Application-Centric Security

Security Threat Landscape

This section gives an overview of the assets and threats in Domain 5 on application-centric security, spanning the full spectrum of applications. The major sources of information for this study are OWASP[1] and SANS[2] reports. It is important to note that this section does not consider applications providing functionalities for infrastructure/system/network management.

Threats

In this section, we discuss the threats that can be mapped to the application asset taxonomy. Our review was driven by the OWASP and SANS generic risk assessments. In general terms, threats such as injection and application malfunction may strongly affect IT systems as a whole. In fact, current IT systems are heavily based on applications/services composed at run time and are therefore exposed to attacks and breaches. Deliberate attacks on hosting platforms and failures/malfunctions (e.g., malfunction of the ICT supporting platform) can also be important sources of risk. We introduce the major characteristics of the threat taxonomy, with a special focus on cyber-security threats, that is, threats applying to information and communication technology assets. We also consider threats not related to ICT and caused by humans during their activities.

A threat to application assets can be considered as “any circumstance or event that affects, often simultaneously, services and applications distributed over the Web”. The threat taxonomy is a consolidation of threats previously considered in other documents/reports [3] [4] and is composed of the following categories.

  • TG5.1 – Unintentional damage: This group includes all threats causing application malfunctioning or loss of confidentiality/integrity/availability due to human errors.
  • TG5.2 – Interception and unauthorized acquisition: This group includes threats introduced by alteration/manipulation of the communications between two parties. Depending on the circumstances of the incident, this TG could also be linked to TG5.4.
  • TG5.3 – Nefarious activity/abuse: This group includes threats coming from nefarious activities. It requires active attacks targeting the platform of the victim, as well as public interfaces of the hosting platform and applications.
  • TG5.4 – Legal: This group covers threats resulting from violations of laws and/or regulations, such as the inappropriate use of Intellectual Property Rights, the misuse of personal data, or the necessity to comply with judiciary decisions dictated under the rule of law.
  • TG5.5 – Organizational threats: This group includes threats to the organizational sphere.

Threat Group TG5.1: Unintentional damage

Threat T5.1.1: Security Misconfiguration

Security misconfiguration is one of the most exploited threats. Cyber attackers often try to exploit unpatched software, default accounts, or unused pages to gain unauthorized access to systems. The problem can affect systems at any layer and can then become critical, giving the attacker the possibility of compromising the system and bypassing access control checks. This threat is related to threats in other domains: Threat T4.1.1 and Threat T4.1.2 in Data-Centric Security, Threat T3.1.1 in System-Centric Security, and Threat T1.1.1 in Device/IoT-Centric Security.

Assets: “Interfaces”, “Security Techniques”.

Related Attack


Threat Group TG5.2: Interception and unauthorized acquisition

Threat T5.2.1: Interception of information

The interception of information is another important threat that plagues the application domain. This threat is horizontal and targets all domains, involving weaknesses in network communications, system components and devices, data exchange, and users’ activities. In this domain, the interception of information is mainly due to weaknesses and flaws in the protocols for communication encryption (e.g., SSL). This threat is related to threats in other domains: Threat T4.1.1, Threat T4.2.1, and Threat T4.2.2 in Data-Centric Security, Threat T3.2.1 in System-Centric Security, and Threat T1.2.1 in Device/IoT-Centric Security.

Assets: “Data”, “Interfaces”, “Security Techniques”.

Related Attack

Threat T5.2.2: Sensitive data exposure

Sensitive data exposure is a major plague for applications and is often the result of misconfigurations or weak security protection. Many web applications and APIs do not properly protect sensitive data.[3] Rather than trying to decrypt an encrypted communication, cyber attackers intercept it, steal keys, or access the cleartext directly.[3] The most common weaknesses concern, not surprisingly, the storage/exchange of sensitive data in plain text, as well as how cryptography is employed (e.g., weak key generation and management, weak algorithms). This threat commonly results in sensitive data leakage and breaches, both for data in transit and at rest. This threat is related to threats in other domains: Threats T4.1.1, T4.2.1, T4.2.2, T4.4.4 in Data-Centric Security, as well as T5.1.1 and T5.1.2 in this section.

Assets: “Data”, “Security Techniques”, “Roles”.

Related Attack


Threat Group TG5.3: Nefarious activity/abuse

Threat T5.3.1: Broken authentication and access control

Broken authentication and access control allow an attacker to compromise an application and often the entire system hosting it. As a consequence, a bug in the application functions implementing authentication and session management, as well as access control, results in catastrophic consequences, allowing attackers to compromise passwords, keys, or session tokens, or to assume other users’ identities.[3] Restrictions on authorizations are also often not properly enforced. Access control weaknesses are similar and permit unauthorized operations affecting the confidentiality and integrity of data and applications. This threat is related to threats in other domains: Threats XYZ in Device/IoT-Centric Security, as well as Threats XYZ in System-Centric Security.

Assets: “Data”, “Security Techniques”, “Roles”.

Related Attack

Threat T5.3.2: Denial of service

Denial of service has been extensively discussed in device/IoT-, network-, system-, and data-centric security. Applications are one of the main targets of denial of service, for a variety of reasons: economic, political, ideological, and the like. This threat is related to threats in other domains:

Assets: “Data”, “Interfaces”, “Security Techniques”, “Roles”.

Related Attack

Threat T5.3.3: Code execution and injection (insecure APIs)

Code execution and injection are common threats to applications. Insecure APIs have supported criminals in their malicious activities since the advent of the Internet and have grown in importance with the advent of distributed services. This threat is related to threats in other domains: Threat T4.4.2 in Data-Centric Security, Threat T3.4.3 in System-Centric Security, and Threat T1.4.3 in Device/IoT-Centric Security.

Assets: “Data”, “Interfaces”, “Security Techniques”.

Related Attack

Threat T5.3.4: Insufficient logging and monitoring

This threat helps criminals go undetected. It reduces the performance of intrusion detection and attack identification, decreasing the effectiveness of response and remediation.[3]
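As an added illustration of Threats T5.3.1 and T5.3.4 together (this code is not part of the deliverable), the following monitor parses constructed application login log lines, whose format is an assumption, and flags the authentication-abuse pattern that goes unseen when such events are not logged: a burst of failed logins from one source followed by a success from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application log lines (not from the deliverable); the line format
# "<ISO timestamp> auth login user=<u> src=<ip> result=OK|FAIL" is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth login user=alice src=203.0.113.7 result=FAIL
2024-03-01T10:00:02Z auth login user=bob src=203.0.113.7 result=FAIL
2024-03-01T10:00:03Z auth login user=carol src=203.0.113.7 result=FAIL
2024-03-01T10:00:04Z auth login user=dave src=203.0.113.7 result=FAIL
2024-03-01T10:00:05Z auth login user=erin src=203.0.113.7 result=FAIL
2024-03-01T10:00:09Z auth login user=bob src=203.0.113.7 result=OK
2024-03-01T10:01:00Z auth login user=alice src=198.51.100.9 result=OK
"""

LINE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(text):
    """Turn log text into (timestamp, user, src, result) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"], m["result"]))
    return events

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Raise one alert when a source reaches `threshold` failed logins inside `window`,
    and one more for any success from that source while the failure burst is still live."""
    recent_fails = defaultdict(list)   # src -> failure timestamps still inside the window
    alerts = []
    for ts, user, src, result in sorted(events):
        recent_fails[src] = [t for t in recent_fails[src] if ts - t <= window]
        if result == "FAIL":
            recent_fails[src].append(ts)
            if len(recent_fails[src]) == threshold:
                alerts.append(("BRUTE_FORCE", src, ts.isoformat()))
        elif len(recent_fails[src]) >= threshold:
            alerts.append(("SUCCESS_AFTER_FAILURES", src, user))
    return alerts
```

Without the FAIL records, the single OK line from 203.0.113.7 is indistinguishable from a legitimate login, which is exactly the detection gap T5.3.4 describes.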

Assets: “Data”, “Interfaces”, “Security Techniques”.

Related Attack

Threat T5.3.5: Untrusted composition

This threat subsumes many other threats in this deliverable, focusing specifically on composite services. Composite services, in fact, orchestrate atomic services to provide advanced functionalities. This composition, however, introduces new risks that go beyond the risks of the atomic services[5][6]. First, composite services could result in a compromise due to the combined information they have access to. Second, composing strong atomic services does not necessarily yield a strong composite service; rather, the strength of a composite service is that of its weakest atomic service. Finally, multiple communications and storage locations need to be protected at the same time.
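The three composition risks above can be made concrete with a small model, added here and not taken from the deliverable: each atomic service carries an assumed 0-10 protection strength and the data categories it reads, and a composite is scored by the weakest-link rule, the union of data it reaches, and the orchestration channels that all need protecting. The service names, strengths and data categories are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical model, added here, of the T5.3.5 argument: each atomic service has a
# protection strength (assumed 0-10 scale) and the set of data categories it reads.
@dataclass(frozen=True)
class AtomicService:
    name: str
    strength: int
    data: frozenset

@dataclass
class CompositeService:
    name: str
    parts: list = field(default_factory=list)

    def strength(self):
        """Weakest-link rule: the composite is only as strong as its weakest atomic service."""
        return min(s.strength for s in self.parts)

    def weakest(self):
        return min(self.parts, key=lambda s: s.strength)

    def combined_data(self):
        """What a compromise of the composite exposes: the union of every part's data."""
        return frozenset().union(*(s.data for s in self.parts))

    def channels(self):
        """Each orchestration hop is a communication that must be protected at the same time."""
        return [(a.name, b.name) for a, b in zip(self.parts, self.parts[1:])]

def assess(comp, required_strength):
    """Findings a reviewer would raise for the composition (constructed rule set)."""
    findings = []
    if comp.strength() < required_strength:
        w = comp.weakest()
        findings.append(f"weakest part {w.name} has strength {w.strength} < {required_strength}")
    widest = max(len(s.data) for s in comp.parts)
    if len(comp.combined_data()) > widest:
        findings.append(f"composite reaches {sorted(comp.combined_data())}; no single part does")
    findings.extend(f"protect channel {a} -> {b}" for a, b in comp.channels())
    return findings

# Constructed example: two strong services orchestrated with one weak legacy service.
CHECKOUT = CompositeService("checkout", [
    AtomicService("auth", 9, frozenset({"credentials"})),
    AtomicService("billing", 9, frozenset({"payment"})),
    AtomicService("legacy_report", 4, frozenset({"addresses"})),
])
```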

Assets: “Interfaces”.

Related Attack


Threat Group TG5.4: Legal

Threat T5.4.1: Violation of laws or regulations

Taking into account also the discussion above on violations of applicable laws, it can be argued that the most relevant laws in this case are the GDPR and the Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS). National laws of Member States can certainly apply, but they are essentially left outside the scope of this deliverable.

Assets: All assets.

Related Attack


Threat Group TG5.5: Organizational threats

Threat T5.5.1: Malicious insider

Insider threats are among the most critical security threats to be faced and can be distinguished into unintentional and malicious insiders[7]. It is a widely shared view that insider attacks may inflict larger damages than outside attackers[7][8][9][2]. Their impact is also increasing because, on the one hand, no effective security solutions exist for this threat and, on the other hand, the value of data is increasing exponentially. Insiders are in fact authorized users with legitimate access to sensitive/confidential documents, possibly knowing existing vulnerabilities[7]. Malicious insiders therefore have multiple incentives, ranging from revenge to revenue, to carry out an attack when sensitive data are at their disposal.

Assets: “Roles”, “Data”, and assets “Platform Security”, “Application Security”.

Related Attack


[1] OWASP™ Foundation – the free and open software security community, https://www.owasp.org/index.php/Main_Page

[2] SANS Institute, https://www.sans.org/

[3] Cybersecurity – the Human Factor: Prioritizing People Solutions to improve the cyber resiliency of the Federal workforce. FISSEA. 2017. https://csrc.nist.gov/CSRC/media/Events/FISSEA-30th-Annual-Conference/documents/FISSEA2017_Witkowski_Benczik_Jarrin_Walker_Materials_Final.pdf

[4] ENISA, Cyber Security Culture in organizations. February 2018. https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations

[5] Sametinger and J. W. Rozenblit, “Security Challenges for Medical Devices,” Communications of the ACM, vol. 58, no. 4, pp. 75-82, 2015.

[6] T. Moore, “The Economics of Cyber Security: Principles and Policy Options,” International Journal of Critical Infrastructure Protection (IJCNIP), vol. 3, pp. 103-117, 2010.

[7] IPACSO Project, “Innovation Framework for ICT Security,” Available: https://ipacso.eu/.

[8] M. Brzoska, R. Bossong and E. van Um, “Security Economics in the European Context: Implications of the EUSECON Project,” Economics of Security Working Paper Series, vol. 58, 2011.

[9] App economy to grow to $6.3 trillion in 2021, user base to nearly double to 6.3 billion, https://techcrunch.com/2017/06/27/app-economy-to-grow-to-6-3-trillion-in-2021-user-base-to-nearly-double-to-6-3-billion/