor. Most organizations begin with a plan to protect the known assets. This would be everything you detail in your tech stack with a mapping of these assets, system owners, and threat models.
For unknown components, a proactive approach to security is needed because you may not know whether a bad actor is already exploiting them. They may be introduced internally, such as a mistake in code or a new web application created to meet the latest company KPIs, or, in the worst case, they could be rogue and externally added. From there, you can get a sense of how large the attack surface is, where the weaknesses lie, and make plans to reduce it.
Detectify Asset Monitoring will help you analyze your attack surface to see which kind of assets are publicly viewable on the Internet and could be taken over with automated hacking methods such as taking over forgotten subdomains.
Identify all that’s in your tech stack
Technologies come and go, and with them come vulnerability classes that could make your stack more attractive to test and attack. For example, your marketing team procures a new lead generation tool that helps them better engage visitors to the main website, but it requires third-party JavaScript to be added to the site. Sometimes you'll have a chance to approve it beforehand, but if that doesn't happen, you'll need to add it to the list of things to monitor and build security testing for.
In a fast-paced working culture, it's not uncommon for rogue installations to go under the radar. Rogue or shadow IT comes in because not everyone will want to follow the compliance rules or guidelines set, or they are unaware of the procedures in place. You know the saying, "ask for forgiveness rather than permission"? When that happens, you need an overview of what's happening in each asset's tech stack. Not every rogue implementation will result in something harmful. Stay on top of what's happening and take action when something looks suspicious or opens a new entry point in the attack surface.
Discover assets and technologies like a hacker would
Hackers can build their own asset discovery tools or run existing ones such as Shodan or BuiltWith to discover assets and technologies during recon. These hacker tools can also come in handy for the Blue Team, as they provide an external view of the public-facing assets you own. But you have to think like a hacker as well and look beyond your main applications.
Every organization spends a lot of money and resources securing the main application. What about all the other connected assets such as apps acquired from mergers, or temporary campaigns that bring in third-party technologies or new subdomains to manage? It can quickly become overwhelming, so keeping track of all your web assets and the tech stacks will make it easier for prioritization.
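The following is an added example, not code from the original post or from Detectify, of what "discover assets like a hacker would" boils down to once the DNS and HTTP probing is done: build an inventory of every host, tag the technologies a response reveals (the Server, X-Powered-By and WordPress Link headers), flag CNAMEs that point at third-party platforms and no longer resolve (the forgotten-subdomain takeover candidates mentioned above), and index hosts by technology so patching can be prioritised per stack. The recon records, hostnames and the list of third-party platform suffixes are all constructed assumptions.

```python
"""Attack-surface inventory from external recon data (added example)."""
import re
from dataclasses import dataclass, field

# CNAME targets on these platforms are the classic "forgotten subdomain"
# takeover candidates. Assumption: treat the list as a starting point.
THIRD_PARTY_SUFFIXES = (".herokuapp.com", ".github.io", ".s3.amazonaws.com",
                        ".azurewebsites.net", ".cloudfront.net")

# "Product/version" at the start of a banner, e.g. "Apache/2.4.29 (Ubuntu)".
PRODUCT_RE = re.compile(r"^([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")

# Constructed sample of what DNS resolution plus an HTTP probe returns for a
# few hosts; none of it is real observation data.
RECON = [
    {"host": "www.example.com", "cname": None, "resolves": True,
     "headers": {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"}},
    {"host": "blog.example.com", "cname": None, "resolves": True,
     "headers": {"Server": "nginx",
                 "Link": '<https://blog.example.com/wp-json/>; rel="https://api.w.org/"'}},
    {"host": "campaign2018.example.com", "cname": "old-campaign.herokuapp.com",
     "resolves": False, "headers": {}},
    {"host": "assets.example.com", "cname": "d1234.cloudfront.net",
     "resolves": True, "headers": {"Server": "AmazonS3"}},
    {"host": "login.example.com", "cname": None, "resolves": True,
     "headers": {"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET"}},
]


@dataclass
class Asset:
    host: str
    technologies: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def fingerprint(headers: dict) -> list:
    """Turn response headers into technology tags such as 'Apache/2.4.29'."""
    techs = []
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name, "")
        if not value:
            continue
        m = PRODUCT_RE.match(value)
        techs.append(f"{m.group(1)}/{m.group(2)}" if m else value.split()[0])
    # WordPress advertises its REST API in a Link header even when the
    # Server header says nothing about it.
    if "api.w.org" in headers.get("Link", ""):
        techs.append("WordPress")
    return techs


def dangling_cname(record: dict):
    """A CNAME whose target no longer resolves is dead DNS at best and a
    subdomain takeover at worst; only the platform decides which."""
    cname = record.get("cname")
    if not cname or record.get("resolves"):
        return None
    if cname.endswith(THIRD_PARTY_SUFFIXES):
        return f"dangling CNAME to {cname}: takeover candidate, verify whether the name can be claimed"
    return f"dangling CNAME to {cname}: stale DNS record"


def build_inventory(recon: list) -> list:
    inventory = []
    for rec in recon:
        asset = Asset(rec["host"], fingerprint(rec.get("headers", {})))
        cname = rec.get("cname")
        if cname and cname.endswith(THIRD_PARTY_SUFFIXES):
            asset.technologies.append("hosted on " + cname.split(".", 1)[1])
        finding = dangling_cname(rec)
        if finding:
            asset.findings.append(finding)
        inventory.append(asset)
    return inventory


def by_technology(inventory: list) -> dict:
    """Answer 'which hosts run X?' so patching can be prioritised per stack."""
    index = {}
    for asset in inventory:
        for tech in asset.technologies:
            index.setdefault(tech, []).append(asset.host)
    return index


if __name__ == "__main__":
    for asset in build_inventory(RECON):
        print(asset.host, asset.technologies, asset.findings)
```

Whether a dangling CNAME is actually claimable depends on the platform, so the finding is phrased as a candidate to verify rather than a confirmed takeover; the value of the script is that it turns a pile of recon output into a list of owners to ask and versions to track.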
Build security checks into the development lifecycle
More and more teams are practicing DevSecOps, which means checking for vulnerabilities in the code is part of the development cycle. Smartbear is a great example of a SaaS company that is doing this. Bugs identified are relayed back to developers right away for remediation in the next iteration.
Working with DevSecOps means that developers are empowered to patch security bugs as they are alerted. A security-savvy developer may be able to find information online in CVE libraries like MITRE or trusted blogs, but not everyone will be a security expert. For those who aren’t, security know-how can be acquired through remediation tips and tricks from internal training, security tools like Detectify, pentest reports, and vulnerability disclosures from ethical hackers.
Once you begin to find recurring issues, you can build your own tests for detection automation. These would target common attack vectors or repeated code mistakes, so the automation catches them before they regress into production. Building such a library is a resource-heavy manual process that requires a body of research and knowledge.
Outsourcing the test collection and proof-of-concept detailing can help you get started, primarily when security companies have dedicated teams to research and curate this public and specialist information. SaaS-based automated web security scanners like Detectify have access to a testbed with the latest vulnerability research and all without the need for manual updates. In particular, Detectify relies on collaboration with ethical hackers to crowdsource vulnerabilities actively exploited in the wild to help users stay on top of threats.
Keep software up-to-date
Yes, those pesky software update reminders exist for a good reason. Besides performance bugs or new UIs, updates often also patch security bugs found by ethical hackers. Failing to update software is actually something malicious actors know is a sure bet for a breach.
Hackers, good and bad, know that there are instances of outdated and vulnerable versions of web technologies in use, such as Apache Struts and WordPress. This could be for various reasons: concerns over new bugs in the update, or resistance to the changed design of something new. Whatever it may be, if you are holding back and running an older version of the software, you risk carrying detrimental vulnerabilities. Equifax is an infamous example of this, where a 2-month-old bug led to one of the most significant data breaches in modern history.
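As an added example (not from the original post or Detectify), here is the check that turns "keep software up to date" into something you can run against an inventory: parse the version out of a banner, compare it numerically rather than as a string, and respect the fact that vendors often patch several branches at once. The Apache Struts minimums are the ones from Apache's S2-045 advisory for CVE-2017-5638, the bug behind the Equifax breach; the httpd and WordPress minimums and the inventory rows are constructed for the example and are not advisories.

```python
"""Version-lag check over a tech inventory (added example)."""
import re

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(banner: str):
    """Pull the first dotted version out of a banner such as
    'Apache/2.4.29 (Ubuntu)' and return it as a tuple of ints, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_older(found: tuple, minimum: tuple) -> bool:
    """Component-wise numeric compare; shorter tuples are padded with zeros,
    so (2, 5) counts as 2.5.0."""
    width = max(len(found), len(minimum))
    return found + (0,) * (width - len(found)) < minimum + (0,) * (width - len(minimum))


def is_older_naive(found: str, minimum: str) -> bool:
    """The tempting shortcut. String comparison says '2.5.9' > '2.5.10'."""
    return found < minimum


# Minimum patched version per supported branch. Struts values are from the
# S2-045 advisory (CVE-2017-5638); the others are constructed sample policy.
MINIMUM_VERSIONS = {
    "Apache Struts": ("2.3.32", "2.5.10.1"),
    "Apache httpd": ("2.4.43",),
    "WordPress": ("5.4.2",),
}


def required_minimum(found: tuple, minimums: tuple):
    """Pick the minimum for the branch (first two components) `found` is on.
    A branch older than any listed one is out of support, so it is measured
    against the lowest minimum; a branch newer than all of them needs no check."""
    parsed = [parse_version(m) for m in minimums]
    for m in parsed:
        if m[:2] == found[:2]:
            return m
    lowest = min(parsed)
    return lowest if found < lowest else None


def stale_components(inventory: list) -> list:
    """inventory rows: (host, product, banner). Returns the rows that need an
    update as (host, product, found_version, required_version)."""
    stale = []
    for host, product, banner in inventory:
        found = parse_version(banner)
        minimums = MINIMUM_VERSIONS.get(product)
        if found is None or not minimums:
            continue  # unknown version or untracked product: report separately
        minimum = required_minimum(found, minimums)
        if minimum and is_older(found, minimum):
            stale.append((host, product, found, minimum))
    return stale


# Constructed inventory rows; the versions are illustrative, not observations.
INVENTORY = [
    ("www.example.com", "Apache httpd", "Apache/2.4.29 (Ubuntu)"),
    ("api.example.com", "Apache Struts", "Struts 2.5.9"),
    ("legacy.example.com", "Apache Struts", "Struts 2.3.34"),
    ("blog.example.com", "WordPress", "WordPress 5.4.2"),
    ("shop.example.com", "WordPress", "WordPress 5.4"),
    ("cdn.example.com", "nginx", "nginx"),
]

if __name__ == "__main__":
    for row in stale_components(INVENTORY):
        print(*row)
```

The branch handling is what makes this useful for Struts-style advisories: 2.3.34 is fine because it is past 2.3.32, while 2.5.9 is stale because its branch requires 2.5.10.1, and a plain string comparison would get the second case wrong.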
On top of keeping things updated, maintaining strict user access rights and adding layers of security wherever possible will go a long way. Google and Microsoft reported separately that an additional layer on top of username and password prevented nearly 100% of automated attacks on account login. Everyone in your organization can contribute to security and reduce the chance of an attacker getting past the first lines of defense on your attack surface.
Even if you are very secure deeper in your application layer, it won't matter if your front line lets them in. Even small vulnerabilities can be escalated into something crippling.
Do sweat the small vulnerability stuff
Taking care of low-severity issues can reduce the potential for an attack to be escalated further into the system, all the way to an RCE. For example, open redirects are easily overlooked. A creative hacker will not stop at finding one but will chain it into something worse, as in this discovery of CVE-2020-1323 by a Detectify Crowdsource ethical hacker. Mitigating something seemingly harmless like an open redirect is a way to reduce your attack surface, make a safer experience for everyone, and save everyone a bit of time.
Alfred, Security Researcher at Detectify, explains:
“An example of where low severity vulnerabilities like open redirects or reflected Cross Site Scripting (XSS) attacks that are not normally exploitable in up to date browsers are made into more severe vulnerabilities is James Kettle’s research that he presented at BlackHat 2020. In this research he found ways to get the responses from these vulnerabilities cached so they were served to other users.”
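The following added example (not code from the original post, from Detectify, or from the research quoted above) ties together the "build your own tests to prevent regression" advice and the open-redirect point: a redirect validator in its naive and hardened forms, plus the regression suite you would keep growing as new bypasses are reported. The hostnames and the `redirect_location` handler are constructed; only the bypass patterns (scheme-relative `//host`, the backslash variant, `https:host`, control characters) are the real-world ones.

```python
"""Open-redirect validator with a regression suite (added example)."""
from urllib.parse import urlsplit


def is_safe_redirect_naive(target: str) -> bool:
    """The common mistake: 'starts with a slash, so it must be local'."""
    return target.startswith("/")


def is_safe_redirect(target: str) -> bool:
    """Accept only a same-origin path such as '/account?tab=1'."""
    if not target:
        return False
    # Browsers strip or tolerate control characters and whitespace in odd
    # places; refuse them outright rather than mimic every parser.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # '//host' is scheme-relative, and browsers treat '/\host' the same way.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def redirect_location(target: str, fallback: str = "/") -> str:
    """What a login handler should put in the Location header (constructed
    helper: fall back to the site root instead of trusting the parameter)."""
    return target if is_safe_redirect(target) else fallback


# Constructed regression cases: (input, expected verdict). Add a row each
# time a new bypass is reported so the fix cannot silently regress.
REGRESSION_CASES = [
    ("/account", True),
    ("/account?next=/settings", True),
    ("/search?q=https://example.org", True),
    ("//evil.example/phish", False),
    ("/\\evil.example", False),
    ("https://evil.example", False),
    ("https:evil.example", False),
    ("javascript:alert(1)", False),
    ("/\t//evil.example", False),
    ("", False),
]


def run_regression(validator) -> list:
    """Return the inputs on which `validator` disagrees with the expected verdict."""
    return [case for case, expected in REGRESSION_CASES if validator(case) != expected]


if __name__ == "__main__":
    print("naive fails on:", run_regression(is_safe_redirect_naive))
    print("hardened fails on:", run_regression(is_safe_redirect))
```

The case list is the point: the naive check passes the obvious cases and fails exactly on the scheme-relative and backslash forms, which is why a one-line `startswith("/")` keeps reappearing in code reviews. Running `run_regression` in CI turns each reported bypass into a permanent test rather than a one-off fix.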
Conclusion:
The attack surface can widen, and the goal is to reduce it, but we don't shrink it by producing less, releasing less and writing less code. That just isn't an option for innovation and business survival, so we need to adapt. The way to do this is a different approach to integrating security into development cycles, maintaining the software inventory, and building information security awareness. Today the attack surface may begin at the web interface, and many hackers won't stop at the firewall.
How can Detectify help?
Reduce your attack surface with the help of Detectify and check for security throughout your SDLC. We check for 2000+ vulnerabilities that cover the OWASP Top 10 to help you and your developers prioritize security issues in your web applications. Sign up for your free 14-day trial.