In the rush to develop Internet of Things (IoT) devices and software, security is often an afterthought. Princeton’s Center for Information Technology Policy notes that “more than 500,000 insecure, publicly accessible embedded networked devices” are connected to the Internet today, and that number is only expected to rise.
Why is this important for organizations to understand in the context of securing their web applications? Because as digital security expert Bruce Schneier maintains, as systems become more interconnected through the IoT, vulnerabilities in one system lead to attacks on others. IoT botnets which take aim at web and application servers are becoming an increasingly important threat vector.
‘Vulnerabilities on One System Cascade into Other Systems’
“Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing,” Schneier says in a recent blog post. “The Internet of Things will make exploitable vulnerabilities much more common. It's simple mathematics.”
“If 100 systems are all interacting with each other, that's about 5,000 interactions and 5,000 potential vulnerabilities resulting from those interactions. If 300 systems are all interacting with each other, that's 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting, but some of them will be very damaging,” according to Schneier.
So with IoT software applications being trusted to securely manage functions relating to home security, medical devices, transportation, and much more, organizations must develop strategies to defend against the IoT botnet risk.
Critical to these strategies is the understanding that the most effective security protections result from security controls built into applications themselves, rather than the perimeter protections organizations relied on in the past (such as Web Application Firewalls). The fundamental integrity of your organization’s web apps and websites is at stake.
As TechCrunch noted in a recent report on IoT botnets, attackers are expected to ramp up the pressure by developing increasingly sophisticated methods for targeting vulnerable IoT devices, using them to stage even larger-scale attacks. More advanced protections will be needed to guard against this threat, including solutions that allow for highly accurate analysis of incoming traffic to web apps.
Mitigate Web App Threats as they Happen With RASP
Runtime Application Self-Protection (RASP) solutions provide a better way to do exactly that, blocking attacks on web apps as they happen. RASP runs on a server, continuously analyzing the behavior of apps once they begin to run, and automatically mitigating threats. RASP solutions intercept calls from the app along with validating data requests inside the app to head off malicious behaviors.
To learn more about RASP and to better understand the advantages it offers over traditional web app security solutions like WAFs, read our white paper, “Real-Time Application Security.”