Top Application Security Threats And How To Counter Them
Social media marketing comes with big hype, and much of that hype is justified. More than half of small businesses plan to increase their social marketing budget in 2017, and social campaigns deliver a positive return on investment for 90 percent of organizations. So, it’s no surprise that more marketers and C-suite executives are pushing for more social integration and the development of social-focused apps that integrate big platforms such as Facebook, Twitter, and Instagram.
The challenge? Attention from marketers and users has dramatically increased the social media attack surface, and also piqued the interest of cybercriminals. For example, a host of high-profile Twitter accounts was recently hacked to display offensive messages and images. Twitter itself wasn’t the problem; instead, a third-party app with integrated permissions was compromised. For marketers, this is a worst-case scenario — what if their applications or services are responsible for this kind of breach? Combating the problem starts with knowledge of top application threats: What are they? How do they impact social apps? How can companies increase overall application security?
Are your apps tested well enough? While many companies spend some time and effort running new apps through their paces, the rapidly changing social market often leads teams to prioritize speed above security, meaning that incomplete or insecure apps are released to the public at large. What’s more, organizations often assume that their “small” app won’t attract the attention of prolific hackers more concerned with scoring big with a Twitter or Facebook breach. As noted above, however, third-party apps can open the door to huge data breaches. The moral of the story? Test more, test often, and then test again.
It started with denial of service (DoS) attacks: hackers flooded applications with access requests or random characters to quickly take them offline. The rise of always-connected mobile devices and the Internet of Things (IoT), meanwhile, has created an ideal environment for “botnet” attacks that leverage massive groups of linked machines to generate up to 1TB of traffic per second, the distributed form of the attack known as DDoS. While there’s no quick fix for DDoS, you need a solution that notifies admins as soon as possible of any suspicious network behavior and shuts down traffic from risky IPs.
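The “notify admins and shut down risky IPs” requirement above is, at its simplest, a rate check over the request log. The following is an added example (not code from the original article or from any product it mentions): it parses a constructed access log, flags any client that exceeds a request threshold inside a sliding time window, and renders the flagged addresses as deny rules for a hypothetical firewall. The log format, the threshold and the rule syntax are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque

# Constructed sample access log (not from any real system):
# "<client ip> <epoch seconds> <method> <path>", one request per line.
# 203.0.113.7 fires eight requests in four seconds; 198.51.100.4 browses normally.
SAMPLE_LOG = """\
203.0.113.7 1488362400 GET /api/feed
198.51.100.4 1488362400 GET /login
203.0.113.7 1488362400 GET /api/feed
203.0.113.7 1488362401 GET /api/feed
203.0.113.7 1488362401 GET /api/feed
198.51.100.4 1488362405 POST /login
203.0.113.7 1488362402 GET /api/feed
203.0.113.7 1488362402 GET /api/feed
203.0.113.7 1488362403 GET /api/feed
203.0.113.7 1488362403 GET /api/feed
198.51.100.4 1488362412 GET /api/feed
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")


def parse_log(text):
    """Return (ip, timestamp, method, path) tuples in time order, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, ts, method, path = m.groups()
            records.append((ip, int(ts), method, path))
    records.sort(key=lambda r: r[1])  # stable sort keeps log order within a second
    return records


def find_flooding_ips(records, window_seconds=10, max_requests=5):
    """Sliding-window rate check: flag an IP the first time it has more than
    max_requests within any window_seconds span.
    Returns {ip: (timestamp_when_flagged, requests_in_window)}."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts, _method, _path in records:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_seconds:  # drop requests older than the window
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = (ts, len(q))
    return flagged


def block_rules(flagged):
    """Render flagged IPs as deny rules for a hypothetical firewall configuration."""
    return ["deny from %s  # %d requests in window at t=%d" % (ip, n, ts)
            for ip, (ts, n) in sorted(flagged.items())]


if __name__ == "__main__":
    hits = find_flooding_ips(parse_log(SAMPLE_LOG))
    for rule in block_rules(hits):
        print(rule)
```

The window and threshold are the tuning knobs: set them from the normal request rate of the app rather than guessing, and treat the rules as a trigger for an alert to an admin before they are pushed to a firewall, since a shared NAT address can make many legitimate users look like one flooding client.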
SQL and XSS
Social media marketers have their own acronyms to worry about — KPI, CMS, SEO to name a few — but it’s also worth understanding the app threats posed by SQL and XSS attacks. Structured query language (SQL) injection attacks use input fields such as username and password, whose contents are passed into SQL database queries, to “inject” other commands and take control of applications. With 60 percent of apps potentially at risk, it’s worth locking down SQL command permissions to reduce the chance of a hostile takeover.
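To make the two halves of that advice concrete, here is an added example (not code from the original article) using Python’s standard sqlite3 module and an in-memory database with constructed users. It places a login query built by string formatting, which lets the username field alter the query, beside the parameterized form that keeps user input out of the SQL text, and then uses sqlite’s authorizer hook to lock the connection down to read-only statements, which is the “SQL command permissions” point. The user table, the login functions and the read-only policy are assumptions for the demonstration; a production database would use its own account privileges rather than a per-connection hook.

```python
import sqlite3

# Constructed sample accounts (plaintext passwords kept only to keep the demo short;
# a real app stores password hashes).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so the field contents become part
    of the SQL text and can change what the statement means."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL
    text, so field contents are compared as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def restrict_to_reads(conn):
    """Lock the connection down: only SELECT/READ (and function calls) are
    authorized; DELETE, DROP, UPDATE and the rest are denied at prepare time."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, _arg1, _arg2, _dbname, _source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def try_delete_all(conn):
    """Attempt a destructive statement; report whether the permissions let it run."""
    try:
        conn.execute("DELETE FROM users")
        return "allowed"
    except sqlite3.DatabaseError:  # sqlite reports an authorizer denial as 'not authorized'
        return "denied"


if __name__ == "__main__":
    db = make_db()
    # A username crafted with a quote and comment marker ends the vulnerable query
    # early, so the password check is never evaluated.
    print("vulnerable:", login_vulnerable(db, "alice' --", "wrong"))
    print("hardened:  ", login_hardened(db, "alice' --", "wrong"))
    restrict_to_reads(db)
    print("delete after lockdown:", try_delete_all(db))
```

Parameterization is the fix for injection itself; the authorizer (or, outside sqlite, a database account granted only the statements the app needs) limits the damage if some query is missed, which is why the two belong together.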
Cross-site scripting (XSS) attacks, meanwhile, rely on flaws in Web-based apps or browsers to inject new scripts and force applications to follow hacker instructions. Developing a robust content security policy (CSP) — one that specifies which Web-based scripts are allowed to run and which are off-limits — helps limit the impact of XSS.
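The two layers that address XSS are escaping user-supplied text before it is placed in a page, and a CSP header that tells the browser which script sources may run at all. The following added example (not code from the original article) shows both for a hypothetical comment feature: it escapes a constructed comment, builds a policy that allows scripts only from the page’s own origin and a named CDN, and includes a simplified check of whether a given script would be permitted under that policy. The check models only the ‘self’, ‘unsafe-inline’ and full-origin forms of CSP source matching; real browsers also handle host wildcards, scheme-only sources, nonces and hashes, which are left out here.

```python
import html
from urllib.parse import urlsplit


def render_comment(author, body):
    """Escape user-supplied text so markup in a comment is displayed literally
    instead of being parsed as HTML or script."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (
        html.escape(author, quote=True), html.escape(body, quote=True))


def build_csp(script_origins=(), allow_inline_scripts=False):
    """Content-Security-Policy value: scripts only from our own origin and the
    listed origins; inline script blocks are off-limits unless explicitly allowed.
    object-src 'none' also blocks plugin content."""
    sources = ["'self'"] + list(script_origins)
    if allow_inline_scripts:
        sources.append("'unsafe-inline'")
    return "default-src 'self'; script-src %s; object-src 'none'" % " ".join(sources)


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def script_allowed(header, page_origin, script_src=None):
    """Simplified browser decision: may this script run under the policy?
    script_src=None models an inline <script> block; otherwise an absolute URL."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_src is None:
        return "'unsafe-inline'" in sources
    parts = urlsplit(script_src)
    origin = "%s://%s" % (parts.scheme, parts.netloc)
    if "'self'" in sources and origin == page_origin:
        return True
    return origin in sources


if __name__ == "__main__":
    # Constructed comment containing markup, as an attacker-controlled field would.
    print(render_comment("eve", "<script>alert('xss')</script>"))
    policy = build_csp(["https://cdn.example.com"])
    print(policy)
    print("inline allowed:", script_allowed(policy, "https://app.example.com"))
    print("cdn allowed:   ", script_allowed(policy, "https://app.example.com",
                                            "https://cdn.example.com/lib.js"))
```

Escaping stops the injected text from becoming a script in the first place; the policy stops a script that slipped through from loading code from anywhere but the sources you listed. Tightening the policy usually means moving inline scripts into files served from your own origin so that 'unsafe-inline' never has to be added.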
Permissions and Potential Takeovers
What is the easiest way to get social apps up and running? Use existing code and APIs (often open-source) to limit the need for new code development. The problem is that flaws in existing code, and newly discovered weaknesses in it, can put your apps at risk. Combat this problem by including extra security measures where hackers may not expect them, or by including enough of your own code to make it troublesome for attackers to compromise, compelling them to try their luck somewhere else.
Social apps are also prone to “session hijacking,” which allows hackers to take over a social connection in progress and wrest control from the user. While it’s not a good idea to disable cookies, you can reduce the risk of hijacking by generating a new ID for each session and encrypting all IDs.
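As an added example of the session advice above (not code from the original article), the following hypothetical in-memory session store issues a fresh, unguessable ID for every session, rotates the ID when the user logs in so an ID seen before authentication is no longer valid afterwards, expires stale sessions, and emits the cookie with the Secure flag so the ID is only ever sent over an encrypted (HTTPS) connection. Treating “encrypting all IDs” as “never let the ID travel unencrypted” is an interpretation made here; the store itself, its time-to-live and the cookie name are assumptions, and a real deployment would keep the table in a database or cache.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by a random ID.
    Hypothetical in-memory store for illustration only."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised deterministically

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter

    def create(self, data=None):
        """Start a session with a brand-new ID; returns the ID."""
        sid = self._new_id()
        self._sessions[sid] = {"data": dict(data or {}),
                               "expires": self._clock() + self._ttl}
        return sid

    def lookup(self, sid):
        """Return the session data, or None if the ID is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] < self._clock():
            self._sessions.pop(sid, None)
            return None
        return entry["data"]

    def rotate(self, old_sid, **updates):
        """Issue a fresh ID carrying the same data (plus updates) and invalidate
        the old one. Call this on login or any privilege change, so an ID observed
        before authentication cannot be replayed afterwards."""
        data = self.lookup(old_sid)
        if data is None:
            return None
        del self._sessions[old_sid]
        data.update(updates)
        return self.create(data)

    def destroy(self, sid):
        """Logout: drop the session so the ID stops working immediately."""
        self._sessions.pop(sid, None)


def session_cookie(sid, name="sid"):
    """Set-Cookie value: Secure confines the ID to HTTPS, HttpOnly keeps it away
    from page scripts, SameSite=Lax limits cross-site sending."""
    return "%s=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % (name, sid)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create({"user": None})
    authed = store.rotate(anon, user="alice")  # login: new ID, old one dead
    print("old id still valid:", store.lookup(anon) is not None)
    print("Set-Cookie:", session_cookie(authed))
```

Rotation on login is the step most often skipped; without it, a session ID that reached the user over an insecure channel, or that was planted before login, keeps working once the user authenticates.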
“Zero day” threats are attacks that occur immediately after an app has been released or updated: hackers either find an unknown flaw or create one and begin to quickly compromise all active connections. You can lower the chance of zero-day issues by leveraging in-house code for critical components, rigorously testing all permissions and controls before release, and, if necessary, by pulling the app completely to assess and fix the problem.
Want better social marketing impact? Build the right app. Looking to shore up data security and user privacy? Understand emerging app threats and take steps to safeguard your software.