
Snapchat’s Unhappy New Year

Once More Into the Breach…

Less than a month after the Target credit card breach, another significant data theft is in the news. This week’s victim is Snapchat, the popular photo-sharing social network. Gibson Security announced the weakness, with some solid technical analysis of the API’s problems. The New York Times has some good mainstream coverage, as do other news outlets.

The irony of this situation is that Snapchat’s brand promise was all about security and privacy. Ephemeral photos could capture a moment without permanently tarnishing one’s reputation. Regardless of how well they delivered on that core feature, poor custodianship of other customer data will leave many users wondering how well the app will deliver on privacy where it matters. One indiscretion may well permanently tarnish Snapchat’s reputation.

Why Does This Keep Happening?

One key quote from the New York Times article illustrates a problem common in API implementation:

In an email, one researcher said the data was not being encrypted or “hashed” to make it difficult for hackers to piece together. “They hadn’t even implemented rate limiting,” the researcher said.

Why is this common? I think there are two reasons. First, things like rate limiting aren’t perceived as adding value. They’re not something that gives your company an edge, so they’re not the first thing you implement, even though they do add value (security) to your application or service. Second, high traffic volume is a good problem to have, and with a solid DevOps team there may be valid reasons to avoid throttling the overall service – for example, you want to scale elastically to allow for the unfettered growth and popularity of your fledgling service, allowing you and your team to realize a billion dollar payout. That payout may be at risk, however, if you don’t secure your service, and ultimately that’s why you need rate limiting — to protect against dictionary attacks, DDoS, or other malicious use of your service.

The same goes for encrypting or hashing. Implementing these things takes time and adds complexity to the logic tier. It can also make an app harder to debug, as developers can no longer talk directly to the DB tier of the application to make sense of what’s happening — additional tools are needed. And finally, depending on when the hashing or encryption is introduced, it could also break other pieces of the application — for example, if the developers had decided that it was worth their time to do formatting checks on phone numbers to ensure that valid data was being persisted.

How to Prevent This?

This sort of thing is going to keep happening as long as the cost of carrying the risk is perceived as being less than the cost to fix it. Fortunately there are steps that can be taken to help mitigate the risk without adding significant development cost. One such solution is to utilize a service gateway to handle API security. Rather than reinventing the wheel with DDoS protection, Content Attack Prevention policies, and other security features, a development organization can implement standard, proven tools to deliver the same functionality. As new threats need to be addressed, they can be added and managed centrally, avoiding the need to commit changes to multiple back-end services.

As for the encryption piece I mentioned earlier, Format-Preserving Encryption is a relatively new tool that protects data while allowing it to pass format consistency checks. This allows data at rest to be encrypted, which limits the impact should an attacker make it through the first lines of defense, while avoiding the need to recode the logic tier to accommodate new data formats.
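As an added illustration (not code from the original post, and not a standards-compliant FF1/FF3 implementation), here is a simplified Feistel network over decimal strings that shows the property the paragraph relies on: a 10-digit phone number encrypts to another 10-digit string, so the existing format check and column type are untouched. The key and the format regex are constructed for the demo; a real deployment should use a vetted FF1 library rather than this teaching construction.

```python
import hashlib
import hmac
import re

FPE_KEY = b"constructed-demo-key"        # constructed placeholder; a real key lives in a KMS/HSM
PHONE_RE = re.compile(r"^\d{10}$")       # the legacy format check the logic tier already enforces
ROUNDS = 10                              # even, so both halves end up back in their original slots

def _round_fn(key: bytes, rnd: int, half: str, out_len: int) -> int:
    """Feistel round function: HMAC over (round index, other half), reduced to out_len decimal digits."""
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** out_len)

def fpe_encrypt(key: bytes, digits: str) -> str:
    """Map a decimal string to another decimal string of the same length.
    Feistel network over base-10 halves: the same shape as NIST FF1, but a
    simplified teaching construction, not a standards-compliant implementation."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = len(a)                                   # width of the half being replaced this round
        c = (int(a) + _round_fn(key, rnd, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)                    # zfill keeps leading zeros, so the width is preserved
    return a + b

def fpe_decrypt(key: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        prev_a = (int(b) - _round_fn(key, rnd, a, m)) % (10 ** m)
        a, b = str(prev_a).zfill(m), a
    return a + b

def protect_phone(phone: str) -> str:
    """Normalise, validate, encrypt; the ciphertext still satisfies PHONE_RE,
    so the existing format check and column definition need no change."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if not PHONE_RE.match(digits):
        raise ValueError("not a 10-digit phone number")
    ct = fpe_encrypt(FPE_KEY, digits)
    assert PHONE_RE.match(ct)                        # format preserved by construction
    return ct
```

Because the scheme is deterministic, equal plaintexts give equal ciphertexts; that is what keeps equality lookups working, but it also means the encrypted column leaks which rows share a number.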

Further Information

Securosis recently released a nice whitepaper that summarizes how API gateways can add security while enabling innovation. I also did a webinar with the authors in October where we discussed this topic. Stay tuned to this blog as well – we’ll continue to cover these events and best practices in API security as the year unfolds.

The post Snapchat’s Unhappy New Year appeared first on Application Security.