An in-depth analysis of 7 application security risks with real breach examples and how to prevent them with modern authentication and security measures.
Muhammad Aqeel
Created: February 18, 2026
Updated: February 19, 2026

Major corporations, including Uber, MGM Resorts, CircleCI and Ticketmaster, suffered security breaches between September 2022 and May 2024 after attackers gained unauthorized access to their user account systems. The attacks caused damage running into hundreds of millions of dollars and exposed personal data of over 600 million users, yet modern authentication systems that were already available at the time could have prevented them.
These incidents show no evidence of sophisticated zero-days or attackers exploiting unknown vulnerabilities. Instead, they reveal how organizations failed to prevent breaches they knew were possible: most were aware of MFA fatigue attacks yet did not protect against them, and they recognized the weaknesses of password-based systems yet kept using them.
Weak or legacy authentication is a common entry point for attackers. The majority of breaches begin with attackers obtaining stolen or reused passwords, even though organizations have access to established passkey authentication, which is resistant to phishing. The 2023 MGM Resorts breach started when attackers used vishing against the IT help desk to have credentials reset, after which they deployed ransomware and caused seven days of system disruption.
MGM and the other organizations relied on passwords combined with SMS-based two-factor authentication, which failed to protect against social engineering and credential theft. They did not move to stronger authentication even though they understood the threats, because their existing systems and work processes stood in the way of change.
Passkeys, which use public-key cryptography and biometric identification, would have significantly reduced the risk of these attacks succeeding. Passkeys are more secure than passwords because they cannot be reset remotely or by a help desk sharing reset codes, which removes the social engineering path. Passkeys do remain exposed to specific attack methods, namely account recovery processes that are not properly secured and devices infected with malware.
Attackers focus on obtaining session cookies, because a valid cookie grants system access and bypasses all authentication procedures. The 2022 CircleCI breach underscores this: infostealer malware on an employee's laptop stole active session cookies, and with them the attackers bypassed two-factor authentication and gained access to production systems.
Session cookies are bearer tokens: whoever presents one is treated as the authenticated user, so a stolen cookie circumvents access controls and exposes sensitive data. To prevent this, organizations can implement Device Bound Session Credentials (DBSC), which use cryptography to bind a session to the specific device it was created on, so cookies copied to another computer cannot be used. DBSC offers effective protection against infostealer malware that exfiltrates cookies to other devices, but it cannot stop attacks when the malware runs on the originally registered device itself.
When attackers breach access control in an application, they can move laterally regardless of the permissions they were actually granted. The risk from authorization vulnerabilities remains high because, in multiple breaches, attackers have used insufficient access controls to move between system components.
To identify IDOR (Insecure Direct Object Reference) vulnerabilities, developers should use concept-based threat modeling to map the application's basic access management structure and code review processes to validate service account permissions.
Opting for complex role assignments and permission management instead of a least-privilege model leaves organizations vulnerable to authorization issues. Complex role assignments can lead to unauthorized access to sensitive information and functions in customer-facing applications, and organizations without a secure authorization framework cannot protect their data from unauthorized access and operations.
With the rise in B2C security issues, a single compromised account can cause significant damage across many user accounts. Through privileged access management, organizations can give employees and customers only the minimum access required to do their job. In addition, regular concept-based threat modeling and code review help spot risks and vulnerabilities early.
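The following example (added here, not code from the article) shows what an IDOR looks like in a request handler and how the least-privilege form differs: the insecure handler returns any invoice whose id appears in the URL, while the hardened handler decides on the object itself (owner, or a role explicitly granted `invoice:read:any`) and answers 404 for both missing and foreign objects so that ids cannot be enumerated. The invoice data, roles, permission names and request shape are constructed for the example.

```javascript
// Added example (not from the article): an insecure direct object reference beside
// its hardened form. Data, roles, permission names and handler shapes are constructed.
const invoices = [
  { id: 101, ownerId: 'alice', total: 120.0 },
  { id: 102, ownerId: 'bob',   total: 980.5 },
];

// Vulnerable: trusts the id from the request and never asks who owns the object.
function getInvoiceInsecure(req) {
  const inv = invoices.find((i) => i.id === Number(req.params.id));
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Least-privilege roles: customers may read only their own invoices; support staff
// are explicitly granted reading any invoice. Nothing else is implied by a role.
const ROLE_PERMISSIONS = {
  customer: new Set(['invoice:read:own']),
  support:  new Set(['invoice:read:own', 'invoice:read:any']),
};

function can(user, permission) {
  const perms = ROLE_PERMISSIONS[user.role];
  return Boolean(perms && perms.has(permission));
}

// Hardened: authentication first, then object-level authorization. A denied object
// is reported exactly like a missing one, so the response does not leak existence.
function getInvoiceSecure(req) {
  const user = req.user;
  if (!user) return { status: 401 };
  const inv = invoices.find((i) => i.id === Number(req.params.id));
  if (!inv) return { status: 404 };
  const isOwner = inv.ownerId === user.id;
  if ((isOwner && can(user, 'invoice:read:own')) || can(user, 'invoice:read:any')) {
    return { status: 200, body: inv };
  }
  return { status: 404 }; // same as "not found": no enumeration signal
}
```

The check lives next to the data access rather than in a route-level middleware, which is the pattern code review should look for: every handler that loads an object by a client-supplied id must also prove the caller is allowed to see that particular object.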
The rapid integration of GenAI and LLMs into applications has outpaced the ability of traditional controls to detect these changes, creating an unseen security risk. The 2024 Snowflake breach demonstrates how threat actors used credentials stolen by infostealer malware to enter Snowflake customer environments that had not enforced multi-factor authentication. The attack compromised more than 165 organizations, including Ticketmaster, with 560 million customer records, as well as AT&T and Santander Bank.
Organizations often fail to treat AI as a core part of the IT environment, leaving AI resources such as models, vectorized data stores and AI pipelines exposed to misconfiguration and attack. Most organizations find it difficult to monitor AI systems effectively because of "shadow AI," where unauthorized individuals can carry out credential-based attacks without internal detection.
If organizations applied the same baseline controls to their AI systems as to the rest of their IT infrastructure, namely input validation, isolation and ongoing monitoring, such incidents could be avoided. AI security tools can automate the identification and remediation of misconfigurations and provide a complete inventory of all AI resources.
Cloud misconfigurations, including exposed storage buckets, overly permissive security groups and exposed containers, lead directly to security incidents. The 2022 ePallet breach showed how a misconfigured Amazon S3 bucket can expose sensitive customer data of other businesses using the tool. Attackers used two main vectors to reach sensitive information: unprotected storage buckets and security groups with ineffective access controls.
Basic compliance scanning shows that these attacks originate from two main sources: publicly accessible storage holding user-specific data and exposed virtual management ports. Organizations may treat these misconfigurations as short-term compliance fixes, but most of them become breach points.
Identifying and remediating misconfigurations should be an ongoing activity, through continuous cloud security posture management or runtime security checks, which significantly reduces the risk of attackers exploiting them. Organizations can use automated scanning and monitoring tools to find misconfigurations, and the monitoring platform can then remediate them.
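As an illustration of the kind of check a posture-management tool performs, the following Node.js example (added here; it is neither the article's nor AWS's code) audits two constructed resources for exactly the two misconfiguration classes named above: a bucket policy that grants read access to a public principal, and a security group ingress rule that opens a management port to the whole internet. The JSON shapes follow AWS bucket-policy and `describe-security-groups` documents, but the bucket name, group id, ARNs and rules are made up for the example.

```javascript
// Added example (not the article's or AWS's code): a minimal posture check over
// two constructed AWS-style resources. The document shapes follow AWS bucket policies
// and EC2 security-group descriptions; all names, ARNs and rules are constructed.

const MANAGEMENT_PORTS = new Set([22, 3389, 5985, 5986]); // SSH, RDP, WinRM
const ANYWHERE = new Set(['0.0.0.0/0', '::/0']);

function asArray(x) { return Array.isArray(x) ? x : [x]; }

// A statement is public when its Principal is "*" or {"AWS": "*"}.
function isPublicPrincipal(principal) {
  if (principal === '*') return true;
  if (principal && typeof principal === 'object') {
    return asArray(principal.AWS || []).includes('*');
  }
  return false;
}

// Findings for Allow statements that grant S3 read/list (or everything) to everyone.
function auditBucketPolicy(bucketName, policy) {
  const findings = [];
  for (const st of asArray(policy.Statement)) {
    if (st.Effect !== 'Allow' || !isPublicPrincipal(st.Principal)) continue;
    const risky = asArray(st.Action).filter((a) => a === 's3:*' || a === '*' || /^s3:(Get|List)/.test(a));
    if (risky.length) {
      findings.push({ resource: bucketName, severity: 'high',
        issue: `public principal allowed ${risky.join(', ')}` });
    }
  }
  return findings;
}

// Findings for ingress rules that expose management ports (or all traffic) to the internet.
function auditSecurityGroup(sg) {
  const findings = [];
  for (const rule of sg.IpPermissions || []) {
    const from = rule.FromPort ?? 0;
    const to = rule.ToPort ?? 65535;
    const sources = [...(rule.IpRanges || []).map((r) => r.CidrIp),
                     ...(rule.Ipv6Ranges || []).map((r) => r.CidrIpv6)];
    if (!sources.some((s) => ANYWHERE.has(s))) continue;
    const exposed = [...MANAGEMENT_PORTS].filter((p) => p >= from && p <= to);
    if (exposed.length || rule.IpProtocol === '-1') {
      findings.push({ resource: sg.GroupId, severity: 'high',
        issue: `ports ${rule.IpProtocol === '-1' ? 'all' : exposed.join(',')} open to the internet` });
    }
  }
  return findings;
}

// Constructed samples: one public-read bucket statement, one SSH-to-the-world rule,
// plus a public HTTPS rule and an internal RDP rule that should not be flagged.
const samplePolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: '*', Action: ['s3:GetObject'], Resource: 'arn:aws:s3:::customer-exports/*' },
  { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::123456789012:role/app' }, Action: 's3:PutObject',
    Resource: 'arn:aws:s3:::customer-exports/*' },
]};
const sampleGroup = { GroupId: 'sg-example', IpPermissions: [
  { IpProtocol: 'tcp', FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '0.0.0.0/0' }] },
  { IpProtocol: 'tcp', FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: '0.0.0.0/0' }] },
  { IpProtocol: 'tcp', FromPort: 3389, ToPort: 3389, IpRanges: [{ CidrIp: '10.0.0.0/8' }] },
]};

function runAudit() {
  return [...auditBucketPolicy('customer-exports', samplePolicy), ...auditSecurityGroup(sampleGroup)];
}
```

A real scanner would pull these documents from the cloud API and run the checks on every change event rather than once; the logic per resource stays the same.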
Vulnerabilities reach production when security functions are not properly integrated into the software development process. A crypto startup's misconfigured GitHub Action in its CI/CD pipeline was silently exposing AWS credentials, which helped attackers mine $800 in cryptocurrency.
SAST/DAST, secure code review and dependency scanning can identify common security vulnerabilities, ranging from injection attacks to insecure deserialization and insecure direct object references, but these issues persist when security receives no attention.
Integrating security into the software development lifecycle (SDLC) enables developers to identify and resolve vulnerabilities in their web applications before deployment to production. Preventing these issues requires organizations to adopt three fundamental security practices: automated scanning, dependency management and secure code reviews.
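The following Node.js example (added here; it is not the startup's pipeline and not GitHub's or AWS's tooling) is the kind of automated scan that belongs in that SDLC step. It runs over constructed CI workflow and source lines and flags the usual ways cloud credentials leak from a pipeline: a hard-coded AWS access key id or secret, a step that echoes a secret into the build log, and a step that dumps the whole environment. The rule names, regexes, file names and sample lines are assumptions, and the key values are made up.

```javascript
// Added example, not the startup's pipeline and not GitHub's or AWS's tooling:
// a small secret-leak scanner over constructed CI workflow and source lines.
// Rule names, regexes and sample lines are assumptions; key values are made up.

const RULES = [
  // AWS access key IDs have a fixed 20-character shape starting with AKIA.
  { name: 'hardcoded-aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  // A literal 40-character secret assigned to the well-known variable name.
  { name: 'hardcoded-aws-secret', re: /AWS_SECRET_ACCESS_KEY\s*[:=]\s*['"]?[A-Za-z0-9/+=]{40}/ },
  // A secret interpolated into a command that writes to stdout ends up in the log.
  { name: 'secret-echoed-to-log', re: /\b(echo|printf)\b.*(\$\{\{\s*secrets\.|\$\{?AWS_SECRET_ACCESS_KEY\}?)/ },
  // A bare environment dump prints every injected secret.
  { name: 'environment-dumped-to-log', re: /^\s*(-\s*run:\s*)?(env|printenv|set)\s*$/ },
];

// Returns one finding per (line, rule) match.
function scanLines(lines, source) {
  const findings = [];
  lines.forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ source, line: i + 1, rule: rule.name });
    }
  });
  return findings;
}

// Constructed sample: a GitHub Actions workflow with three leaks (a pasted key id,
// an echoed secret, an env dump) and a source file with a pasted 40-character secret.
// Referencing ${{ secrets.X }} in the env block is the correct form and is not flagged.
const sampleWorkflow = [
  'name: deploy',
  'on: [push]',
  'jobs:',
  '  deploy:',
  '    runs-on: ubuntu-latest',
  '    env:',
  '      AWS_ACCESS_KEY_ID: AKIAEXAMPLEEXAMPLE01',
  '      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}',
  '    steps:',
  '      - run: echo "deploying with ${{ secrets.AWS_SECRET_ACCESS_KEY }}"',
  '      - run: env',
  '      - run: aws s3 sync ./build s3://example-bucket',
];
const sampleSource = [
  'import boto3',
  "s3 = boto3.client('s3')",
  'AWS_SECRET_ACCESS_KEY=' + 'CONSTRUCTED' + '0'.repeat(22) + 'EXAMPLE',
];

function scanSamples() {
  return [...scanLines(sampleWorkflow, '.github/workflows/deploy.yml'),
          ...scanLines(sampleSource, 'deploy.py')];
}
```

Wired into a pre-commit hook or a pipeline stage that fails the build on any finding, a check like this catches the credential before it is committed or printed, which is cheaper than rotating keys after the fact.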
Organizations continue to experience security breaches largely because they cannot recognize warning indicators and lack defined remediation processes for system abnormalities. As the 2022 Uber breach showed, they should consistently monitor their systems and establish a clear response procedure for security violations that follows current industry standards. Without comprehensive logging of security events, organizations struggle to detect credential stuffing, unusual device access attempts or abnormal token activity.
Organizations find it challenging to detect suspicious authentication and sign-in attempts, or to make use of recorded user registration events, because the information they collect lacks the detail needed to identify abuse of access rights early.
Well-instrumented systems identify and manage abnormal events through privacy-focused telemetry and automated, algorithmic response procedures. AI-supported detection and response capabilities help organizations correlate security events and stop breaches before they occur.
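The following Node.js example (added here; not code from the article or any vendor) shows what two of those detections look like when the sign-in log carries enough detail. It runs over constructed authentication events and raises an alert for credential stuffing (one source IP failing against many distinct accounts within a short window) and for a successful sign-in from a device never seen for that account. The log format, field names, thresholds and events are assumptions; the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```javascript
// Added example, not from the article or any vendor: detection logic over constructed
// authentication log lines. Format, thresholds and events are assumptions.

const sampleLog = [
  '2024-05-01T10:00:01Z login user=alice ip=203.0.113.7 device=dev-a1 result=success',
  '2024-05-01T10:00:03Z login user=bob ip=203.0.113.8 device=dev-b1 result=success',
  '2024-05-01T10:00:10Z login user=carol ip=198.51.100.77 device=unknown result=failure',
  '2024-05-01T10:00:12Z login user=dave ip=198.51.100.77 device=unknown result=failure',
  '2024-05-01T10:00:14Z login user=erin ip=198.51.100.77 device=unknown result=failure',
  '2024-05-01T10:00:16Z login user=frank ip=198.51.100.77 device=unknown result=failure',
  '2024-05-01T10:00:18Z login user=grace ip=198.51.100.77 device=unknown result=failure',
  '2024-05-01T10:00:20Z login user=heidi ip=198.51.100.77 device=unknown result=failure',
  '2024-05-01T10:05:00Z login user=alice ip=198.51.100.77 device=dev-z9 result=success',
  '2024-05-01T10:06:00Z login user=bob ip=203.0.113.8 device=dev-b1 result=failure',
  'garbage line that does not parse',
];

const LINE_RE = /^(\S+) login user=(\S+) ip=(\S+) device=(\S+) result=(success|failure)$/;

// Parse one line into an event, or null if it does not match the expected format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), user: m[2], ip: m[3], device: m[4], success: m[5] === 'success' };
}

// Single pass over the log in time order; returns the alerts raised.
function detect(lines, { windowMs = 60000, minDistinctUsers = 5 } = {}) {
  const alerts = [];
  const failuresByIp = new Map();   // ip -> failures inside the sliding window
  const devicesByUser = new Map();  // user -> Set of devices seen on successful logins
  const flaggedIps = new Set();     // alert once per IP, not once per extra failure

  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue; // unparseable lines are skipped, never trusted

    if (!ev.success) {
      const recent = (failuresByIp.get(ev.ip) || []).filter((f) => ev.ts - f.ts <= windowMs);
      recent.push(ev);
      failuresByIp.set(ev.ip, recent);
      const distinctUsers = new Set(recent.map((f) => f.user)).size;
      if (distinctUsers >= minDistinctUsers && !flaggedIps.has(ev.ip)) {
        flaggedIps.add(ev.ip);
        alerts.push({ type: 'credential_stuffing', ip: ev.ip, distinctUsers });
      }
      continue;
    }

    const known = devicesByUser.get(ev.user);
    if (!known) {
      devicesByUser.set(ev.user, new Set([ev.device])); // first success establishes the baseline
      continue;
    }
    if (!known.has(ev.device)) {
      alerts.push({ type: 'new_device_login', user: ev.user, device: ev.device, ip: ev.ip });
      known.add(ev.device);
    }
  }
  return alerts;
}
```

Both detections depend on fields the text says are often missing: without the source IP the stuffing pattern is invisible, and without a device identifier the second sign-in from `198.51.100.77` looks like any other success. The alerts are the input to the response procedure described above (for example, forcing re-authentication for the affected account).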
The most frustrating part of studying the MGM, Snowflake, Uber and CircleCI breaches is realizing that these incidents could have been avoided. They became unavoidable only because the technology these organizations were running lacked capabilities that security-focused businesses already used in their authentication systems.
All organizations in this report had the option to deploy passkeys before their systems were breached. Passkeys were available and mature technology during 2022-2024, whereas Device Bound Session Credentials (DBSC) were not widely available until 2024. Their cloud platforms also included multiple security controls, such as MFA enforcement, network allowlists, least-privilege IAM and monitoring, but these controls needed manual setup to provide complete protection.
Security teams at some of these organizations supported these controls, yet they failed to overcome company-wide resistance to change. The outcome was the exposure of more than 600 million people's personal data, regulatory probes and total losses exceeding hundreds of millions.
Research shows that credential-based attacks will keep increasing at an accelerating rate, so organizations need to address this critical threat immediately. Your organization must decide whether it will adopt modern authentication before, or after, other organizations use your security failure as an example in their breach investigations.
Application security tools exist, they run automatically and they need no complex installation. The ROI is measurable. What the security community lacks is the sense of urgency to recognize authentication modernization as an essential security control. Organizations need to act now, because the next help desk call, phishing email or infostealer payload will otherwise turn into a hundred-million-dollar incident.