Welcome!

Blog Feed Post

Snapchat’s Unhappy New Year

Once More Into the Breach…

Less than a month after the Target credit card breach another significant data theft is in the news.  This week’s victim is Snapchat, the popular photo sharing social network.   Gibson Security announced the weakness, with some solid technical analysis of the API’s problems.  The New York Times has some good mainstream coverage, as do other news outlets.

The irony of this situation is that Snapchat’s brand promise was all about security and privacy.  Ephemeral photos could capture a moment without permanently tarnishing one’s reputation.  Regardless of how well they delivered on that core feature, poor custodianship of other customer data will leave many users wondering how well the app will deliver on privacy where it matters.  One indiscretion may well permanently tarnish Snapchat’s reputation.

Why Does This Keep Happening?

One key quote from the New York Times article illustrates a problem common in API implementation:

In an email, one researcher said the data was not being encrypted or “hashed” to make it difficult for hackers to piece together. “They hadn’t even implemented rate limiting,” the research said.

Why is this common?  I think there are two reasons.  First, things like rate limiting aren’t perceived as adding value.  They’re not something that gives your company an edge.  So they’re not the first thing you’re going to implement, even if they do add value (security) to your application or service.  Second, high traffic volume is a good problem to have.  And with a solid DevOps team, there may be valid reasons to avoid throttling the overall service – for example you want to scale elastically to allow for the unfettered growth and popularity of your fledgling service, allowing you and your team to realize a billion dollar payout.  That payout may be at risk, however, if you don’t secure your service, and ultimately that’s why you need rate limiting — to protect against dictionary attacks, DDoS, or other malicious use of your service.

The same goes for encrypting or hashing.  Implementing these things takes time, and adds complexity to the logic tier.  It can also make an app harder to debug, as developers can no longer talk directly to the DB tier of the application to make sense of what’s happening — additional tools are needed.  And finally, depending on when the hashing or encryption is implemented, it could also break other pieces of the application — for example if the developers had decided that it was worth their time to do formatting checks on phone numbers to ensure that valid data was being persisted.

How to Prevent This?

This sort of thing is going to keep happening if the risk/cost of addressing it is perceived as being less than the cost to fix it.  Fortunately there are steps that can be taken to help mitigate the risk without adding significant development cost.  One such solution is to utilize a service gateway to handle API security.  Rather than reinventing the wheel with DDoS protection, Content Attack Prevention policies, and other security features, a development organization can implement standard, proven tools to deliver the same functionality.  As new threats need to be addressed, they can be added and managed centrally, avoiding the need to commit changes to multiple back-end services.

As for the encryption piece I mentioned earlier, Format-Preserving Encryption is a relatively new tool that protects data while allowing it to pass format consistency checks.  This allows data at rest to be encrypted which limits the impact should an attacker make it through the first lines of defense, but it avoids the need to recode the logic tier to accommodate new data formats.

Further Information

Securosis recently released a nice whitepaper that summarizes how API gateways can add security while enabling innovation.  I also did a webinar with the authors in October where we discussed this topic.  Stay tuned to this blog as well – we’ll continue to cover these events and best practices in API security as the year unfolds.

The post Snapchat’s Unhappy New Year appeared first on Application Security.

Read the original blog entry...

More Stories By Application Security

This blog references our expert posts on application and web services security.

Latest Stories
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone inn...
As many know, the first generation of Cloud Management Platform (CMP) solutions were designed for managing virtual infrastructure (IaaS) and traditional applications. But that's no longer enough to satisfy evolving and complex business requirements. In his session at 21st Cloud Expo, Scott Davis, Embotics CTO, explored how next-generation CMPs ensure organizations can manage cloud-native and microservice-based application architectures, while also facilitating agile DevOps methodology. He expla...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
DevOps promotes continuous improvement through a culture of collaboration. But in real terms, how do you: Integrate activities across diverse teams and services? Make objective decisions with system-wide visibility? Use feedback loops to enable learning and improvement? With technology insights and real-world examples, in his general session at @DevOpsSummit, at 21st Cloud Expo, Andi Mann, Chief Technology Advocate at Splunk, explored how leading organizations use data-driven DevOps to close th...
Digital Transformation (DX) is not a "one-size-fits all" strategy. Each organization needs to develop its own unique, long-term DX plan. It must do so by realizing that we now live in a data-driven age, and that technologies such as Cloud Computing, Big Data, the IoT, Cognitive Computing, and Blockchain are only tools. In her general session at 21st Cloud Expo, Rebecca Wanta explained how the strategy must focus on DX and include a commitment from top management to create great IT jobs, monitor ...
"WineSOFT is a software company making proxy server software, which is widely used in the telecommunication industry or the content delivery networks or e-commerce," explained Jonathan Ahn, COO of WineSOFT, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He also discussed the evaluation of communication standards and IoT messaging protocols, data...
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It’s clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Tha...
Product connectivity goes hand and hand these days with increased use of personal data. New IoT devices are becoming more personalized than ever before. In his session at 22nd Cloud Expo | DXWorld Expo, Nicolas Fierro, CEO of MIMIR Blockchain Solutions, will discuss how in order to protect your data and privacy, IoT applications need to embrace Blockchain technology for a new level of product security never before seen - or needed.
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, discussed how they built...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.