HP has released their latest Cyber Risk Report 2013 and it’s worth taking a look at. While the report states that the overall number of high-risk attacks has diminished somewhat in the past year and that mobile vulnerabilities might not be as dire as some experts have reported, it also shows that there is are serious risks in the areas of hybrid application development, Java, and supervisory control and data acquisition (SCADA) systems.
We won’t try to summarize the entire 48 page report here (you can download the entire report or the executive summary here) but there were a few interesting tid-bits we thought were worth mentioning.
If you have followed the cyber security space for any length of time it seems that software developers just never learn. As the HP Cyber Risk Report 2013 found the primary methods that hackers use to gain access to systems are the same methods used for nearly 15 years – SQL injection attacks, improper or overly extensive permissions, weak or even no encryption, improperly configured servers, and cross-site scripting are still the most common weaknesses. You would think every programmer in the world would know how to avoid these issues by now. But the report does point out that the tools programmers use may actually promote some of these bad programming habits.
The report looked at three hybrid programming platforms; PhoneGap, Titanium, and Xamarin and found that each of them had inherent shortfalls that either encouraged poor programming practices or forced the developer to rely on third-party plug-ins (which may or may not be secure). This held true over both iOS and Android platforms.
All three platforms had weaknesses that forced the programmer to actively find work around to problems such as avoiding insecure SSL configuration issues, insecure database access, insecure certificate verification, granting excessive permissions, allowing unrestricted cross-domain communication, or using weak (sometimes no) encryption. Programmers would have to know about these issues and go to extra lengths to avoid them (usually though using third-party plug-ins).
The HP report suggests that hybrid programming platform providers should work toward closing these gaps by making security the default rather than an option.
Another area that the report focuses on are the many Java vulnerabilities. They even go so far as to suggest it might be a good idea for enterprises to start phasing out any applications that rely on Java unless it is absolutely necessary.
One last point we found interesting in the HP report was their finding that vulnerability experts themselves may be driving the perception that one or another platform, application, or system is less secure than another. They contend that security experts tend to focus their attentions on high-profile applications (such as Internet Explorer) or systems (such as SCADA) and therefore find more security issues in those areas. HP points out that just because there are more issues reported with one application does not necessarily mean it is less secure than another, it just means it got more attention from the experts.
The HP Cyber Risk Report 2013 is well worth reading if you are developing mobile, hybrid, or just about any application.
