Automated Security Analysis with Citrix AppDNA
In an increasingly security-focused world, it is becoming critical to ensure that all deployed applications are secure and compliant.
While there are a multitude of comprehensive application security analysis tools and services available today, the cost and time investment involved in making use of these can mean that some applications get deployed with minimal insight into additional security risks they may be introducing.
With the latest release of AppDNA, Citrix have added a new set of security algorithms that are intended to provide an easily accessible report covering a range of potential application security risks. As with any automated analysis tool, the new security module should be looked at as one part of an overall application security process, the module will not provide a comprehensive security assessment but it will provide a set of specific technical indicators that could help to inform you about some of the risks that an application might be introducing into your environment.
The key benefit of this module is that it can easily be integrated into your existing workflow in order to provide a simple, consumable, security report for every application you deploy.
We introduce the set of new algorithms in the table below:
New automated security analysis algorithms
Let’s have a look at these in more detail.
The Red algorithms are:
- Debugging Functions: The standard Windows debugging APIs provide a mechanism that can allow a process interact with, or control, other processes. While there are clearly cases where this functionality can be useful for diagnostic purposes, this functionality could also be used to interfere with the normal operation of other application or operating system processes and could potentially be used to extract sensitive data from other processes.
- DLL Injection: DLL injection is a common mechanism that is used to inject code into another process. As with the debugging functionality, there are legitimate uses for this but it could also indicate a potential security risk as it enables one process to effectively take control of another one. In some cases the injected DLL may also increase the overall attack surface of a process. For example, if a permissive firewall rule is defined for a trusted process then any DLLs that are injected into that process will also be able to take advantage of the permissive firewall rule.
- Old Runtimes: Older runtimes may contain unpatched security vulnerabilities. The level of risk from these issues can depend on specific set of runtime functionality being used the application so the real level of risk will tend to be application specific.
- NetDDE: NetDDE is a deprecated network IPC mechanism, applications using this functionality may have legacy network reachable interfaces, which could introduce additional attack surface to the application.
The Amber algorithms are:
- Banned Functions: Microsoft has identified a specific set of functions that can introduce potential security issues if not used very carefully. This includes legacy string handling functions such as strcpy() that can easily introduce buffer overflow vulnerabilities. Whilst the use of these functions doesn’t strictly imply the presence of a vulnerability it may indicate an increased level of susceptibility to some types of vulnerability.
- Old Compiler Versions: Modern compilers support a comprehensive set of exploit mitigation techniques that can help to ensure applications have some protection against several classes of vulnerabilities. Applications compiled using older compilers may not be as well protected against these known exploit methods.
The Green algorithms are:
- Nested installers or unsigned components: These issues may indicate that the application is adding unknown or untrusted components as part of the installation, although this may not be introducing any additional security risk it can make it difficult to get a full picture of the applications overall attack surface.
- Relaxing Security: Changes to security relevant Operating System configuration can impact the security of the overall system and may introduce additional threats to the environment.
The initial version of the security module is our first pass at adding a set of security reporting capabilities to Citrix AppDNA, there are numerous additional security relevant tests that could be included in future versions of this module so if there are any specific additional tests that would be valuable, or areas of risk you would like to be covered, then please let us know.