In cybersecurity, new threats and vulnerabilities pop up almost every day. While vulnerabilities are still commonly discovered in old, well-known technologies, it seems common for new technologies to be riddled with problems. Modern technologies can introduce completely new attack surfaces due to the innovative ways in which they function. Rapidly evolving systems, such as AI, are great examples of how this can happen.
Understanding Threats To New Technologies
When trying to map out threats against new technologies, it is important to first dive in on what the normal usage of these technologies is. A strong understanding of what a new system does and how it works is essential for understanding how it can be hacked. In general, there are two main types of attacks against any system. One is an unintended vulnerability that arises through poor design or coding flaws, and the other is intended functionality that can be exploited and abused by an attacker.
Novel vulnerabilities through poor code or design are less common than functionality abuse. These vulnerabilities will typically fall into the category of older vulnerabilities, simply applied to a new technology. An example of this would be a new product that has poor input sanitization and is vulnerable to command injection as a result. There are some cases where entirely new vulnerabilities come into play. A great example of this is prompt injection against AI models. Special prompts can often get the AI to reveal sensitive information if there are no proper guard rails in place to prevent it from leaking data.
Intended functionality abuse can be pervasive since it can be difficult to predict how functionality could be leveraged by attackers. Many products, especially those used to interface with other products, can be used to further the goals of a malicious hacker. One example of this is Jenkins, a popular automation server. Hackers that can compromise a Jenkins server can use its intended functionality to run malicious code and perform malicious actions. By the nature of how Jenkins works, it will run at a very high privilege level, making this attack even more appealing.
Preventing Attacks Early
While it is impossible to say with absolute certainty that a product can be released without vulnerabilities, many steps can be taken early in the development process to reduce problems. Development cycles with proper DevSecOps can reduce coding flaws at the earliest stages. Remediating vulnerabilities early and often can prevent fixes down the road when they may be far more complex.
Regular SAST and DAST testing during the development cycle greatly reduces vulnerabilities in the finalized product. This will cover many of the vulnerabilities that would be grouped into the poor code or design categories. As part of this testing, it can be worth doing more in-depth manual code reviews as well. This will often spot more problems than only relying on automated tools. A lot of code problems can be through logic flaws that an automated scanner may not be able to reliably identify.
Once a finished product is available, comprehensive black and white box testing can spot vulnerabilities that come up from either complex logic flaws or intended functionality abuse. Hackers can be very creative with using the intended functionality for a certain technology. Security researchers need to match that level of creativity when mapping out the potential threats against a product.
There are a few different ways that this can be done. The initial phases of the security process involve scoping and threat modeling the technology. This can answer the question of what could happen. The next question to consider is how the threats could happen. This can be identified through thorough security testing. Test cases, and then compensating controls, can be developed for each identified threat.
As products evolve, so will the threats associated with them. Because of this, it is important to stay on top of security and regularly test any new products, especially when major changes are made. Bad hackers are constantly researching new technologies to find any vulnerabilities that have not yet been discovered. Fortunately, ethical hackers do the same. Ethical hackers and security researchers aim to understand these technologies and their flaws at a faster rate than the bad guys so that vulnerabilities can be fixed before attackers have a chance to abuse them
Blue Goat Cyber’s Security Testing
Blue Goat performs security testing on novel products and technologies to give you assurance that your product will be secured and safe. Our comprehensive methodology and years of experience allow us to fully map out what vulnerabilities could come up with a new product and work with your team to secure unique attack surfaces. Contact us to schedule a discovery session and begin securing your product.
