There are endless ways to divide vulnerabilities into different classifications. Each more granular than the other. However, there is also a need to for a simple divide, targeted to the business. That is the problem this post will solve. By using the same categories as in the post Security for Any Development Team I will break down security vulnerabilities into three categories. After reading this post, you will get an insight into why vulnerabilities may arise, and what can be done to minimise the risk.
The Three Categories of Vulnerabilities
The three categories are presented in this post are:
- Context Dependant Vulnerabilities
- Business Logic Vulnerabilities
- Vulnerabilities Abusing the Technology Stack
Context Dependant Vulnerabilities
This group of vulnerabilities is mostly relevant in system development. They include vulnerabilities that are based on input and output of data. Whenever data is entered into the system, and then exit the system there is a risk of Context Dependant Vulnerabilities. One of the most common examples are Cross-Site Scripting vulnerabilities (also known as XSS). This vulnerability occurs when the system somehow allows a user to inject code into the website (JavaScript), that then will execute. In doing so the attacker gains access to everything on the webpage, allowing them to perform any action as the user. In this example the web application does not accurately handle the data that is input as text (string) and printed on the webpage (HTML encoded string).
This kind of issue mainly occurs when developing new systems or application. Therefore, it is important to have an awareness throughout the whole development process about the risk. The requirements, design, implementation and testing needs to take this kind of vulnerability into account. A good way to initiate discussions about this kind of vulnerabilities is Threat Modelling. By threat modelling the team initiate a discussion about the system, any integrations between parts, as well as the risks that might occur.
Even though it seems to be a daunting task to look at all data flows, the good thing is that as long as no changes are made to the system, no new vulnerabilities will be introduced. Context dependant vulnerabilities are therefore stable, and will have a limited growth over time.
Business Logic Vulnerabilities
Business Logic vulnerabilities occurs as a result of misunderstandings between the business and the team implementing the system. What happens if someone can abuse the business functions? A common example is the web shop that allowed users to order -1 items, debiting their account accordingly. However this can be much more complex, and require an intricate understanding of the business.
To minimise the risk of this kind of vulnerabilities there are two things to do. Firstly the requirements for the system needs to be complete. They should not only indicate what functionality should be there, but also what should not be allowed. By detailing the requirements the business gives the team implementing the features a better understanding and therefore allow them to see the risks. The second step is a good old fashioned risk analysis. However, it is important to emphasise that the risk analysis should be of the system, not the project that implements it. In what way could the system be abused and what could the goals for an attacker be?. These questions needs to be answered to minimise the risk.
Vulnerabilities Abusing the Technology Stack
If the two previous kinds of vulnerabilities have their root in the development phase, this category is more based on configuration and maintenance. This is known vulnerabilities that occurs due to a lack of system hardening (e.g. weak passwords or outdated web-server). This also means that even though no further development of the system has occurred, new vulnerabilities may arise. When implementing the system it is important to harden the system, and then after release it should be maintained and its life cycle managed.
Due to the sheer number of devices relying on common software (such as web-servers or operating systems) this group of vulnerabilities are often used for non targeted attacks. For example a ransomware gang might not care whom it infects and therefore just scan the internet for vulnerable systems. These systems are then automatically infected. The goal is infecting as many victims as possible not just a single target.
Always updating soft- and hardware is an endless battle. A race against the attackers. How can we ensure that systems are up to date and hardened according to the latest standards? In addition, any update might have an impact to the functionality. Therefore there needs to be a balance with stability requirements.
This group might have the easiest solution, just update and configure, but the time investment is huge. Since you need to continuously need to maintain the system the investments are recurring. Depending on the size of the company the goals might be different. However, the risk of attack has to be weighed against the cost in an analysis for each business.
Summary
Any business using IT systems needs to be aware of the kind of vulnerabilities that might impact them. By having a basic awareness and specify the requirements of their systems the business will be better equipped to manage their risk.