
Application Security: The Essentials – Insecure Direct Object References

By |April 14th, 2014|Security|

In the articles which we have already published on the topic of application security, there has been a recurring theme of proper authentication within the application. Applications are built in layers, with different degrees of access being granted to different users, depending upon whether their credentials have been correctly authenticated. Obviously the primary access to the application should be as secure as possible, with timeouts, secure password policies etc. This article will look at the need for secure references within the application.

A direct object reference is when the developer exposes a reference to an internal ‘object’ within the application. Essentially, it is when the code points to one of the ‘parts’ which make up the app. These include the numerous ‘building blocks’ of applications such as specific files, database keys and internal directories. All of these are necessary aspects to make the app work properly for the end-user. The danger which you face by having Insecure Direct Object References is that an attacker can easily modify the parameters which have been generated in their browser to access confidential data.

For example, say you have a secure database which stores payment information for your users; this is done for their convenience and to increase their overall ease-of-use if the application is often used as a step in making financial purchases. This could also apply where customers have submitted other personal information for you to use in providing them with a better experience. If the application uses a SQL call whose input (i.e. user credentials) is unverified, and that call is then used to access this account information, attackers can exploit the insecure parameter to access details from any account.

The effect which this can […]


Future trends in mobile payments

By |April 7th, 2014|Trends|

Mobile payment systems are taking root around the globe, reaching major retailers and coffee shops as well as the single-store small and mid-sized boutiques that dot the landscape.
Payments through mobile card-reader apps are currently available from 40% of small and mid-size businesses, or SMBs, according to researcher BIA Kelsey. That number is expected to rise to more than half of SMBs by the end of 2014.
The current trend of using mobile devices to read credit cards is expected to further evolve, however, removing the need for physical cards and eventually your billfold.

[…]


QR Codes are everywhere

By |March 26th, 2014|Trends|

Quick Response (QR) Codes are everywhere we go. They are on adverts, in newspapers, on the backs of books and appearing on television screens. They make use of a technology which has been in existence for some time, but that until now has been more common in supermarkets than out on the street.


The barcode is a versatile and compact means of storing a great deal of information in a relatively small space, information which can then be called up from a database and used when it is needed. Although barcodes are still in wide use for this, the advent of mobile devices which are able to use their inbuilt cameras as barcode scanners has led to an increase in the use of QR codes as a means of delivering content to end users through their internet connection.

[…]


Application Security: The Essentials – Insecure Cryptographic Storage

By |March 17th, 2014|Security|

In the past few years there has been an exponential increase in the volume of sensitive and confidential data which is being stored by applications and other software. The reason for this change has been a particular drive towards a need for immediacy and ease of use amongst consumers. In short, people now want to do things even faster and with less effort than before. This means that they are entrusting a larger amount of personal data to automated processes within software and applications.

An increasing number of financial transactions are also now being carried out through mobile and computer applications. Although a large number of users pay through a secure gateway such as PayPal, and many major credit card providers now have an additional layer of security which forces users to enter random characters from a pre-determined password, some applications still store payment information as a part of the service which they offer.

It seems obvious to point out the need for proper security and encryption of personal and private data. However, it is not necessarily the storage of the data which causes the issue; rather it is the means through which the data is kept by the application – such that it is readily accessible when, for example, the user wishes to make a payment – that can cause more problems.

The information must be securely encrypted, but not so inaccessible that the application is unable to access it smoothly. This is a difficult balancing act which developers must strike in order to deliver a smooth experience without sacrificing the safety of the user’s data.

The impact of Insecure Cryptographic Storage can be devastating; this is because access to one set […]


Application Security: The Essentials – Broken Authentication and Session Management

By |March 3rd, 2014|Security|

Modern applications frequently handle sensitive data, and as such it is common practice for developers to implement varying layers of authentication to access the application. This also means that as a developer you can gather more detailed information about your users, e.g. through their email address, which can be used as a marketing tool.

In essence, authentication is the security process which requires a unique username and password to be entered by the user in order to access the application in full. This means that they can personalise their experience as well as have a greater confidence in the safety of any personal data which may be used and/or securely stored by the application.

Session management covers the processes that the application uses to keep users safe whilst they are actually using the application. A highly common example of this is session timeouts, where if the user is inactive for a given period of time, or if they lock their device, the application will log them out. This is often used by financial applications where users can carry out their personal and business banking through the use of an official application.

One of the most common causes of broken authentication is a weak password policy which enables credentials to be easily worked out by hackers. It is also possible that your ‘Password Reset’ process, which developers prefer to automate, may not be secure enough. For example, if all pressing the ‘password reset’ button does is send a link to the user’s registered email address, or if the user only has to answer a pre-determined ‘secret question’, then it may be relatively easy for the account to be accessed by an outsider.

One simple way of tightening […]


Technology in 2014: Top Emerging Trends

By |February 14th, 2014|Trends|

At the start of every new year, there is always a great deal written about what industry experts and writers alike expect to be the ‘top’ trends for that year. What will be the next big thing? Everyone tries to predict it, and few people get it exactly right.

Technological advances such as 3-D printing and augmented reality equipment are certainly not new, but they are rapidly dropping in price. This means that they are becoming more readily available to consumers and businesses alike. 3-D printing, in particular, has existed in some form or another for almost twenty years. It is only now that the prospect of a 3-D printer in the small business setting is becoming realistic.

Augmented reality has often been seen in science fiction, and many of us will have grown up thinking of being able to pull up information in front of our eyes simply through the use of a voice command, or to make phone calls and take pictures using our watches, as some far-away fantasy. The fact that in 2014 both of these are becoming possible is both an exciting and frightening prospect.

The prospect of augmented reality becoming something that you can literally carry around in the form of glasses is indicative of the increasing trend towards ‘joined-up’ technology. Rather than there being distinctive devices which all have their own specific purpose, it seems that every device can now do what every other device can.

This means that users now carry an ever-greater amount of technology with them, from tablet computers and smartphones to ultra-slim laptops, all linked back to their ‘Personal Cloud’ through hyper-speed broadband and 4G mobile internet signal. Wherever people […]


Application Security: The Essentials – Cross Site Scripting (XSS)

By |January 27th, 2014|Security|

Cross Site Scripting, or XSS as it is also known, is when data which is taken by an application is sent to a web browser without proper validation and authentication being carried out first. It leaves the user open to attacking scripts from hackers and hijackers, the effect of this being that they can potentially hijack the user’s session and obtain a vast amount of data.

As well as this, cross site scripting can also be used to redirect the user to malicious websites which then implant viruses and other invasive and damaging software on the user’s device or computer.

This brings us back to the issue which we discussed in a previous article about the dangers of redirects and external references within an application. Whenever an application links out to a web browser it immediately opens up a ‘gap’ which can potentially be used by attackers to access the user’s confidential data and information.

Although this is not an attack which has a direct impact upon your application – insofar as the attackers are not targeting the application directly – it can have a disastrous impact upon your users. If your application has a strong business user base, or involves the processing of sensitive information, then it can have a highly negative effect upon the public image of your product.

XSS is one of the most prevalent types of attack amongst application users, and developers should be very careful about building applications which rely on interpreters such as JavaScript and Microsoft Silverlight in web browsers. As ever, the most effective method of protection is prevention, and by keeping as many of the application’s operations within it as possible you will […]


Application Security: The Essentials – Unvalidated Redirects and Forwards

By |January 15th, 2014|Security|

In this third article on application security, we will be looking at Unvalidated Redirects and Forwards, an uncommon flaw but one which can have a damaging effect on your company’s reputation as it targets your customers rather than you directly.

A redirect or forward is when the application automatically sends the user to an external webpage through a link which has been placed in the code. If you are using the .NET Framework to build your application, a redirect is known as a transfer.

These redirects are not always external; they are on occasion built within the application – particularly where it is a browser-based app.

The danger comes when attackers change the parameters to redirect your users to unsafe and unauthorised pages. The potential damage can be severe as these fake pages can be modelled to imitate your own, genuine pages and lead users to download damaging software as well as expose their own systems to attack and infiltration.

How do I prevent Unvalidated Redirects and Forwards?

If you can, avoid using redirects. They are prone to failure and can cause errors for users who are accessing the application or service over unsecured connections. They also open up ‘holes’ in the system through which hackers can infiltrate and change the location to which your customers are sent.

If you have to use redirects, then make sure that you regularly review your code and check that you don’t have any broken links or unvalidated redirects present. If you can, try to ensure that your application will only send customers to validated URLs, and try to build extra layers of security into the pages to which they are redirected. The harder your pages are to copy, the less […]


Application Security: The Essentials – Proper Security Configuration

By |January 7th, 2014|Security|

Welcome to our second article on application security, a guide to the essentials. In this series we are conducting an overview of the major security risks and concerns which present themselves to companies who are looking to move into the highly profitable area of application development.

In this article, we will be looking at the importance of proper security configuration within your operation.

If you run a business, however large or small, you will have strict security policies in place to protect both yourself and your customers. The premises should have a secure lock system and where appropriate a CCTV and alarm network as well. You may even employ physical guards to protect your property and data.

It is just as important that you protect your virtual property as you do your physical.

The number of levels at which an application development company operates makes it very vulnerable to attacks through a weakness in security – remember, a chain is only as strong as its weakest link. The collection of levels through which an application is built and distributed is called a ‘stack’.

In a typical stack you will have a development and distribution platform, an OS which this platform runs on, a physical server where you hold documentation and run your network from, the webserver and framework from which you distribute the application and push out updates to users, and of course the actual code upon which the application is built.

It is of the utmost importance that each individual aspect of your stack is correctly configured to work in perfect harmony. This can be maintained by ensuring that routine updates and security checks are carried out on each individual aspect of your infrastructure.

A misconfigured […]


How to Safely Implement BYOD

By |December 18th, 2013|Howto, Security|

The age of the Internet is coming to your employees’ pockets as the Bring Your Own Device (BYOD) trend continues to sweep across industries all over the world. Employees already use their smartphones to check email, send out company updates and schedule meetings. Allowing employees to conduct these and other company business on their smartphones, tablets, and laptops can be dangerous when left unchecked, but proper BYOD policies and software can keep your mobile operations safe.


There are many ways you can mitigate the risk of data loss, breaches, or even theft by managing the equipment your employees use and the agreements you have with your employees. Non-disclosure agreements and non-compete clauses are essential for all BYOD participants because they remove the incentive to take information for personal gain.

After you have your employee agreements in place, you can move on to developing the infrastructure and security that are needed to deploy a BYOD program.
[…]