Part two: Attack Surface
What should we do next?
Definitely, we need someone who would examine this list:
- To separate real issues from false positives;
Remark: What can be a false positive in our case? For example, an "Ignore SSL Certificate Error" finding. It hardly matters if that issue is found in, let's say, a graphics editor, but it matters a great deal if it's reported for a banking client app.
- To perform the necessary tests which cannot be done automatically (see part one);
- To localize vulnerabilities (the trouble may lie in third-party components);
- To determine the most likely attack vectors (see the Lyrical Afterword, which is coming soon);
- To compose a plan (recommendations) for improving the security of the analyzed app.
Who can do it? What is the first thing that comes to mind? The developers or QA people who have been working on this app? Sure, that's logical. It seems they know the app best, doesn't it? Unfortunately, they are not good at this type of task. Why?
– There is a vulnerability in your app.
– Agh.... that’s true. But it’s not in our app, it’s in a lib which we use in our app...
You may check this dramatic story about the AFNetworking library.
Sometimes developers cannot even imagine that some things can be used maliciously (here is an example of such a story).
Software devs are good at creating apps, QA folks are good at testing them. The people we want are specialists from the information security field. They have an unusual vision of how an innocent (at first glance) app can be used in malicious ways, and that is exactly what is needed. You may read this sad post with juicy details.
IT security guys are hackers, but they are on our side of the barricades. They have specific knowledge and a specific mindset, which allows them to determine the most likely and most profitable ways of intrusion (the attack surface), and they know how to improve app security. They work in IT security day by day and are very familiar with current security trends (you cannot expect that from devs, who need to think about security twice a year).
Large companies, or companies offering IT security services, can afford a full-time security specialist or even a team of security specialists. In general, there is no need to have a security guy on your staff, since IT security expertise or advice is only needed from time to time (for example, prior to a new app release or a new release of an existing app). The analogy with physicians works well here. It's good to be informed about your health and to follow medical recommendations. Should you live in a hospital for that? When you need it, you consult a specialist and follow his/her recommendations.
It is very common to drop the security part during the first stages of development. Neglecting security may cost a lot.
(The Lyrical Afterword is coming soon)