Legislative pressure continues to mount against TikTok as government leaders contend with application security risks tied to the Chinese-owned social media app. So far, the White House, U.S. armed forces, Congress and more than half of U.S. states have banned TikTok on government devices. As these efforts play out, the case should serve as a broad reminder that all apps must be carefully scanned for security vulnerabilities if they are allowed to run on government devices.
Government IT leaders are finding their own systems particularly vulnerable to application security risk due to an overreliance on legacy applications that may not offer a layered defense. Let’s examine some lessons and takeaways from the TikTok controversy that agencies can apply for better vulnerability scanning and AppSec across the government IT landscape.
Clarifying the threat
TikTok is a global phenomenon that remains hugely popular in America, with over 100 million users in the U.S. Until the recent rollout of government bans and restrictions, many of these users were running TikTok freely on government-connected devices. As with many apps, data is collected by the application developer, which means the Chinese-owned parent company, ByteDance, could be collecting browsing history, location, email address, phone number or age data for millions of U.S. users. This has prompted concerns that this information is also being shared with the Chinese government, which could leverage the app to push highly targeted misinformation and advertisements to users.
In addition, Microsoft announced last year that it had discovered a one-click account hijacking vulnerability that allows attackers to publicize private videos, send messages and upload content on behalf of TikTok users. This cross-site scripting (XSS) attack is just one of several vulnerabilities that have plagued TikTok and opened the door to sensitive data disclosure, session hijacking, redirection to malicious sites, malware installation and social engineering attacks.
While the current regulatory and legislative efforts are directed specifically at TikTok, the vulnerabilities uncovered have much wider implications beyond the particular app. There are broader AppSec takeaways for ensuring stronger vulnerability scanning and security across an agency’s entire application environment of legacy services, mobile devices and other endpoints.
4 key takeaways
Like most other systems, government systems and devices are vulnerable to AppSec risks like those found in TikTok. Invicti’s recent research showed 86% of federal cybersecurity leaders experienced breach activity tied to a web application during a recent 12-month period. Better scanning is the answer to finding and closing more vulnerabilities. Here are four key takeaways from the TikTok controversy to guide government IT leaders in building a stronger AppSec scanning approach.
Protect both legacy systems and mobile applications – TikTok-style vulnerabilities can affect both legacy infrastructure and mobile apps in government. Patching of legacy systems often lags because patches for legacy software may simply not be available. Mobile apps, meanwhile, often launch quickly and may contain security gaps, and the BYOD era multiplies the range of potentially vulnerable devices. Application security scanning must be scalable and comprehensive across all these apps.
Prioritize APIs as a major focus of attack and defense – APIs use the same language and technologies as web applications, but they are discrete endpoints that basic security scans often miss. This leaves APIs open to easy exploitation by malicious actors. The AppSec scanning solution must understand the unique logic and behaviors of APIs in order to effectively scan for vulnerabilities and protect government systems.
Ensure least-privilege access for devices – Least-privilege access, or zero trust, isn’t just for people; it also applies to apps and APIs. Most applications request more permissions than they actually need. Make sure to limit such permissions, and configure scans to catch unauthorized access to cameras, microphones, Wi-Fi, Bluetooth, contacts and other functions.
Monitor and limit remote connections – Applications often make hidden connections to services such as packet sniffers, analytics engines, and performance tuners that may be extraneous or unnecessary. The scanning solution must be configured to look at all connections, both obvious and hidden, to guard against risk from excessive connections to potentially insecure networks.
These are just some of the chief AppSec scanning takeaways for government IT. Others include scanning at the granular level to ensure no credentials, API keys or other sensitive information are accidentally embedded in the application code itself. And automations may be needed to address challenges of scale involving larger application deployments, especially those that utilize data-intensive edge or IoT capabilities.
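One way to implement the granular credential scan just described, as an added example that is not code from this article or from Invicti: a small Python scanner that applies publicly documented credential-format rules (AWS access key IDs begin with "AKIA", GitHub personal tokens with "ghp_") plus a generic assignment rule gated by a Shannon-entropy threshold so placeholder values are not reported. The sample source, the rule set and the entropy threshold are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Rules for known credential formats. The prefixes are the publicly documented
# ones; the length suffixes are assumptions sufficient for this illustration.
SPECIFIC = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: a secret-looking variable assigned a quoted literal of 8+ chars.
GENERIC = re.compile(
    r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s):
    """Bits of entropy per character; low values indicate placeholders like 'changeme'."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, min_entropy=3.0):
    """Return a list of findings (line number, rule name, matched value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [(name, m.group(0)) for name, pat in SPECIFIC.items() for m in pat.finditer(line)]
        if not hits:  # fall back to the generic rule only when no known format matched
            for m in GENERIC.finditer(line):
                value = m.group(2)
                if shannon_entropy(value) >= min_entropy:  # assumed threshold
                    hits.append(("generic_secret", value))
        findings.extend({"line": lineno, "rule": n, "value": v} for n, v in hits)
    return findings


# Constructed sample source; the AWS key ID is the example value from AWS's own docs.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
api_key = "changeme"
DB_PASSWORD = "x7Gh#2kLp9!qRwZv4mNb"
token = os.environ["API_TOKEN"]  # read from the environment, not embedded
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} -> {f['value']}")
```

Running it reports the AWS key ID, the GitHub token and the high-entropy password, while skipping the "changeme" placeholder and the value read from the environment.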
All of these recommended steps are founded on an advanced approach to security scanning. The strongest solutions will blend dynamic application security testing, interactive application security testing, static application security testing, and software composition analysis into a single scan. Scanning should also include coverage in both development and production environments, provide comprehensive coverage for web applications and APIs, and ideally be SaaS-based to support automatic updates over time as AppSec threats and mitigation strategies continue to evolve.
While TikTok’s Chinese ownership adds political urgency to cybersecurity concerns about the app, there are wider implications that potentially affect all applications running in government systems. This puts the onus on government IT leaders to capture AppSec lessons learned from TikTok, and apply them more broadly to safeguard an agency’s entire application ecosystem.
Frank Catucci is the CTO and Head of Security Research at Invicti Security.