Cyber attacks have become commonplace. What only a few years ago seemed like fiction from an action movie no longer surprises anyone. Every day we hear about another attack, data leak or even a complete paralysis of an enterprise. The targets are both giants such as Maersk or British Airways and small companies and government entities such as the Lututów Municipality Office, the Warsaw University of Technology or the Polish Financial Supervision Authority.
With the advent of Economy 4.0, companies are increasingly digitized, and the IT systems they use play an ever more important role in running the company efficiently. Even a temporary unavailability of these systems can therefore paralyse the organization, as happened in the attack on one of the steel mills in Germany. Hackers disabled one of the plant's furnaces, which caused multi-million losses through physical damage to the plant's infrastructure. In extreme cases attacks can also lead to serious harm to health or even death. The recent attack on a hospital in Düsseldorf is proof of this: as a result of the cyber attack, the hospital's systems were blocked, a patient in serious condition could not be registered, and the patient died on the way to another hospital.
It is also important to consider that many IT systems are in constant development to keep up with changing market requirements. A perfect example is the move of many services to the Internet following the pandemic. This digitalization usually happens rapidly, so it is easy to release systems with security flaws, so-called vulnerabilities, which hackers take advantage of.
How do we secure systems that have already been written, as well as those that are under continuous development and at the same time must remain available for use?
A system that is not under development
If you have ever bought an apartment, whether new or used, and you are not familiar with construction yourself, you have probably had help from a professional. This person's job was to verify whether your dream flat was built properly. Such an expert checks, among other things, whether the walls are straight and whether there are any thermal bridges or mechanical damage in the apartment.
In the case of IT systems, the owner very often knows little about software development, and even less about security. Therefore, by analogy with buying an apartment, the owner should also use the help of an expert to verify the security of an IT system: a so-called pentester. A pentester performs, as the name suggests, penetration testing of applications, also called a security audit, based on standards such as OSSTMM, ISO 2700x or, the most popular, OWASP (Open Web Application Security Project). The latter defines lists of the most common security vulnerabilities in IT systems (OWASP Top 10) and mobile applications (OWASP Top 10 Mobile).
What does such a security test look like?
Like a real hacker's attack, it is an attempt to breach the tested system. However, this is where the similarities end. First of all, the attack is performed in consultation with the system owner, so it can be planned so as not to disrupt the normal operation of the organization. In addition, during a real attack the hacker only needs to find one vulnerability that lets him break through the security, and he has unlimited time to do it. A pentester's job is to find as many vulnerabilities as possible, ideally all of them, within a limited amount of time. That is why pentesters often take advantage of access to the software's source code. Such tests are called whitebox tests and, in contrast to tests without access to the source code (so-called blackbox tests), are much more accurate.
As a result of the audit, a report is prepared, detailing all detected vulnerabilities. It also contains information for developers on how to fix them.
After "patching" all the vulnerabilities, it is also recommended to conduct a verification audit, which will check whether all the recommendations described in the report have been implemented correctly.
Is the system already secure after a security audit?
It is important to remember that the task of a security audit is to reduce the risk of a cyber attack; complete protection is very often impossible. One reason is that modern IT systems are never created from scratch. They use ready-made engines and libraries based on open source code (OpenSource). Such libraries are used in the server part, the so-called backend (e.g. Spring or Laravel), in the web part, the so-called frontend (AngularJS, React or Vue.js), and in mobile applications (e.g. Flutter, React Native). They make programmers' work easier and, as a result, speed up software development and reduce its cost. An IT project can use many OpenSource libraries, from several dozen to even several hundred, so verifying them manually is impossible. As a rule, responsibility for the security of a given library falls on its vendor, which usually delivers new versions containing security patches. Those patches are very often a response to information published in public vulnerability databases stating that a new security flaw has been found in the library. One of the most popular such databases is CVE (Common Vulnerabilities and Exposures), from which we can learn whether the libraries we are using are safe or not. This information is important for us, but we should remember that, because it is public, hackers know about it too. Therefore, libraries with vulnerabilities must be updated to newer versions, and if no such version exists, replaced with alternative ones. Of course, manually verifying all the libraries used in a system would be a tedious task.
Therefore, special vulnerability scanners are used for this purpose. They automatically check not only whether the libraries used by the system have known vulnerabilities in databases such as CVE, but also whether the IT system itself meets the basic OWASP security rules.
What about systems that are under continuous development?
Updating libraries, however, is not as serious a challenge as verifying changes in a constantly evolving system. We often need to modify and extend a system on an ongoing basis to address constantly changing market needs. In the era of ubiquitous digital transformation this is becoming more and more common, and I would even say "typical" for modern IT products.
So how do we ensure the security of such a system? The obvious answer is to conduct a security audit. But when should such a penetration test be conducted? Again, the answer is: every time a new version of the system is released, because every change brings the risk of introducing new security vulnerabilities. However, running security tests continuously may significantly increase the cost of development and slow down the Time-To-Market of new product versions. Is there another solution?
Continuous monitoring to the rescue
The solution is to introduce a mechanism of continuous pentester monitoring. How does it work? To explain it, we need to understand how the software development process works. Programmers write the program's source code on their computers and laptops. Then they upload it to a so-called code repository, most often Git. After the code is uploaded to the repository, special build servers called CI/CD servers (Continuous Integration/Continuous Delivery) compile the source code, i.e. convert the programming language understood by the programmer into the binary form understood by the computer. Once this phase is complete, automated tests are run on the binary to verify that the new functionality has not destabilized the existing functionality. When all the tests pass, the file is uploaded to the appropriate server, where the program will be executed.
If the software development process includes automated tests that verify the stability of the code, can it also include automated tests that verify its security? This is what continuous pentester monitoring is. It consists of plugging a vulnerability scanner into the CI/CD process, so that each time a new software version is released, the security of the product and of the OpenSource libraries it uses is verified. Just as with automated tests, continuous monitoring may require the scanner configuration to be updated in response to new functionality and modifications of the monitored system. Updating such a configuration, however, does not require as much effort as a comprehensive security audit. It should be remembered, though, that continuous monitoring, although a process in which the pentester updates the scanner configuration, is still based solely on automatic scans. Especially for critical systems, therefore, periodic comprehensive security audits every 6, 12 or 24 months, depending on the criticality of those systems, are recommended as part of continuous pentester monitoring.
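The library check against a vulnerability database described earlier, and the CI/CD gate this section plugs it into, as an added example that is not part of the original article: a small Python script reads a requirements-style lockfile, matches every pinned version against an advisory feed, and returns a non-zero status so the pipeline stops the release. The advisory entries, package names and lockfile contents are constructed for the example, and the advisory ids are hypothetical placeholders, not real CVE numbers.

```python
import sys
# Constructed advisory feed (hypothetical ids, NOT real CVE numbers): affected package, first
# vulnerable version (inclusive), first fixed version (exclusive; None = no patch published yet).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "otherlib", "introduced": "2.0.0", "fixed": None},
]
# Constructed lockfile in requirements.txt style, as the CI job would read it from the repository.
LOCKFILE = """\
examplelib==1.3.0
otherlib==2.1.0
safelib==0.9.1
"""

def parse_version(text):
    return tuple(int(part) for part in text.split("."))  # dotted numeric versions only

def parse_lockfile(content):
    deps = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps

def is_affected(version, advisory):
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])

def find_vulnerable(deps, advisories):
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"].lower())
        if installed and is_affected(installed, adv):
            findings.append((adv["package"], installed, adv["id"], adv["fixed"]))
    return findings

def ci_gate(content, advisories):
    """Pipeline stage exit status: 0 lets the release proceed, 1 blocks it."""
    findings = find_vulnerable(parse_lockfile(content), advisories)
    for pkg, ver, adv_id, fixed in findings:
        action = f"upgrade to >= {fixed}" if fixed else "no fix published, replace the library"
        print(f"{adv_id}: {pkg} {ver} is vulnerable ({action})")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(ci_gate(LOCKFILE, ADVISORIES))
```

In a real pipeline the advisory feed would be fetched from a database such as CVE rather than embedded, and the script would run as a stage after the automated tests, before the binary is uploaded to the target server.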