How do you detect vulnerabilities in applications?

Security audits are essential to detect vulnerabilities in web and mobile applications before they are exploited. Just this February, the National Institute of Standards and Technology (NIST), a US federal agency, began investigating a critical vulnerability in the Binance Trust Wallet mobile app, which stores cryptocurrencies. If exploited, a malicious actor could gain access to the cryptocurrencies of the app’s users.

This recent case demonstrates that vulnerabilities in web or mobile applications pose one of the biggest threats faced by companies that develop applications and businesses and citizens who use them daily. What are application vulnerabilities? Weaknesses can compromise an application’s security in terms of confidentiality, integrity or availability of the information it manages.

Are all application vulnerabilities equally dangerous? No. That is why FIRST, a global forum comprising multiple security and incident response teams, has developed the CVSS. This indicator makes it possible to assess the severity of the discovered vulnerabilities. For example, also in February 2024, Zoom, a video calling application used all over the world, patched up to seven vulnerabilities in its software, although only one of them was critical, as it would allow a malicious actor to obtain elevated privileges.

In the following, we will analyse the most common application vulnerabilities, how they can be prevented, how they are detected and what needs to be done to manage them successfully.

Application vulnerabilities to watch out for

The OWASP Foundation, a global benchmark in the creation of guides and the dissemination of knowledge on cybersecurity, periodically analyses vulnerabilities in applications and draws up two rankings in which vulnerabilities in web and mobile applications are classified, respectively, taking into account their level of exploitability, as well as the technical and business impact if the vulnerability is successfully exploited.

Web vulnerabilities

OWASP’s Top 10 web application vulnerabilities, published in 2021, places at the top of the security risk podium:

1. Application access control flaws. To avoid them, assigning minimum privileges when defining authorisation controls is essential.
2. Cryptographic flaws. To prevent this vulnerability, communications must be carried out through an encrypted channel using robust and up-to-date cryptographic algorithms.
3. Weaknesses in software against injection attacks. Securely binding input parameters can mitigate this type of vulnerability.

Mobile apps vulnerabilities

At the start of 2024, the new version of OWASP’s Top 10 Mobile Application Vulnerabilities was released, which states that the three most critical security risks today are:

1. Misuse of credentials. OWASP recommends avoiding the use of hard-coded credentials in code, as well as securely using user credentials.
2. Poor supply chain security. This vulnerability can be circumvented by using a secure development model from design and using pre-validated libraries and components.
3. Insecure authentication and authorisation. It is, therefore, important not to use insecure design patterns and to reinforce authentication and authorisation controls.

Four tips to prevent application vulnerabilities

What about other application vulnerabilities? There are some general guidelines or tips that can be followed to avoid vulnerabilities that compromise the security of applications and the companies and users that use them:

1. Implementing secure application code development practices. In this sense, OWASP has produced a guide with good practices for secure coding that includes a checklist to facilitate the work of developers.
2. Taking into account the security of the application itself, but also that of each of the components that support it:
   • Infrastructure where it runs: server, operating system, databases, etc.
   • Third-party libraries and components are used to prevent supply chain attacks.
3. Performing security analysis by expert personnel.
4. Assuming that applications are constantly changing as a consequence of the updates that are implemented in them. This means that updates can introduce new vulnerabilities. To avoid this, security reviews must be part of the software lifecycle.

Essential cybersecurity services to detect application vulnerabilities

Security audits are essential to prevent the appearance of vulnerabilities in applications but also to detect them before malicious actors successfully exploit them:

1. Web security audit. This audit can detect vulnerabilities in web applications that could put the information managed by the applications and their infrastructure at risk.
2. Mobile application security audit. The execution of security tests makes it possible to identify weaknesses in mobile applications before malicious actors exploit them and cause security incidents in which mobile devices and the data they store are compromised.
3. IoT security audit. Professionals assess the security of IoT devices to detect vulnerabilities in their operating system components, flaws in the device’s data flow or weaknesses in its architecture.
4. Hardware hacking security audit. This analysis is carried out on devices with physical access (mobiles, laptops, tablets, IoT, etc.) to identify security flaws in their entry points: exposed physical ports, communications with other devices via Bluetooth or WiFi, etc.

Is automation of vulnerability detection possible?

Detecting multiple types of vulnerabilities in web and mobile applications can be automated if the proper set of tools is available and adapted to every application.

However, many vulnerabilities cannot be identified automatically. In these cases, a more thorough manual analysis that considers the application’s business logic and information flows is necessary.

Therefore, vulnerability management teams employ automated scanning solutions to continuously, agilely, and efficiently detect vulnerabilities. At the same time, they carry out more complex and specific analyses thanks to the knowledge and experience accumulated by cybersecurity professionals.

Tools are also used to:

• Perform attack simulations to detect vulnerabilities exploitable by malicious actors and evaluate multiple compromise paths.
• Perform automated code analysis.

Combining both approaches is the key to identifying the most significant number of vulnerabilities.

Application vulnerability management and mitigation

The vulnerability management service is critical to assess, prioritise and mitigate vulnerabilities in web and mobile applications once detected. Thus, the professionals in charge of vulnerability management proceed to:

• Inventory the set of vulnerabilities present in an application.
• Carry out a prioritisation to solve them based on parameters such as:
  • CVSS.
  • EPSS is an indicator that quantifies the probability of a vulnerability being exploited in the next 30 days.
  • The importance of the business of the asset is affected by the vulnerability.
• Carrying out vulnerability reports that include essential information to undertake the remediation of vulnerabilities, such as code samples, guidelines, or infrastructure configuration guidelines.

In short, to detect application vulnerabilities, it is essential to carry out security audits on an ongoing basis and throughout the entire lifecycle of the applications, also evaluating the third-party components they use.

A critical vulnerability in a web application or mobile app can cause millions of dollars in losses and legal and reputational consequences for the company that developed it. It can also affect citizens and companies that use the application, such as the theft of confidential information or the paralysis of business activity.

Detecting vulnerabilities in applications in time is critical to avoid security incidents.