The global security threat outlook changes every year, and the number of ways known vulnerabilities can be exploited to damage businesses and individuals keeps growing. Attackers go after different vulnerabilities for different reasons, depending on their business model.
Regardless of the why and how, there is no shortage of vulnerabilities to find. In 2018, we saw a 21% increase in total vulnerabilities reported over the previous year. The average payout per vulnerability also increased this year by a whopping 73%, with 75% of all P1 vulnerability payouts above $1,200, up from $926 last year. That is unsurprising. The past couple of years have brought NotPetya, Meltdown, Spectre and the Equifax Apache Struts bug, just a few examples of exploited vulnerabilities that hit the headlines and left many systems, users and companies devastated.
Access Control Bugs
In software applications, one bug class that never seems to go away, and one of the riskier categories rated P1 or P2 in our VRT, is access control bugs. They come in many flavors, and one of the riskiest is the insecure direct object reference (IDOR).
OWASP defines an insecure direct object reference as a flaw that arises when “a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.”
For example, if a user's account has the unique number 75 and that number appears in the URL, an attacker who changes it to 74 and gets someone else's account has found an insecure direct object reference. Access control bugs are hard to code against defensively: unlike many input-based vulnerabilities, no framework or library protects you by default, because only the application knows which user is allowed to see which object. We are going to continue to see these over the next year.
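To make the account-number example concrete, here is an added example (not code from the original post) showing the vulnerable lookup next to two hardened forms. The account store, the session model and the handler names are hypothetical and constructed for illustration.

```python
"""Insecure direct object reference: vulnerable vs hardened account lookup.

Added example, not code from the original post. The account store, the
session model and the handler names are hypothetical and constructed here.
"""

# Constructed sample data: account id -> record, including the owner's user id
ACCOUNTS = {
    74: {"id": 74, "owner": "alice", "balance": 1200},
    75: {"id": 75, "owner": "bob", "balance": 300},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_account_vulnerable(session_user, account_id):
    """Vulnerable: trusts the id from the URL and never checks ownership.

    Any authenticated user who changes ?account=75 to ?account=74 in the
    URL gets someone else's record.
    """
    return ACCOUNTS.get(account_id)


def get_account_hardened(session_user, account_id):
    """Hardened: the object is fetched, then authorized against the session.

    The id may still come from the URL; the fix is the ownership check
    that runs on every access, not hiding or obfuscating the id.
    """
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # Same response for "missing" and "not yours", so the id space
        # cannot be enumerated by telling 403 apart from 404.
        raise Forbidden("account not found")
    return record


def get_account_scoped(session_user, account_id):
    """Alternative: query only within the caller's own objects.

    Scoping the lookup by owner means there is no separate check to forget.
    """
    own = {k: v for k, v in ACCOUNTS.items() if v["owner"] == session_user}
    record = own.get(account_id)
    if record is None:
        raise Forbidden("account not found")
    return record


def bob_tries_alice(fn):
    """Simulate bob tampering with the id; return True if he is blocked."""
    try:
        fn("bob", 74)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable blocked:", bob_tries_alice(get_account_vulnerable))  # False
    print("hardened blocked:", bob_tries_alice(get_account_hardened))      # True
    print("scoped blocked:", bob_tries_alice(get_account_scoped))          # True
```

The scoped variant is usually the one to prefer in real code: if every query for a user-owned object is built from the session's identity, a missing ownership check becomes structurally impossible rather than something each endpoint has to remember.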
Another big bug category that hits hard, especially as organizations migrate to the cloud, is security misconfiguration. We see a lot of incorrectly configured cloud environments on AWS and Azure, with data leaking because storage was left open. Another instance is source code managed in GitHub or another git host whose permissions are misconfigured so that anyone on the internet can read it.
When you move into the cloud, it is a whole new domain of technology. Learning AWS and its associated technology stack is like learning a new language; sometimes you need a Rosetta stone for it. You have to dedicate time to it, and if you don't, it is easy to misstep. As we continue to move to new technology environments, we will continue to see these bugs.
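The storage misconfiguration described above is usually a bucket policy (or equivalent) that grants the anonymous principal read access. Here is an added example, not code from the original post or from any cloud provider's tooling, that flags such statements in an S3-style bucket policy. The policy documents are constructed for illustration; a real check would load the policy from the provider's API instead.

```python
"""Flag a storage bucket policy that grants the whole internet read access.

Added example, not from the original post or from any cloud provider's
tooling. The policy documents below are constructed for illustration and
use the AWS S3 bucket-policy shape.
"""
import json

# Constructed: a policy that makes every object in the bucket world-readable
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed: same bucket, read restricted to one role in the account
CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed: wildcard principal narrowed by a condition; needs a human look
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-customer-exports/*",
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123abcd"}},
    }],
})

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element matches everyone, unauthenticated callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy_json):
    """Return (open_sids, review_sids) for Allow statements with an anonymous principal
    and a read action.

    A Condition block can narrow a wildcard principal (for example to one VPC), so
    statements carrying one go to the review list rather than being counted as open.
    """
    policy = json.loads(policy_json)
    open_sids, review_sids = [], []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        (review_sids if st.get("Condition") else open_sids).append(st.get("Sid", "<no sid>"))
    return open_sids, review_sids


if __name__ == "__main__":
    print("weak:", public_read_statements(WEAK_POLICY))                # (['PublicRead'], [])
    print("corrected:", public_read_statements(CORRECTED_POLICY))      # ([], [])
    print("conditional:", public_read_statements(CONDITIONAL_POLICY))  # ([], ['VpcOnlyRead'])
```

The policy is only one of the places a bucket can be opened up; ACLs and account-level public-access settings have to be checked too, which is why a scanner like this is a supplement to, not a substitute for, the provider's own block-public-access controls.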
This year we've seen a lot of bugs related to parsing files. Any time your application accepts a file upload, you are either writing custom parsing code or relying on a library. In the past year there have been critical bugs in open source image libraries that let an attacker run code remotely by uploading or editing images. This is exactly what happened with ImageMagick.
Affected versions of the popular image software didn't properly filter the file before handing it to an internal parser (Ghostscript). When a crafted file with Linux commands embedded in it was passed to the parser, the parser executed those commands. An attacker could therefore run commands on the server simply by uploading an "image", turning a bug in the image uploader into full RCE (remote code execution).
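The first line of defense for an uploader is to refuse anything that is not actually a raster image before any image library sees it. Here is an added example, not code from the original post or from ImageMagick, that checks the file's own leading bytes rather than its extension or Content-Type. The handler name and the sample files are constructed for illustration.

```python
"""Reject uploads that are not raster images before any image library touches them.

Added example, not code from the original post or from ImageMagick. The handler
name and the sample files are constructed here. Checking the file's leading bytes,
not its extension or Content-Type, is the point: a PostScript file renamed to .png
still starts with "%!PS".
"""

# Allowed raster formats and the magic bytes each must start with
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": (b"GIF87a", b"GIF89a"),
}

# Formats an image library would hand to Ghostscript or another interpreter
# (PostScript, PDF, SVG/XML, MVG). An avatar uploader has no business accepting them.
INTERPRETED_PREFIXES = (b"%!PS", b"%PDF", b"<?xml", b"<svg", b"push graphic-context")


class RejectedUpload(ValueError):
    pass


def sniff_image_type(data):
    """Return 'png' / 'jpeg' / 'gif' from the leading bytes, else None."""
    for name, sig in IMAGE_SIGNATURES.items():
        sigs = sig if isinstance(sig, tuple) else (sig,)
        if any(data.startswith(s) for s in sigs):
            return name
    return None


def validate_upload(filename, data, max_bytes=5 * 1024 * 1024):
    """Accept only a bounded-size file whose content is a known raster image.

    Returns the detected type; raises RejectedUpload otherwise. The filename is
    used only in the error message because the attacker controls it.
    """
    if len(data) > max_bytes:
        raise RejectedUpload("file too large: %s" % filename)
    head = data[:32].lstrip()
    if head.startswith(INTERPRETED_PREFIXES):
        raise RejectedUpload("interpreted document disguised as image: %s" % filename)
    kind = sniff_image_type(data)
    if kind is None:
        raise RejectedUpload("not a recognised raster image: %s" % filename)
    return kind


def is_accepted(filename, data):
    try:
        validate_upload(filename, data)
        return True
    except RejectedUpload:
        return False


# Constructed samples: a minimal PNG header, and a PostScript payload renamed .png
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PS_AS_PNG = b"%!PS-Adobe-3.0\n/outfile (output.txt) (w) file\n"

if __name__ == "__main__":
    print(is_accepted("avatar.png", SAMPLE_PNG))        # True
    print(is_accepted("avatar.png", SAMPLE_PS_AS_PNG))  # False
```

This check complements, rather than replaces, the other mitigations: disabling the PS, EPS and PDF coders in ImageMagick's policy.xml so that Ghostscript is never invoked for user content, keeping Ghostscript patched, and processing uploads in a sandboxed worker with no network access and no credentials.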
What’s to come
Web vulnerabilities are going to continue, although they may come in different flavors with the advent of cloud and IoT. Both have been talked about for a while, but widespread cloud adoption and IoT devices are now becoming reality, and security is not built in at the core. We will likely see a return to brutally easy bugs, especially in new computing environments. The car hacking bug bash we hosted this year in Louisville highlights this trend: our security researchers found over 15 critical and high severity issues in vehicles.
Additionally, managing your assets is going to come to a head in 2019. It is a basic, fundamental thing that application security professionals continue to struggle with. The bigger you are as an organization and the more companies you acquire, the harder it is to manage your assets. Most bugs are not found in flagship applications but in obscure domains, apps and services that have been left behind and unaccounted for. Large Fortune 500 companies have a really hard time with this because they simply don't know what they have on the internet. Even smaller organizations struggle to know exactly what they own: old internal apps, forgotten APIs, and so on. The more we move to the cloud, the harder it is to track.
Moving to new technology environments is going to require more skill and education to combat the new vulnerabilities that appear, as well as more crowdsourcing to keep pace with the growing number of attack vectors. The skill shortage is growing at an alarming rate, so we will need to double down on recruitment and education, on building the security community and on encouraging diversity. Bugcrowd University was created to teach the basics of hacking and bug bounty hunting, addressing the skill shortage by introducing new researchers to crowdsourced security and upleveling the skills of the white hat hacker community across the board.
We are going to see more crowdsourcing, more small competitors as the model proves itself, and new inroads into other crowdsourced security applications such as forensics and threat hunting. Next year it is going to be about individual contributors and tracking skill sets. We will eventually reach a point where a security professional no longer has to take a consultancy job; they can work from anywhere.