Events

Application Security at Hyper-Growth Companies

Security leaders from some of the world’s fastest-growing app companies got together in February 2022 at the CYE-hosted webinar to share their experiences keeping apps safe from the exponential rise of cyber risks.

Read their take on protecting apps, enterprises and individuals or watch the recording on demand.

They’re after your data

Sharon Halperin: In most attacks on mobile companies and mobile apps, we’re trying to protect the data.

We can start by looking at the attack surface of the mobile app itself, meaning the phone and the network to which this mobile phone is connecting. However, securing the phones on which the apps run and securing the networks through which they communicate is really out of app developers’ hands for the most part.

More importantly, we must think about the data that the app is actually collecting and processing. That’s what we want to protect the most! Mobile apps can collect different types of information about you. For instance, a mobile app can have your location at all times and could be used for additional monitoring. On the other hand, processed data is not stored on your mobile app, at least not for the long-term. It’s probably stored in a data center or at a cloud provider somewhere.

Depending on what an attacker is after, they’ll use different routes, meaning whether you (as a person) are specifically the target of an attack, or whether they’re trying to attack the company in order to get a hold of a lot of data. Of course, we’re also protecting the app itself, like using secure login (MFA). When there’s an option, we also make sure there’s no data leaks in the app and things like that.

Tomi Tuominen: As an enterprise, you’re mostly interested in existential things – things that could really kill your enterprise completely.

As an enterprise, you’re obviously mostly interested in existential things. After you have identified those, the data usually takes center stage. You want to minimize the attack surface, which might be internet-facing APIs or making sure the requests that reach your API endpoints have actually originated from the phone.

Every time a security boundary is crossed, such as when registering a user, making a purchase or doing some changes, there’s always a risk of fraud. For example, during initial user registration, the app is exposed to things like SMS fraud or text message fraud and you run the risk of spamming random users when you try to validate the email addresses.

The potential gain from a mobile device is mainly the ability to listen to everyone around you.

Rubi Aronashvili: You can see everything that is going on there, and you have the associated GPS that goes along with it. So in general, you have millions of perfect civilian devices deployed throughout the world, and if you’re able to get access to those items, you’re in very good shape.

It’s harder to do, but the impact of a mobile device breach is quite significant.

Are phones harder to breach than computers?

Tomi Tuominen: Your mobile phone is very likely the most secure device that you own. Phones need permissions for each and every app that is installed. Phone owners are alerted when the camera is turned on, when your location is accessed or when your contacts are accessed. Supposedly laptops don’t have that. Your mobile device was designed without the security or technical debts that legacy computer systems have.

Android vs. iOS

Tomi Tuominen: Only one of these companies goes on record saying that privacy is a fundamental human right and I can tell you, it’s not Google who’s saying that.

Android was basically done by the largest ad agency in the world. Whereas iOS (meaning Apple) devices are completely manufactured and controlled by Apple – just because they want to protect their business model.

Mobile devices, especially the ones from Apple, are well-designed. iOS devices have been designed extremely well and they are extremely robust. It’s not because Apple wanted to make the most secure device on the planet. It’s just because they wanted to protect their business model. They’re getting a large percentage of each and every app sold in the App Store. That was their motivation for designing a very, very secure thing.

Rubi Aronashvili: Their architecture is harder to breach than a PC or other computer environments.

We’ve seen multiple attacks against mobile devices.

It’s more difficult to extract really beneficial things from mobile devices, it’s not bullet proof.

Is it just harder to breach mobile phones or is it just because there’s just less experience out there doing it?

Sharon Halperin: Yes, mobile devices are newer systems, the architecture is more sophisticated, it’s more tightened down, but it’s good that most of us regularly update our phones right away. We’re all smarter and we’re developing in a smarter way. But we have to remember that our competition and the attackers are also getting better at figuring out how to hack them.

David Bental: We have been seeing some approaches and methodologies that are equivalent to classic ones for attacking mobile devices and laptops. For an example, injecting something into a mobile device. Once you’re in there, you can use different kinds of approaches, and there are various ways to manipulate private APIs on the iOS. But there’s a another issue. While we’ve been focusing on static and dynamic analysis, we have been seeing attacks on the hardware itself, meaning on a lower level than the app level.

Supply chain attacks are on the rise

Martin Miller: In our previous webinar with David B. Cross – CISO of SaaS Cloud – Oracle, Nir Tzuk – Founder & CTO – Palo Alto and Cohavit Almagor – Director of Engineering – Google, we discussed how supply-chain attacks are on the rise. You can watch that webinar here.

Sharon Halperin: All consumer-facing and non-customer facing companies are heavily dependent on third parties or vendors, which causes that supply chain risk, because it’s really very hard for us to control. Vendors must have access to our environment, so we must do our due diligence of all of our vendors, including our security vendors and understand their security posture before we let them in.

Tomi Tuominen: This whole supply chain thing is already happening, and it is one of the hardest problems out there to solve. I might be a bit biased because I have pretty good visibility into how the Apple App Store works. I think that a large scale compromise would be very, very difficult to achieve. I mean, if there’s one thing that Apple is very good at, it is designing these kind of things. Maybe Google should ask them how to do it properly.

Sharon Halperin: What’s safe today does not necessarily stay that way – third-party vendor risk is probably the biggest risk we have right now.

We might have tested it to know whether it is safe, but that can change. It can happen that they were inserted with malware and then that inserted malware into system updates that we all downloaded.

None of us can develop any product without being reliant on vendors and third parties.

We need their help to produce our products. That’s the reality that we live in today. And that is why I think that third-party vendor risk is probably, the biggest risk we have right now.

David Bental: I agree. If an attacker wants to run a simple recon on a target or to target a specific enterprise company, no matter what size, all they need to do is to go to their privacy policy and check their sub-processor list. So they can usually start there. And from that point on, they can basically know the app’s third parties and fourth parties.

How do you prepare for malware inserted into third-party/vendors?

Rubi Aronashvili: The bad news is that if someone is determined enough, if someone has the focus and the determination to do it, as well as the access to the code, then it’s probably possible.

In my previous life working for the government, I can tell you one thing for sure, if you want to add a code snippet into a large source code you can stay under the radar. Even with all the procedures, like static code analysis, dynamic code analysis, manual source code review and managerial review, it is something that is hard to avoid.

Sharon Halperin: Attacking a company is probably an inefficient way for the attacker to get what they want, even if it’s a mobile-app-direct-to-consumer company. Attackers probably want to go to where the data is and not attack the app directly.

Tomi Tuominen: I think that for an attacker, altering the source code is not the best idea to begin with. I mean, if I were an attacker, I would rather use something like post commit hooks on GitHub or just on your Jenkins server. Everybody and their neighbor is running Jenkins or some sort of other CI/CD pipeline.

Hyper-growth creates hyper risks

Rubi Aronashvili: When you start to grow, the attack surface grows as well.

Initially, as a small startup, the only consideration is the business and nothing else is important. But when you start to grow, the attack surface starts to grow as well. When you have more people, you have more assets to protect and not everything is black and white.

The key to handling security during growth is visibility

Companies must what they have, what is at risk, make smart decisions about prioritizing mitigation and then maintain that over time.

In cybersecurity, you will hear that everything is important and everything is critical and everything needs to be done now – monitoring, and incident response and everything. Everything might be important, but you can’t do everything at the same time. You have to prioritize.

Sharon Halperin: Cybersecurity Must be a Business Enabler and Not a Business Blocker

Rubi Aronashvili: At CYE, we see some very absurd cases where companies have no cybersecurity, then they add cybersecurity professionals who implement various cybersecurity processes. But then they block the business. Cybersecurity must be a business enabler, not a business blocker. Once your cybersecurity control/concept/capabilities block the business, something is wrong.

Visibility comes first, then understating the risk and then prioritization of risk mitigation.

This is a very simple concept and if you don’t follow it, you can get lost very quickly.

Tomi Tuominen: In a modern company, you can’t be a blocker. If you’re going to use your security certification power to block actions, people are going to go like – “Well, that’s a nasty thing to do on your last day of working here!”.

Aim to remediate complete vulnerability classes

If you’re joining a company as a VP of security or CSO or something like that, I’ll give you one piece of advice – on your first day, Delete all the S3 buckets. All the latest compromises have started from these S3 buckets that had confidential information in them.

But to answer a little bit more seriously, I think that the biggest difference between a hyper-growth company and a regular company is that you are not able to concentrate on a single vulnerability or any single bug.

You must take actions that will actually remediate complete vulnerability classes.

David Bental: It’s important right from the start to nurture a very security-aware culture.

As startup/bootstrap/seed level companies grow, this crucial stage must be the start of forming a security-aware culture. People must start separating tasks into domains, so that each person has a responsibility for a specific domain (like IT and security) with its own KPIs and strategies, instead of 10 or 20 people running around doing everything.

Hyper growth means hyper changes – you need to be able to react quickly

Rubi Aronashvili: During hyper growth, things are happening very, very fast. You need to be agile enough to support fast-growing and fast-changing kinds of environments. The old-fashioned approach of let’s plan five years ahead, won’t work.

Sharon Halperin: Developers today need a lot of access. You must be able to run alongside your business and be an enabler. These days we are seeing continuous development and deployments – there’s no breaks in the process. You must constantly be aware of what’s going on and put those rules where they are needed in order to make sure you’re catching things and staying ahead of the latest changes.

Security work is not easy

Sharon Halperin: There’s so much work for the security team to do on so many different channels. We have our compliance channel, because we want to enable the business, we need to look at our assets, we have to have IT security and we need to look at our cloud environment.

There’s risks everywhere. And we don’t want to be crying wolf all the time. So we must strategize and prioritize what we decide to tackle.

David Bental: I always like to say that what happens in this fast paced environment is that “we build the plane while it’s in the air – meantime, the flight attendants are walking around the plane holding trays and serving guests.” In a growth company, initially the security guys usually bump heads with product, because product thinks that too many security processes damage the funnel.

Tomi Tuominen: You need to make sure that everything that you do actually integrates into the developer’s experience without making them change their workflow.

Your job is to offer them the tools and the guidance in a way that it is part of their usual daily workflow.

Sharon Halperin: We must teach them and partner with them in order to increase knowledge and awareness, and to make sure that they are more security minded. Sometimes partnering with the senior staff works better, because they’ve been around the block and understand the value of security and can help us instill awareness in a younger generation of developers.

Tips for growing companies

Individuals

David Bental: Security-minded individuals should go with the basic concept of – something you know and something you have – basic MFA.
Educate yourself and try to understand what it means to agree to an app’s permission requests.

Tomi Tuominen: Handle your personal finances (online banking/payments) on an iPad or iPhone.

Sharon Halperin: Use passwords on your phone and use MFA whenever you can. Don’t ignore security updates!
Get into the habit of deleting apps. Unused apps just increase your attack surface.
Have your own business continuity or disaster recovery plan in case your phone is lost or stolen.

Rubi Aronashvili: Always assume a breach kind of situation when you’re in the shower. If you want to hear music on your phone, at least don’t aim the camera directly at yourself. Once you understand that potentially your phone can be used in a malicious way, you have another layer of defense – the human defense.

Security Professionals

David Bental: We must always stay on top of our game and continually learn, read, sharpen our skills and conduct technical conversations, while communicating and creating awareness in our organizations. Things change quickly.

Tomi Tuominen:  Security professionals should adopt the mentality that their job as a security leader is to support the business in any way they can. Their business is to make everybody else succeeds and to be pretty damn humble about it.

Sharon Halperin: Have a risk-based vulnerability program that is aimed at finding your security holes and back doors. Find a few trusted red team vendors that you like and rotate them so that you get different findings in different flavors.

Rubi Aronashvili: I really connect with what Tommy said. As a supporting function in the organization, you need to know how to tell them how to do what they want in a secure way.
Choose your cyber security battles, meaning what you are going to do, what you’re going to fix, what you’re going to mitigate and where you’re going to invest.

Path Copy 3

By CYE
February 22, 2022