The favorite hacker target of the moment is the Web application, largely because it is the most efficient way to reach large numbers of end users who are all invoking a common set of technologies such as Adobe Flash.
But it's only a matter of time before Web application security defenses get better, and hackers find more efficient ways to target the IT processes that are closely tied to revenue-generating activities. Speaking this week at the Black Hat Conference in Barcelona, Raf Los, Web application security evangelist for Hewlett-Packard Software, says what that really means is that in the next few years the security community should assume that the next major target for hackers is going to be the business logic that underpins most of our applications.
While that will certainly be a more difficult task than attacking vulnerable technologies such as Flash, business logic is also where the money is. As the famous bank robber Willie Sutton once said when asked why he robbed banks: "Because that's where the money is." Los suspects that sophisticated hackers are already targeting flaws in the way business logic is constructed to perpetrate fraud. They just do it in small enough instances so as not to show up on everyone's radar screens, or they target financial institutions that don't want to readily advertise that their applications have been compromised.
But Los says it's only a matter of time before hackers find ways to start automating attacks on business logic in much the same way that botnets today attack Web applications. After all, a lot of the underlying business logic in many applications replicates the same processes over and over again. So once you identify a pattern, it's more than likely that the same business logic flaw exists in hundreds of applications.
Los says it will be a few years before hackers really start to understand the vulnerabilities in business logic. That should give IT organizations a few years to examine how their business logic might be exploited by cyber criminals looking for the next big attack. Of course, developers and security experts can debate all day long what constitutes a design flaw versus a security vulnerability. But at the end of the day, whatever you want to call the issue, it still needs to be addressed.