In our recent ciqada white paper, we outlined ten critical areas where security issues can impact the safety of your IoT systems. We will recap this information in four articles, each of which will focus on two to three elements that should be considered to help protect your IoT-enabled devices and systems.
In this article, we will talk about injection flaws along with broken authentication and management.
But first, let’s talk about application vulnerability. According to a Gartner Security study, 90 percent of all vulnerabilities exist at the application layer. An application vulnerability is a flaw or weakness in a software application that can be exploited to compromise the confidentiality, integrity or availability of resources used by the application and its users. The application layer is the most difficult to protect because vulnerabilities may involve complex input scenarios that may be challenging to detect with conventional intrusion detection software.
It is also the most vulnerable because it is the most accessible to cybercriminals. The best defense is to develop secure applications. This requires a commitment to evaluate and remove vulnerabilities in websites, web applications and web services. This is an essential process that will help reduce security threats and breaches, thereby lowering this barrier to IoT product deployments.
Identifying Critical Software Security Flaws
To design a secure web application, you must know your threats. Knowledge about how attacks occur can guide a developer to build software defenses into their applications. Developers can turn to the Open Web Application Security Project (OWASP) Foundation, a not-for-profit, open community organization focused on improving the security of application software. Their projects cover many aspects of application security; participation is open, and the resulting tools, documents, and guidelines are made available to educate and inform anyone interested in producing secure code. Here are the first two of the top ten vulnerabilities identified by OWASP:
Injection Flaws
An injection flaw is introduced when malicious code or untrusted data is inserted into an application and passed to another system. This could include calls to backend databases, shell commands to external programs, or system calls to the operating system. Scripts written in other languages, such as Python or Perl, can be inserted and executed such that an attacker can read, modify, create or delete data available to an application. The most common injection flaw is SQL injection. However, injection flaws can also be found in NoSQL, LDAP and XPath queries, OS commands, SMTP headers, XML parsers, etc.
Injection flaws can be prevented by carefully validating data before it is passed to an external function, and by verifying that the data returned is what was expected. In certain situations, encoding the data may be needed to ensure immunity to an injection flaw. Proper handling of errors, timeouts or blockages is also important to confirm that the expected processing actually occurred.
Broken Authentication and Session Management
Authentication and session management encompass all aspects of handling user account credentials, including user authentication and active session management. Broken authentication flaws occur when there is an inherent vulnerability in the method chosen to authenticate users. Session management flaws occur when sensitive user information such as user names, passwords, and session tokens is not adequately protected. If the session tokens created by web applications are not properly protected, an attacker can assume the identity of a user by hijacking that user’s active session. Developers may build custom authentication and session management schemes, which can introduce flaws in areas such as password management, logout, timeouts, account updates, "remember me" features, secret questions, etc.
Recommendations to prevent these types of vulnerabilities include:
- Using a single authentication mechanism and the platform's native session management mechanisms
- Assigning a new session cookie once a user authenticates and invalidating the previous one
- Verifying that users can easily locate the logout link, and enforcing adequate timeouts for inactive sessions
- Verifying users know their old password before changing it
- Verifying that all user credentials are stored in hashed form
- Ensuring that SSL is used for all authenticated parts of the application.
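The recommendations above, as an added Python example that is not part of the original article: a small in-memory session store that issues a fresh cookie on login and invalidates the pre-login one, drops sessions after an idle timeout, requires the old password before accepting a new one, and keeps credentials only as salted PBKDF2 hashes. The store, its method names and the 15-minute timeout are assumptions for illustration only; a real deployment would persist sessions server-side and send the cookie with the Secure and HttpOnly flags.

```python
import hashlib, hmac, os, secrets, time
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed policy)

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)  # per-user random salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)  # never the clear password

class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so timeouts can be tested deterministically
        self.users = {}           # username -> (salt, hash)
        self.sessions = {}        # cookie value -> {"user": str or None, "last_seen": float}

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def new_session(self, user=None):
        token = secrets.token_urlsafe(32)   # unguessable cookie value
        self.sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def _verify(self, username, password):
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(hash_password(password, rec[0])[1], rec[1])

    def login(self, old_token, username, password):
        """On successful authentication, invalidate the pre-login cookie and issue a fresh one."""
        if not self._verify(username, password):
            return None
        self.sessions.pop(old_token, None)
        return self.new_session(username)

    def current_user(self, token):
        s = self.sessions.get(token)
        if s is None:  # unknown or already invalidated cookie
            return None
        if self.clock() - s["last_seen"] > IDLE_TIMEOUT:  # idle timeout: drop the session
            del self.sessions[token]
            return None
        s["last_seen"] = self.clock()
        return s["user"]

    def change_password(self, token, old_password, new_password):
        """A live session alone is not enough: the old password must be presented too."""
        user = self.current_user(token)
        if user is None or not self._verify(user, old_password):
            return False
        self.users[user] = hash_password(new_password)
        return True
```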
In our next article, we will discuss cross-site scripting vulnerabilities, insecure direct object references along with security misconfiguration. Until then, if you would like to learn more about how Mars and ciqada can help ensure your IoT project is secure, please contact us today.