What are client applications?
A good cybersecurity strategy comprises various levels, with a key task being the implementation of security analyses to identify potential attack surfaces – especially those hidden in client (rich client, thick client or fat client) applications waiting to be discovered. Client applications are software that runs on a device connected to a network and works with or without a network connection, such as your web browser or word processor.
The complexity of client applications is often underestimated, although they offer cybercriminals various points of attack: bypassing authentication and authorization measures, accessing and/or modifying data and, in a worst-case scenario, taking over entire systems. Employees within enterprises use client applications on a daily basis to do their job. Some of these applications might have been written in-house, while others are developed and maintained by third parties. In most cases, they are not subject to any kind of public scrutiny, which means that potential vulnerabilities remain under the radar and it takes a security analysis or a security incident to discover them, whichever comes first!
When to conduct a security analysis of the client applications?
At an early stage of development and/or when the source code is available, it is best to conduct a security code review. Code reviews allow an in-depth analysis and understanding of the client application, which a black-box test scenario cannot always guarantee. Sometimes the code is proprietary, meaning it can only be used on a manufacturer’s own computer model, or the development of the application dates back many years. Perhaps the source code is no longer available. Or the costs of a code review are simply beyond the budget. That is when a security analysis of the client application is the preferred option.
Recognizing risk: Where do cybercriminals attack?
Attackers usually target the weakest link in the chain – in-house developed client applications. The reason behind that is simple: these applications are usually developed by small teams or, in the worst case, by a single developer. Small budgets unfortunately mean that security is not given enough priority. Next, attackers look for applications developed exclusively for the target enterprise. As a last resort, attackers turn to the last class of client applications: programs for corporate and home users, such as Microsoft Office applications, Adobe Acrobat, web browsers, etc. Since these usually go through extensive testing and are available to anyone, vulnerabilities are very hard to uncover. But if a vulnerability is found, it usually entails a very high risk.
Companies of all sizes may be affected by vulnerabilities in client applications. Experts from TÜV Rheinland recently discovered a security vulnerability in an IBM product that allows a local attacker to escalate their privileges to the maximum level, giving them full control over the attacked system. The vulnerability affecting IBM’s end customers has been assigned the CVE ID CVE-2021-20532.
How does the security analysis of client applications work?
For a sound security analysis, TÜV Rheinland first collects information on the application as a “normal user”. Next, the testers of TÜV Rheinland attempt to identify as many vulnerabilities as possible that have a negative impact on the overall security of the application, the underlying operating system and other applications. Manual and semi-automated tests are used to systematically detect security vulnerabilities that could be exploited in attacks.
What is typically tested?
Authentication and access controls.
Secure communication protocols.
Credential management and information disclosure.
Why TÜV Rheinland?
Cybersecurity is a serious and complex issue. Testing client applications requires a solid understanding of how an application works. Different programming languages, frameworks and operating systems also present attackers with different attack surfaces. Detecting the logic errors and design failures behind a difficult-to-identify vulnerability requires the keen eye of an experienced tester. Our security analysts are experienced programmers with a great passion for finding exotic vulnerabilities. This is exactly what puts TÜV Rheinland ahead of the competition.