The past year witnessed some of the biggest data breaches of all time, and the rapid proliferation of APIs has created new challenges for developers approaching the security landscape.
“The fallout from not integrating security early in the development lifecycle has never been more apparent,” the 2019 State of Software Security report stated.
The report found that two in three apps fail initial tests based on the OWASP Top 10 and SANS 25 industry standards. It also found that developers address 76% of high-severity flaws, but that only 56% of all software flaws are ever fixed. The average time to fix a flaw is now 171 days, compared with 59 days ten years ago.
To cast light on some of the biggest issues plaguing development, DeepCode recently published its lists of the most important bugs and the top security vulnerabilities.
The analysis came from the company's AI-powered code review tool, which analyzed hundreds of thousands of open-source projects to identify the issues that occur most frequently.
According to the analysis, file I/O corruption is the biggest general bug category, while missing input data sanitization is the top security vulnerability.
“The problems that come up are pretty serious in file corruption, which can lead to data loss or unusable data being processed and an application crashing because of it,” said Boris Paskalev, the Co-Founder and CEO of DeepCode, a platform that learns from open source programmers and uses the acquired knowledge to make suggestions on how code can be improved. “But even worse, one can actually end up using corrupted data without knowing and the application just keeps it working such as in sectors like aeronautics and driving cars, which could be detrimental or dangerous.”
He alluded to the catastrophic consequences faulty code can have. In the 1996 Ariane 5 incident, for example, the rocket exploded about 40 seconds after lift-off, destroying roughly $500 million in an instant. The cause of the failure turned out to be a software error in the inertial reference system.
Paskalev explained that many current vulnerabilities arise because software has become drastically more complex, driven by the large number of libraries in use, and because more attackers are now trying to exploit those weaknesses.
“The hard part is that not all developers are trained or have the time to actually search for [the vulnerabilities] and a lot of them are really tricky,” Paskalev said. “Even during a normal code review, you can oftentimes miss some of them and the main reason is you might not necessarily be looking for this specific thing.”
Paskalev also stressed that the list is not exhaustive and that developers should check multiple sources to make sure they catch the vulnerabilities relevant to their type of application.
“As developers enter a new year and decade, we want them to be aware of the most important coding problems for 2020 and beyond,” said Paskalev. “With DeepCode by their side, they’ll be able to make sure that these issues and countless others don’t affect their software.”
According to DeepCode, the most important bugs include:
- File I/O corruptions
- API contract violations
- Null references
- Process/threading deadlock problems
- Incorrect type checking
- Expression logic mistakes
- Regular expression mistakes
- Invalid time/date formatting
- Resource leaks
- Portability limitations
The most important security vulnerabilities include:
- Missing input data sanitization
- Insecure password handling
- Protocol insecurities
- Indefensive permissions
- Man-in-the-Middle attacks
- Weak cryptography algorithms
- Lack of information hiding
OWASP API Security Top 10
A Gartner report predicted that by 2022, API abuses will be the attack vector most responsible for data breaches in enterprise web applications.
In response to this growing trend, OWASP has officially published an API Security Top 10 list on GitHub, giving software developers around the world insight into the most common security pitfalls to avoid when building APIs.
“API implementation use cases continue to expand at a rapid pace, and malicious actors have identified them as a new target that hasn’t been widely exploited, or secured, yet. Given this increased focus on APIs, we advise developers to read and learn to better safeguard the applications and software they develop,” said Erez Yalon, the director of research at Checkmarx, who served as a co-lead on the project and believes that raising awareness of the common errors outlined in the list is essential to widespread improvement in application security.
The report found that the top vulnerability is broken object level authorization (BOLA): APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface. The report recommends an authorization check in every function that accesses a data source using an identifier supplied by the user.
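The following is an added example, not code from the OWASP document or from Checkmarx: the same "get order" handler written the way BOLA typically arises, beside a hardened version that authorizes every object access inside the function that touches the data. The data store, the `Order` record, the `Forbidden` exception and the order ids are all constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the requested object."""


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed sample data store: two users, each owning one order.
ORDERS = {
    1001: Order(order_id=1001, owner_id=1, total_cents=4999),
    1002: Order(order_id=1002, owner_id=2, total_cents=12500),
}


def get_order_vulnerable(current_user_id: int, order_id: int) -> Order:
    """BOLA: the caller was authenticated elsewhere, so the handler trusts the
    client-supplied id. Any logged-in user can read any order by changing the
    id in the URL; current_user_id is never consulted."""
    return ORDERS[order_id]


def get_order_hardened(current_user_id: int, order_id: int) -> Order:
    """Looks the object up, then checks that the caller may see it. The check
    lives in the function that reaches the record, so every code path that
    loads an order pays the same authorization cost."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != current_user_id:
        # Same error for "missing" and "not yours": a distinct 404/403 pair
        # would let an attacker enumerate which ids exist.
        raise Forbidden(f"order {order_id} not accessible")
    return order


def idor_probe(handler, attacker_id: int, ids) -> list:
    """Simulates an attacker walking adjacent ids through a handler and
    returns the ids that were served to them."""
    leaked = []
    for oid in ids:
        try:
            handler(attacker_id, oid)
            leaked.append(oid)
        except (Forbidden, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    probe_ids = [1001, 1002, 1003]
    print("vulnerable handler leaks:", idor_probe(get_order_vulnerable, 1, probe_ids))
    print("hardened handler leaks:  ", idor_probe(get_order_hardened, 1, probe_ids))
```

The probe is the same test a pentester runs by hand: log in as one user, then increment the identifier. Against the vulnerable handler user 1 receives user 2's order; against the hardened one only their own.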
The second vulnerability is broken user authentication. Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or exploit implementation flaws to assume other users’ identities temporarily or permanently, according to the report.
While the top two concern authorization and authentication, the third vulnerability is excessive data exposure. The report attributes this to developers exposing all object properties without considering the sensitivity of each, relying on the client to filter the data before displaying it to the user.
To prevent this, the report suggests reviewing API responses to make sure they contain only legitimate data. It advises against generic methods such as to_json() and to_string(), and instead recommends that developers “cherry-pick specific properties that you really want in return.”
These are followed at number four by lack of resources and rate limiting, which occurs when APIs impose no restrictions on the size or number of resources a client can request.
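Two added examples follow, illustrating the third and fourth items above; neither is code from the OWASP document. The first contrasts a to_json()-style dump of a user record with a serializer that cherry-picks fields per audience. The `User` record, its field names, the placeholder hash and the allow-lists are all constructed for the example.

```python
import json
from dataclasses import asdict, dataclass


@dataclass
class User:
    user_id: int
    username: str
    email: str
    password_hash: str
    is_admin: bool
    last_login_ip: str


# Constructed sample record; the hash is a placeholder string, not a real one.
SAMPLE = User(42, "alice", "alice@example.com", "$argon2id$placeholder", False, "203.0.113.7")

# Fields that must never reach a client, whoever is asking.
SENSITIVE = {"password_hash", "last_login_ip"}

# Allow-lists per audience: anyone vs. the account owner.
PUBLIC_FIELDS = ("user_id", "username")
SELF_FIELDS = PUBLIC_FIELDS + ("email",)


def serialize_generic(user: User) -> str:
    """The to_json()-style anti-pattern: dump every property and leave it to
    the client to decide what to show. The hash and the IP go over the wire."""
    return json.dumps(asdict(user))


def serialize_explicit(user: User, viewer_id: int) -> str:
    """Cherry-pick properties for the requesting audience. Only named fields
    can leave the server, so a sensitive column added to User later is not
    exposed unless someone deliberately adds it to an allow-list."""
    fields = SELF_FIELDS if viewer_id == user.user_id else PUBLIC_FIELDS
    data = asdict(user)
    return json.dumps({name: data[name] for name in fields})


def exposed_keys(payload: str) -> set:
    """Keys present in a JSON response body."""
    return set(json.loads(payload))


def leaks_sensitive(payload: str) -> bool:
    """Response-review check: does the body contain any forbidden field?"""
    return bool(exposed_keys(payload) & SENSITIVE)


if __name__ == "__main__":
    print("generic  :", serialize_generic(SAMPLE), "leaks =", leaks_sensitive(serialize_generic(SAMPLE)))
    print("self view:", serialize_explicit(SAMPLE, 42))
    print("other    :", serialize_explicit(SAMPLE, 7))
```

`leaks_sensitive` is the kind of assertion worth keeping in an API test suite: it fails the moment a generic serializer is reintroduced or a new sensitive column slips into an allow-list.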
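The second added example (again not from the OWASP document) shows the two controls the rate-limiting item calls for: a per-client token bucket that throttles request volume, and hard caps on request body size and page size so a single call cannot demand an unbounded amount of work. The limits, the client key, the status codes and the `ManualClock` used to make the behaviour checkable offline are all assumptions of the example.

```python
import time


class TokenBucket:
    """Per-client token bucket: `rate` tokens are added per second up to
    `capacity`, and each request consumes one. The clock is injectable so the
    limiter can be exercised deterministically."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self._buckets = {}  # client_key -> (tokens, last_refill_time)

    def allow(self, client_key: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client_key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client_key] = (tokens - 1.0, now)
            return True
        self._buckets[client_key] = (tokens, now)
        return False


# Assumed resource caps for a list endpoint.
MAX_PAGE_SIZE = 100
MAX_BODY_BYTES = 64 * 1024


def handle_list_request(limiter: TokenBucket, client_key: str, page_size, body_len: int):
    """Returns (status, effective_page_size): 429 when the client is over its
    rate limit, 413 when the body is too large, otherwise 200 with page_size
    clamped so a client cannot ask for a million rows in one call."""
    if not limiter.allow(client_key):
        return 429, None
    if body_len > MAX_BODY_BYTES:
        return 413, None
    try:
        requested = int(page_size)
    except (TypeError, ValueError):
        requested = 1
    return 200, max(1, min(requested, MAX_PAGE_SIZE))


class ManualClock:
    """Deterministic clock for exercising the limiter without sleeping."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds: float):
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def simulate_burst(requests: int, rate: float, capacity: int) -> dict:
    """Sends `requests` back-to-back calls from one client at t=0, then one
    more after a second; returns how many were served and how many throttled."""
    clock = ManualClock()
    limiter = TokenBucket(rate=rate, capacity=capacity, clock=clock)
    client = "203.0.113.7"  # constructed client address
    statuses = [handle_list_request(limiter, client, 10, 128)[0] for _ in range(requests)]
    clock.advance(1.0)
    statuses.append(handle_list_request(limiter, client, 10, 128)[0])
    return {"ok": statuses.count(200), "throttled": statuses.count(429)}


if __name__ == "__main__":
    print(simulate_burst(requests=10, rate=2.0, capacity=5))
```

With a capacity of 5 and a refill rate of 2 per second, a burst of 10 requests gets 5 served and 5 throttled, and the one sent a second later is served again because the bucket has refilled. The body and page-size caps are independent of the bucket: they bound the cost of each individual request, which the bucket alone does not.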
Yalon explained that developers should keep in mind that the list is not exhaustive, but rather an awareness document or a snapshot of the current, top API vulnerabilities.
Reading and understanding the risks outlined in the list should help developers significantly level up the security of their API implementations, and of their applications as a result. When it comes to secure coding, there is no substitute for ongoing vigilance and proactive defense against constantly evolving attacks, according to Yalon.
While the concepts of API security are relatively new, Yalon said that the attacks that can be performed through them are not.
“Many organizations have been experiencing similar threats targeting their networks and Internet-facing applications for years, and now they must turn an equal focus on mobile apps, APIs, and back-end servers,” Erez Yalon said. “Speaking to the fact that there is already some awareness around these issues on the part of organizations, we do know that a number of businesses are already using the OWASP list, and that the need was so great that many began using it even while it was still in the drafting stage.”
However, while some organizations have begun to understand the risks associated with APIs and are making strides toward improving security, a gap still exists between awareness and action, according to Yalon.
“It’s important to note that the list we’ve assembled does not just outline the top API vulnerabilities, it also provides example attack scenarios and recommendations for mitigating these threats,” Yalon said. “Those that take the time to read through our extensive guide will certainly be in a better position to defend against API-related issues.”
While these types of attacks aren’t going anywhere, developers and organizations can mitigate the risk of their API implementations as attackers set their sights on this emerging target, Yalon added.
The top 10 OWASP API security vulnerabilities are:
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging & Monitoring
Meanwhile, the Chertoff Group, a company that provides industry insights around security technology, global threats, strategy and public policy, unveiled its list of security trends for 2020.
The top trend is that ICT supply chain risk stays in the spotlight as significant new regulatory authorities come online.
“Malicious actors are increasingly poisoning the software supply chain as means of gaining initial access and persistence within victim companies, and their customers,” the Chertoff group wrote in their report. “As software applications grow more dynamic and companies become increasingly dependent on a dizzying ecosystem of software libraries, tools and distribution mechanisms, risk exposure expands.”
The report also found that there is increasing customer and business partner demand for better measures of cybersecurity effectiveness.
There are multiple initiatives to improve the security of software, including the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) process in 2020, which seeks to link inherent risk to expectations for more advanced levels of security capability, the report said.
Other initiatives include the Business Software Alliance’s Framework for Secure Software, launched in 2019, and MITRE’s launch of the Center for Threat-Informed Defense (CTID), a non-commercial, non-profit focal point to sustain and accelerate the evolution of publicly available resources critical to cyber defense.
The report stated that the interest in global cyber norms will grow.
“As cyber attacks become increasingly disruptive, there is growing interest in establishing a core set of norms to guide responsible state and non-state behavior in cyberspace,” the report said.