This article originally appeared in Journal of Cyber Policy on July 3, 2019.
When you browse a web page or start up a mobile app, do you really know about the code you’re letting onto your device? The interface and user experience may be seamless, but the underlying construction is anything but. Apps and websites contain code from many third parties, not all of whom are well known or understood by the developers.
If this seems like an abstraction, perhaps putting the concept in physical terms will help you visualize what’s happening on your phone or PC. Consider the following the next time you fly: The airplane is not made by one company. Each major component comes from a different manufacturer. The Boeing 787, for example, has wings made by Mitsubishi in Japan and a fuselage whose sections are built separately by Boeing, Wichita’s Spirit AeroSystems and Italy’s Alenia. The doors are made in France, the engines in the UK. The machine flies beautifully, but like most smooth-functioning apps, it’s an assemblage of pieces made elsewhere.
Security risks follow this model. As the volume of apps and websites increases, and their scope of functionality expands, vulnerabilities grow exponentially. Application security practices are now catching up. Vendors like The Media Trust and Contrast Security have made app sec their main focus.
Media Trust: Staying on Top of Unmanaged Third-Party Code
The Media Trust offers solutions that deal with the risks of third-party code in apps and websites. Opening a web page typically allows a torrent of code into your browser that lacks a clear provenance. You might be on a site for a well-known retailer, for example, but up to 90% of the code actually loaded by the page is not developed by that company.
These threats may cause only low-grade problems like planting unwanted cookies. At other times, however, there can be serious malware in the works. Full-blown cyber attacks can originate in seemingly innocuous web pages. Examples include 3ve, a combination of bots and fake websites that perpetrated advertising fraud, and Magecart, which surreptitiously injected credit-card skimming code into websites like BritishAirways.com.
As Chris Olson, CEO of The Media Trust, explains, it is possible to mitigate third-party code risks. “You have to inspect the code that’s coming into your site or app,” he said. “This may sound obvious, but we constantly see otherwise smart organizations that neglect this basic countermeasure. They’re exposing themselves, and their customers, to preventable attacks.” The Media Trust’s solution monitors and controls website and mobile app code that comes from third-party vendors.
It can unearth malicious code and even detect when third parties have themselves been compromised. “Indeed, many third parties don’t realize that they themselves have become inadvertent vectors of attack. A malicious actor has taken over their code. We can interrupt this process,” Olson added.
Contrast: Securing the App from the Inside
Jeff Williams, CTO and co-founder of Contrast Security, knows there are malicious elements in your app code. The problem, from his perspective, is that most AppSec approaches are looking in the wrong places. “Most solutions are inspecting code libraries or using firewalls to stop attacks based on code,” he said. “This was a satisfactory defense for a long time, but no more.” In his view, the rise of DevOps and accelerated coding and deployment practices like Continuous Integration (CI) have rendered these approaches deficient.
“Looking from the outside in is not a workable way to prevent corruption of code,” he added. “Things are just moving way too fast for that now. We’re writing way too much code. Take your average large financial firm. They might have over ten thousand apps. A bank is really a software company, in essence. It isn’t possible to scan all the open source code they use and keep up with the pace of development.”
Instead, the Contrast approach is to work in the opposite direction. “We secure the code from the inside out,” Williams shared. “We rely on software instrumentation. As the app starts, our solution weaves sensors into security-relevant code. It’s like bank security cameras—you want them inside the bank, not out on the street.”
From this inside vantage point, Contrast can spot vulnerabilities continuously, even as the code base is updated in the DevOps cycle. The solution is then able to issue alerts to JIRA, Jenkins, Slack and so forth. “Developers get the alerts and treat them like bug fixes,” Williams added. “This way, you can securely scale your dev operations.”