Security firm Fallible created an online tool that reverse engineers any Android app to look for secrets and keys to AWS accounts. These keys and secrets can give full and uncontrolled access to extract and delete entire customer data sets, along with all the machines that run your application and site.
Fallible built the tool because of an internal need, as the company were constantly required to reverse engineer apps for their customers to examine them from a security standpoint.
The company have now reverse engineered over 16,000 apps. Although most of the apps didn’t have any sort of key or secret in them, they reported that “some 2,500 apps contained either secrets or third party keys”. That’s a big security risk to those apps and – ultimately – to the user.
Fallible’s findings show that lots of developers are indeed “fallible” and aren’t so good at setting up a secure infrastructure or enforcing security, separation and best practices.
So what lessons can you learn from this to make sure your products and services are secure?
The key for developers to make sure their products and services are secure is to follow security best practices. But the honest answer is that unless you are a professional systems administrator you are unlikely to know such best practices.
Here are some of the common methods that developers can use to secure their products and services:
1. Separation of concerns: Running servers and services on isolated or separate Virtual Machines or containers. Understand where your critical data is stored, and use firewalls and Access Control Lists to limit traffic to and from those network segments.
2. Password policies: To strengthen and clarify the education given to your users, you should clearly outline the requirements for using strong passwords. Make sure employment contracts and SLAs have sections that clearly define these security requirements and that your team are using strong passwords.
3. Limit permissions granted: Only allow the tool or user to do the bare minimum of what they require. By creating specific controls for all of your users, you limit their access to only the tools and systems they need to do their job or perform a task.
4. Encryption: Encrypt everywhere possible, such as in transit, at rest, within code and on your versioning system, etc. Encryption is essential to protecting sensitive data and to help prevent data loss due to theft or equipment loss.
5. Implement user activity monitoring: This allows you to monitor users and see what they are doing on your system and provides an audit trail. If a malicious user gains access to an employee’s system – or if an insider chooses to take advantage of their system access – you will be notified of any suspicious activity.
6. Patch any security holes: Despite the hype, most hackers exploit known vulnerabilities. Make sure you are investing time in patching your systems and keeping up to date with the latest developments in the security world.
7. Automate: Your attackers are using automated tools to scan ports and identify misconfigured devices, so you should be automating your system security. Automating security tasks not only mitigates human errors, but frees up precious developer time to focus on more strategic initiatives.
8. Educate your users: Have a well-organised, well-understood, well-maintained, and well-monitored security policy for both employees and third-parties that access your system. Also make sure they undergo periodic training to keep their understanding of security policies up to date.
9. Avoid hard coding: Never hardcode plain text secrets or keys into your source code!
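A pre-release check for items 7 and 9 above, as an added example that is not part of the original article and is not Fallible's tool: it scans an app's own source files for strings shaped like AWS access key IDs and secret access keys, and reports them redacted. The file suffixes and the entropy threshold are assumptions, and the sample key pair is the placeholder from AWS documentation.

```python
import math
import re
from pathlib import Path

# AWS access key IDs: 20 upper-case alphanumerics with a fixed prefix
# (AKIA = long-term key, ASIA = temporary key).
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys: 40 base64-alphabet characters with no prefix, so
# candidates are filtered by entropy to drop SHA-1 digests and similar.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
MIN_ENTROPY = 4.2  # bits per character; assumed threshold (40 hex chars stay below 4.0)
SUFFIXES = (".java", ".kt", ".xml", ".properties", ".gradle", ".json")  # assumed set

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value):
    """Keep enough of the value to locate it, never the whole secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(text, source="<memory>"):
    """Return (source, line_no, kind, redacted_value) for each finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((source, line_no, "aws_access_key_id", redact(m.group())))
        for m in SECRET_CANDIDATE.finditer(line):
            if shannon_entropy(m.group()) >= MIN_ENTROPY:
                findings.append((source, line_no, "aws_secret_candidate", redact(m.group())))
    return findings

def scan_tree(root):
    """Scan an app's own source tree, e.g. as a CI gate before release."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SUFFIXES:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample; the key pair is the placeholder from AWS documentation,
# and BUILD is a SHA-1 digest that must not be flagged.
SAMPLE = """public class Config {
    static final String KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String BUILD = "da39a3ee5e6b4b0d3255bfef95601890afd80709";
}"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "Config.java"):
        print(*finding)
```

Any finding should fail the build, and a key that has already reached a commit or a shipped app should be rotated rather than just deleted from the source.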
To add more complexity into the mix, each cloud service or provider also has a ‘best security practices’ guide – potentially for each service they provide.
For example, the Amazon Web Services (AWS) security best practices guide will help you define your Information Security Management System (ISMS) and build a set of security policies and processes for your organisation so you can protect your data and assets in the AWS Cloud.
Their guide also provides an overview of different security topics, such as identifying, categorising and protecting your assets on AWS; managing access to AWS resources using accounts, users and groups; and suggesting ways you can secure your data, your operating systems and applications, and your overall infrastructure in the cloud.
Likewise, Microsoft Azure have a security best practices and patterns guide, derived from their experience with Azure networking and the experiences of managed cloud services specialists like Digital Craftsmen.
The main point to keep in mind is that security is an ongoing concern.
The security landscape is changing rapidly, which means you need to allocate resource to managing security and implementing best practice. If you do not have the expertise or resources to devote to IT security or system planning, you should consider transferring this risk to a specialist managed cloud provider such as Digital Craftsmen.
Although computing is on-demand and developers now revel in the flexibility they have to provision machines, they may not have the skill set or time to manage your production systems or the ongoing operation of your new system.
If you want to discuss the security of your cloud product and services, then Digital Craftsmen are the right people to speak to. We’re managed cloud specialists and have been securing clients’ online products and services with security best practices for a long time, meaning we have the skills and experience to make your cloud setup secure.
Call Digital Craftsmen now on 020 3745 7706 or email [email protected] for more information on our cloud security services.