Coders Conquer Security: Share & Learn Series - Insufficient Transport Layer Protection
Even if you have completely secured an application server and the backend systems it uses, communications might still be vulnerable to snooping if you have insufficient transport layer protection. In the physical world, the reason that hard currency is moved around using armored cars is to provide protection while it's in transit. It really doesn't matter how secure a store or a bank is if the money it generates is being loaded into a golf cart for a drive across town.
The same can be said of transport layers in the cyber realm. Even if an application is secure, there is still a critical vulnerability if the information coming into it is sent with no protection. And there is a second vulnerability with some apps if they additionally send information to other servers or a database. That information might be exposed to insiders who have no business snooping those transactions.
To fully protect users and data requires protecting the transport layer. Only by doing that can you fully secure an entire transaction from end to end.
In this episode, we will learn:
- How hackers can exploit insufficient transport layer protection
- Why not protecting the transport layer is so dangerous
- What can be done to secure the transport of all data moving into and through an application or server.
How do Attackers Exploit Insufficient Transport Layer Protection?
Insufficient transport layer protection can enable attacks at two points within your data stream. The most commonly exploited spot sits between a user and the application server. If information is sent in the clear, or with weak encryption, then hackers will be able to monitor, steal and possibly change that information. This might allow hackers to steal a user's credit card, their login credentials or anything else sent into the application server. Even if the server itself is secure, a hacker monitoring the unsecured channel between it and users could get nearly unrestricted access to a lot of information.
The second point which is often left unprotected is the transport layer between an application and the rest of the network. For example, an application server might process online shopping orders and then send them on to a fulfillment system, or data might simply be offloaded to a database for storage. If those internal channels are unprotected, inside users might be able to see that information.
While it's nice to believe that all internal users are good people, the fact is that insider threats are on the rise in a lot of industries. Insiders have been caught taking bribes in return for collecting sensitive information for attackers or competitors. And having access to something like thousands of valid credit cards might simply be too tempting for some people to ignore.
In terms of attack techniques, it's not very difficult to intercept unprotected communications. Even low level hackers know how to perform man-in-the-middle attacks against unencrypted data streams. If they don't, there are videos online that can train them in less than half an hour.
Why are Insufficient Transport Layer Protection Vulnerabilities so Dangerous?
Having insufficient or nonexistent protection on transport layers is dangerous because it makes it extremely easy for hackers to gather sensitive information. They don't have to break into your app server or hack your network. They simply set up a man-in-the-middle attack and read everything being sent into a server from users. This can include usernames and passwords, which can be used to bypass security in the future using valid credentials. Depending on the application, this might also include credit card information or other personal data about users.
It's important to note that all of this snooping takes place outside of your network. Passive interception leaves no trace on your servers, so if you are using insecure transport channels you have no way of knowing whether someone is capturing that information. Normally the first sign is when many users begin reporting compromised accounts or fraudulent credit card purchases, and the common factor is your application, which is not a good spot to be in. An attacker who can intercept traffic can also modify it in flight, changing a delivery address, for example, or inserting malicious scripts into the server response before passing it along to users.
On the backend, failure to secure the transport layer exposes data to insiders. It's probably a lot less likely that an insider is snooping the transport layer compared to hackers from the outside doing the same thing. But it's also more dangerous if it happens, because the insider will be able to see not only the user data, but also any proprietary information added by the app server before sending those packets along.
Eliminating Insufficient Transport Layer Protection Vulnerabilities
As dangerous as insufficient transport layer protection can be, it's not incredibly difficult to properly secure all of your transport channels. It starts with the infrastructure. The site should be served exclusively over HTTPS; do not mix HTTPS and HTTP on a site, because any page or resource still loaded over HTTP gives an attacker on the path a foothold to strip or tamper with the secured parts. Maintain a valid TLS certificate (what is still commonly called an "SSL certificate") with an RSA key of at least 2048 bits, and send the HTTP Strict Transport Security (HSTS) header so that browsers refuse to talk to your site over plain HTTP on later visits, not just when the user happens to type https://.
Once the infrastructure is in place, developers should use a strong protocol to protect the transport layer. TLS 1.3 should be used, with TLS 1.2 as the minimum. TLS 1.0 and 1.1 have been formally deprecated (RFC 8996) and should be disabled, as should SSLv2 and SSLv3, which are broken and must never be supported.
Care should also be taken to ensure that the cipher suites are sufficiently strong. The minimum session (symmetric) key size should be 128 bits, for example AES-128-GCM, and authenticated (AEAD) suites with ephemeral ECDHE key exchange should be preferred so that a later compromise of the server's private key does not expose recorded sessions. As with protocols, weak algorithms such as DES, 3DES and RC4 (all key lengths, not only the export-grade RC4-40) should be disabled. And finally, don't consider an application truly secure until both the server itself and all the data paths leading into and out of it are sufficiently protected.
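The three steps above, as one added example that is not from the original article or from Secure Code Warrior: a Go server configured to refuse anything below TLS 1.2 and to offer only forward-secret AEAD suites, a check that the certificate key meets the 2048-bit RSA (or 256-bit EC) floor, and two clients, one pinned to TLS 1.0/1.1 that the server must turn away and one modern client that should negotiate TLS 1.2 or better. Everything assumed here is a demo convenience: the certificate is self-signed and generated in memory, the server listens on a loopback port, and the ECDSA-only suite list would need the TLS_ECDHE_RSA_* equivalents for an RSA certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway P-256 certificate for 127.0.0.1 so the demo runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail on bytes just produced
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// KeyStrengthOK enforces the article's floor: RSA >= 2048 bits, or the usual EC equivalent of a 256-bit curve.
func KeyStrengthOK(cert *x509.Certificate) bool {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return pub.N.BitLen() >= 2048
	case *ecdsa.PublicKey:
		return pub.Curve.Params().BitSize >= 256
	}
	return false
}

// HardenedServerConfig refuses SSLv2/v3 and TLS 1.0/1.1 and limits TLS 1.2 to ECDHE AEAD suites (Go fixes the TLS 1.3 suites itself).
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// handshake dials with a client pinned to [minV, maxV]; it returns the negotiated version or the server's refusal.
func handshake(addr string, roots *x509.CertPool, minV, maxV uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, MinVersion: minV, MaxVersion: maxV})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// RunDemo serves the hardened config on a loopback port; legacyErr == nil would mean a TLS 1.0/1.1 downgrade was accepted.
func RunDemo() (keyOK bool, legacyErr error, negotiated uint16, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return false, nil, 0, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", HardenedServerConfig(cert))
	if err != nil {
		return false, nil, 0, err
	}
	defer ln.Close()
	go func() { // finish (or reject) each handshake, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)
	_, legacyErr = handshake(ln.Addr().String(), roots, tls.VersionTLS10, tls.VersionTLS11)
	negotiated, err = handshake(ln.Addr().String(), roots, tls.VersionTLS12, 0)
	return KeyStrengthOK(cert.Leaf), legacyErr, negotiated, err
}

func main() {
	keyOK, legacyErr, negotiated, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("key ok: %v, downgrade refused: %v, negotiated: 0x%04x\n", keyOK, legacyErr != nil, negotiated)
}
```

The legacy client fails with a protocol-version error rather than silently falling back, which is the behaviour you want from a server: a downgrade attempt by a man-in-the-middle gets the same refusal. The same MinVersion and cipher-suite settings apply to the backend hops (app server to database or fulfillment system), where the client side should additionally set RootCAs to the internal CA and verify the peer instead of disabling verification.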
More Information about Insufficient Transport Layer Protection Vulnerabilities
For further reading, you can take a look at the OWASP guide to protecting transport layers. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues' gallery of other threats, visit the Secure Code Warrior blog.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.