Eight security takeaways

For the past few years Hewlett-Packard has issued an annual Cyber Risk report to provide security information to organizations to understand the vulnerability landscape and how best deploy resources to minimize security risk. Here are some top takeaways from its latest findings. All images from Shutterstock.com.

It’s partly your fault
80 per cent of applications contain vulnerabilities exposed by incorrect configuration

While we often hear about vulnerabilities that arise due to bugs in an application’s code, an analysis of 2,200 applications found many were related to server misconfiguration, improper file settings, sample content, outdated software versions, and other items related to insecure deployment. Don’t overlook this security gap. Dedicate resources to auditing software for misconfiguration as well as for more expected forms of vulnerability.


Say no to Java

In the past year Java’s security has been questioned. HP found that sandbox bypass vulnerabilities caused by unsafe reflection are the most prolific issue, and sandbox bypass due to type confusion is the most exploited. Attackers are significantly escalating their exploitation of Java by simultaneously targeting multiple CVEs and using Java more often to successfully compromise victims’ computers. Organizations should seriously consider reducing their attack surface by eliminating Java from environments where it is not required.


Mind your cookies

Of the top half of all software problems looked at 52 per cent were from insecure cookies, including not setting the HTTPOnly attribute; 51 per cent leaked system information; 49 per cent had access control vulnerabilities to files and directories; and 40 per cent had cross site scripting problems.


Less is better

An examination of over 500,000 Android apps showed turned up major discrepancies between how Google and different antivirus companies judge the behavior and intent of mobile apps. Limiting the number of apps available within an organization, monitoring approved apps, and thoroughly vetting EULAs are the absolute baseline for responsible defense.


Mobile developers fail #1:

46 per cent of mobile 180 iOS and Android applications tested use encryption improperly. Missing or misused cryptographic APIs made for a common occurrence in our analysis of encryption-related vulnerabilities. The statistics indicate that the developers either completely miss encryption before storing sensitive information on device or often rely on weak algorithms. Also 41 per cent of the encryption-related issues resulted from unencrypted transfer of sensitive information.

INSIDE mobile encryption SHUTTERSTOCK

Mobile developers fail #2

An analysis of native vulnerabilities found that the insecure use of storage APIs is a prominent root cause of security issues. Unsafe storage of information on publicly accessible external SD cards is a common practice among mobile app developers, and was found to be responsible for nearly 42% of all storage-related issues. SQL injection vulnerabilities, which could similarly expose contents of the device database, constituted approximately 21% of the issues. Almost 38% of the issues were related to insecure logging practices as well as hardcoding of sensitive information, which runs counter to age-old security best practices


Mobile developers fail #3

Modern mobile phones allow apps to expose custom features for reusability, but giving permission is essential for preventing the misuse of these features, examples of which include permission to use the camera, external storage, Internet, and others as well as permissions to share the custom components between apps. Unfortunately, 74% of the issues were caused by Android applications requesting more permissions than were necessary for their operation thus putting the user’s data at risk in case of a compromise.



Don’t be complacent

Security isn’t a box that can be checked—it’s an ongoing process of gathering and sharing intelligence, responding to changing technology and conditions in the wild, and balancing security measures against functionality. It is also simply not possible to reduce the attack surface to zero without sacrificing functionality necessary to operate the organization. However, with the right information and advice, organizations can respond appropriately, mitigate risks, and reduce their attack surface significantly.


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Slideshows

Top Tech News