Showing items from external attack surface

Software Dependency Failures: jQuery, a Canary in the Coal Mine

Keeping dependencies up-to-date is challenging for any software development project and even more so from a systems administration point of view. Too often you see packaged web projects, which have been put together and then forgotten. They contain dependencies to third party libraries, which never get updated even if the application itself is maintained – at least to some extent. In my daily work I research the impact of vulnerabilities on the scale of the Internet. Most of the time, vulnerabilities in protocols, services and platforms keep me and other security professionals busy, whereas the upper layers and especially the web layer is often something of an afterthought. To find out whether there is a pink elephant in the room, I wanted to analyze a web application library which is ubiquitous and has had issues with vulnerabilities which are more or less persistent – which lead me to jQuery. My hypothesis was that software dependencies cause hidden vulnerabilities in applications considered secure, even if they are otherwise developed or maintained as they should.

Continue Reading

Further Examination into External Attack Surface

Reducing Attack Surface Decreases Security Risk In my previous write-up I explained why tracking digital assets is important, and listed some methods to get started with it. I trust that once you read it, you immediately set off to gather a list of your IP and domain assets. Since then, Tuomas Haarala has further elaborated on discovery methods from a systems administrator perspective in a write-up of his own. Armed with these tools, we can now venture further into the realm of attack surface reduction. This write-up will concentrate on the process of moving from cataloguing assets to having an idea on the attack surface involved. As laid out in my previous post, the steps in this process are: Research the attack surface, i.e. open services, related to these assets. Determine whether there is something that needs fixing within these services. This write-up will focus on the first step, and the second will be covered in a follow-up.

Continue Reading

Management Interfaces - Attack Surface Hidden in Plain Sight

A management interface, who is it for? Modern web-based management interfaces help with the economy of scale. If you are a software vendor making a solution, supporting it is easier with clearly defined UI options rather than debugging obscure configuration file parameters. If you are an end-user, a management interface is there to make life easier for you as well. Having a management interface helps you: deploy the solution make complex changes to it generate management level reporting for the key KPI. These features often become tender items and a vendor will find itself in a position where developing a management interface web UI is a must have instead of a nice to have. Too often features are implemented in software through a tick box comparison, since the rationale is that we must have them since our competitor has them. It doesn’t really matter, whether the features actually serve the customer and their business function or not.

Continue Reading