Skip to main content
Sep 18, 2018

The App Is The Endpoint

Traditional Endpoint Security is dead, that is to say that hardening the laptop, desktop, or device is not a panacea. In reality today, everything is connected to the web in some form — whether it is your computer, phone or tablet — or your server, HVAC, POS system, front door, etc. Securing “endpoints” in the traditional sense is impossible. Many of the new connected devices on the market are not designed with operating systems or firmware capable of being patched on an ongoing basis, nor do organizations have the manpower to be constantly maintaining and updating... Every. Single. Endpoint. Plus, there are too many connection points and dependencies between device - application - API - network - server - 3rd party - etc - that could be compromised and turned into vulnerabilities.

From 2017-2018 there were over 53,000 reported cybersecurity incidents and 2,200 confirmed data breaches — 21% in which a web application was the vector of attack. What are they targeting? Payment card data, PII and intellectual property are all up for grabs — and attackers are motivated by any means necessary to steal what is most important to your organization.

The device is the problem. The app is the solution.

Today apps provide the broadest attack surface area because they are literally everywhere. The saying “there’s an app for that” has manifested in every component of modern day living — from the app that controls the systems in your car — to the app that is embedded in your pacemaker to deliver real-time medical data to your doctor — to the POS app in the coffee shop where you swipe your debit card. The world runs on apps, not on what have been traditionally considered endpoints. Think of it this way, you have may have one mobile phone, but how many apps are installed on that device? Each one is a potential attack vector for both your personal and business data.

It is time to re-think how to secure endpoints. If the device your application is running on is not properly secured, you are at risk. Even if your device is properly secured, your application might still be at risk to be tampered with or reverse engineered. So where do you start?

Trust nothing.

In today’s zero-trust world, you should start with the assumption that the device is already compromised, and then think about how to protect your critical data and your intellectual property.

Treat the app as the endpoint.

Applications contain a significant amount of information that could provide signposts for attackers to compromise your critical infrastructure, bypass security controls, or hand-deliver important data that lives inside the application on the device. It is critical to protect your application from being compromised or freely giving attackers your cryptographic keys, API endpoint references, payload formats, credentials, account information and more.

Close the loop.

Empower the application to assess its surroundings and identify risky behavior via app-centric telemetry. Once an app is released into the wild, it is impossible to know how it is being attacked or what information attackers are targeting without app threat analytics. Real-time app analytics can give you the confidence to protect your organization’s data and infrastructure by providing visibility into:

  1. the environment where your app lives
  2. the security posture of the app
  3. how and where the app is being attacked
  4. what to do to update protections so the app (and its underlying data and structure) is not compromised 

Beyond that, app threat analytics helps you to understand which devices, applications or users may be compromised so that you can better protect your other critical resources.

Don’t put your head in the sand.

Bad actors are constantly looking for new vulnerabilities to exploit within an organization’s infrastructure. It is a foregone conclusion that they WILL find a way in — they WILL find your weakest link. The question is: how quickly will you detect and remediate the threat?

As the demand for instant gratification for customers drives app developers to put more and more dynamic content and business critical data into the client side of apps to improve responsiveness and performance — the app as an attack vector will become a treasure trove for bad actors.

In the latest Market Guide for Application Shielding, Gartner advises: “security and risk management leaders must harden their application front ends to avoid turning them into an attack vector.” The risk for lost customer data, IP theft, brand damage or lost revenue is too great to ignore.

Learn how Arxan can help.

 

Chad McDonald

Chad McDonald is the VP of Customer Experience at Arxan. Chad brings more than 20 years experience building and managing information security programs, including more than eight years as the first chief information security officer (CISO) at Georgia College & State University. Chad is responsible for the success of Arxan customers, overseeing account management, support, professional services, information security and compliance. Prior to Arxan, Chad was executive director of the Office of the CISO at Optiv where he defined the security strategy for a $70 billion dollar merger between two technology giants. As director of professional services at Imperva Chad helped grow the services revenue by 400% during his tenure. Chad holds a bachelor’s degree in information technology from Southern Polytechnic State University, as well as multiple certifications including CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor) and PMP (Project Management Professional).

More from the Blog
Jul 25, 2018

Your App Security Risk Models Are Wrong

And That’s Why Feedback Is So Important Information security, especially application security, expresses its tenets and risk ...
Read more
Apr 02, 2018

Protecting Apps Is Not Enough: Why You Need Threat Analytics

Every app downloaded via an app store is running in a
Read more
Apr 02, 2018

How to Detect App Threats to Protect Your Business