The Internet is like the wild west. Black hats are the bandits, white hats are the bounty hunters. Databases are the new banks, and data is the gold of this era. However, banks always had substantial and sturdy security around them, from vaults to guards and fences.
Internet apps are sometimes lacking in this area, as shown by the increasingly frequent data breaches we’ve observed over the last few years.
Let’s consider a simple application, SnapCat, which allows users to share their cat pics. SnapCat has one server, one database and a mobile application with a login form. SnapCat’s makers are obviously concerned about security and want to be sure that their users’ cat pics are safe.
How can SnapCat measure their app’s security levels?
One way to estimate a software environment’s security level is to measure its attack surface. This is usually done by a security expert, but the basic concepts are both easy and important to understand.
The first step in measuring the attack surface is to list all the attack vectors. An attack vector is a path an attacker could take to steal data from the environment.
SnapCat listed a few attack vectors:
Getting direct access to the database, by guessing admin credentials, or by using an SQL injection
Tricking the server into giving access to data by exploiting an API bug
Attacking the application directly by infecting the libraries it uses like what happened here
Having SnapCat’s offices infiltrated by an undercover agent working for their #1 competitor, DogPix
While obviously simplified, these attack vectors are plausible examples of what one could list for a cloud-based app. A real-life attack vector analysis could list hundreds of them.
The next step is, for each attack vector, to evaluate the impact of a successful attack.
Getting access to the database (by direct access or SQL injection) has the most potential impact, as the attacker would get access to all the world’s cat pics in one go.
Exploiting an API bug has less impact, as it would require more time to extract the same amount of data. Infecting the app’s libraries would have a similar impact.
Lastly, an office infiltration from DogPix would have little impact as the data is not stored in the offices. Foolish dogs!
Measuring the attack surface
Next, we want to evaluate the difficulty (or rather the relative easiness) of each attack. This is done by taking into account the existing checks and counter-measures for each attack vector.
To do so, SnapCat’s security expert analyzed every attack vector. Here are the results:
Their database uses default credentials. This makes getting access to it very easy.
SQL injections and API bugs are more difficult to exploit, and the current development practices at SnapCat ensure a pretty good defense against these attacks.
Infecting dependencies to target a specific application is very hard.
Finally, infiltrating SnapCat’s offices would be very difficult for an undercover dog.
With this work done, we can graph SnapCat’s attack surface:
Reducing attack surface
SnapCat now has a clear view of the risks their application incurs and their respective impacts. It is time for action. The goal is to reduce the attack surface as much as possible.
There are two ways to reduce the attack surface for each attack vector: either make the attack more difficult or reduce its impact.
Most of the time, making attacks more difficult is the result of following good security practices. Reducing the impact of attacks can be done by reducing the amount of data stored, storing parts of the data in separate locations or encrypting it.
The first step for SnapCat is to change the database credentials and implement a better password policy to make guessing important credentials more difficult.
As we can see, this already reduces the “database access” attack surface quite a bit, but to drastically reduce the impact of every possible attack, SnapCat chooses to encrypt all cat pictures on their users’ devices, before they even reach the server. To do that, they start using Tanker.
This ensures the strongest data protection possible, making any database or server attack pretty much useless. Every single cat picture is independently encrypted with its own key, and only the sender and the recipient can decrypt it.
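The property described above (one key per picture, readable only by the sender and the recipient) can be illustrated with envelope encryption. This is an added example, not code from the original article and not Tanker's SDK or protocol; the function names, the record layout and the choice of X25519, HKDF and AES-256-GCM are assumptions, and it uses only Node.js's built-in crypto module.

```javascript
// Added illustration: NOT Tanker's SDK or wire format. All names are hypothetical.
const { randomBytes, createCipheriv, createDecipheriv,
        generateKeyPairSync, diffieHellman, hkdfSync } = require('node:crypto');

// AES-256-GCM helpers. Output layout: nonce (12) || auth tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Key-wrapping key derived from an X25519 exchange (ephemeral key <-> user key).
function wrapKeyFor(privateKey, publicKey) {
  const shared = diffieHellman({ privateKey, publicKey });
  return Buffer.from(hkdfSync('sha256', shared, Buffer.alloc(0), 'snapcat-key-wrap', 32));
}

// Runs on the sender's device: a fresh key per picture, wrapped once per reader.
// readers maps a user id to that user's X25519 public key.
function encryptPicture(picture, readers) {
  const pictureKey = randomBytes(32);
  const eph = generateKeyPairSync('x25519');
  const wrappedKeys = {};
  for (const [id, pub] of Object.entries(readers)) {
    wrappedKeys[id] = seal(wrapKeyFor(eph.privateKey, pub), pictureKey);
  }
  // This record is all the server and database ever see: no plaintext, no raw key.
  return { ephemeralPublicKey: eph.publicKey, wrappedKeys,
           ciphertext: seal(pictureKey, picture) };
}

// Runs on a reader's device, with that reader's private key.
function decryptPicture(record, userId, privateKey) {
  const wrapped = record.wrappedKeys[userId];
  if (!wrapped) throw new Error('no key for this user');
  const pictureKey = open(wrapKeyFor(privateKey, record.ephemeralPublicKey), wrapped);
  return open(pictureKey, record.ciphertext);
}
```

An attacker who copies the whole record from the database still needs a reader's private key, which never leaves that reader's device.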
As a result, SnapCat’s updated attack surface now looks like this:
SnapCat’s team can now focus all of their energy on improving their awesome product. And maybe have a nap or two. 📦
Learn how you can integrate Tanker into your application at https://www.tanker.io.
PS: This article was originally written by Aloïs Jobard and published on Tanker’s Medium. As you might not be on Medium yourself, we've reproduced it here to give you a chance to see it in your notifications feed.
Top comments (1)
I love the way you put things so the attack surface and the impact are clear and easy to read. Very instructive.