Desktop App Security Should Be Treated The Same As Cloud Apps
As more traditional desktop applications are gaining Internet-interface or even the same software available in the cloud, how to treat it should no longer be different with cloud apps. Below are some of the most common weaknesses of apps, regardless of platform:
- Automated brute force attacks using known password lists
- Weak or well-known password permissions
- Storing passwords with plain text or weaker hashes than strong hashes
- No multi-factor authentication (MFA)
- Invalid session invalidation when logging out or after idle time
By implementing MFA (Multi-Factor Authentication) for an application, attackers will not be able to complete MFA steps in a timely and automated manner, helping to combat credential stuffing attacks and brute force attacks. For passwords, use a general password list to verify weak or well-known passwords, and use a strong hash algorithm to hash the user’s password. Never use weak hashes like MD5. Or never store your password in plain text. It is also a good practice to display a deliberately vague login failure message when a user enters an incorrect username or password. Otherwise, the attacker may be able to use it to trigger an attack and identify a valid account.
Some of the ways to prevent sensitive data from being stolen from an application include:
- Ensuring that web traffic is encrypted, sent over HTTPS with a valid SSL certificate, and updated when insecure connections are possible.
- Let’s Encrypt (letsencrypt.org) issues free SSL certificates to ensure web traffic is easy and secure
- Encrypt and sign browser cookies that contain sensitive information
- Delete sensitive data that is no longer needed
- Hash passwords using a strong hash algorithm
- Encrypt confidential data
Prevent SQL Injection vulnerability
Even with automatic database encryption technology, if a SQL injection attack is successful, the data must be read and encrypted because it must be encrypted at the database level. An encryption/decryption step that is performed as part of the core application logic helps prevent this.
If an application has the ability to distinguish users based on access privileges or permissions, it opens a broken access control vulnerability that can increase the permissions that an attacker should not have. Some examples include:
- Failed to prevent access to the “Members Only” page when the user is not logged in or does not have the appropriate rights to view the page
- Do not validate user-modifiable URL parameters (such as swapping a user ID from another user)
- Trust that the value of the cookie has not been changed when the value is used to determine the user’s role. By verifying both cookie encryption and signature, you gain confidence that the value has not changed.
It is important to verify and take care of user permissions. Don’t trust the input that the user can change when the user is doing what he can.
When it comes to mistakes with security configuration, the concerns include the following:
- Obsolete security patches on the host system
- Application framework security is not turned on or configured incorrectly
- The default account, password, and security key remain valid or unchanged
- Unused or default port, service remains enabled on the host system
- Detailed error page or directory listing remains on
It is important to ensure that the security patches on the host system running the application are updated with the latest and that the appropriate security features of the application framework are turned on. Another important thing in this area is to ensure that the private key of the third-party platform is committed and not uploaded to the source control provider, especially if the application is open source. These can be scanned by an attacker with an automated tool. We recommend storing these keys separately from the source code.
Persistent use of flawed software
Today’s software tends to use a lot of third-party components, so getting enthusiastic about the version of the components you use and keeping them up-to-date from the attacks that arise from vulnerability dependencies Is the most important thing to protect. Unfortunately, the number of dependencies given to application usage makes it difficult to identify and triage vulnerable components, whether directly or indirectly. This means that developers can’t finish their work and are completely unaware of their existence.
Monitoring and logging capability
The ability to detect violations, attack patterns, and user activity is a key property of system protection. Without sufficient logging and application monitoring, it can be difficult to determine how the system was breached, where it originated, where it was, and where there were holes in the application security strategy. If you don’t know where the hole is, you can’t fill it!