International. Cloud computing is a growing market. But cyber attacks on cloud software systems are also on the rise, as these applications often contain security vulnerabilities that hackers can exploit.
CodeShield software, which is produced by the company of the same name, discovers these vulnerabilities and fixes them using automated methods. CodeShield is a spin-off company of the Fraunhofer Institute for Mechatronic Systems Design IEM and the Heinz Nixdorf Institute at the University of Paderborn.
More and more companies are moving their IT infrastructure to the cloud, using the storage and computing capacity offered by cloud services or programming applications directly in the cloud. Cloud systems offer numerous advantages, but also require the implementation of special security measures.
Many companies are not prepared for this, something that can have consequences for the security of their data. "Often, we see insecure web interfaces, incorrectly configured interfaces, or vulnerable access protocols that are open to exploitation by cybercriminals. This can result in the loss of sensitive data, to name an example," says Professor Eric Bodden, a scientist at Fraunhofer IEM, who together with colleagues at the Heinz Nixdorf Institute at the University of Paderborn, established the spin-off CodeShield in 2020 and developed a tool of the same name that analyzes and evaluates the security of cloud applications and fixes vulnerabilities.
In addition to Prof. Bodden, the start-up was founded by Manuel Benz, Andreas Dann and Dr. Johannes Späth and now has nine employees. "The targets of hacker attacks can include companies' public deed repositories. These types of cloud containers store data in the form of objects. Attacks are possible if the repository is not read-only and therefore can be accessed publicly, for example," explains Bodden. Among the most well-known victims of this type of attack are the BHIM trading platform and AutoClerk, a platform-based hotel property management system. The attacks resulted in millions of elements of user and account data falling into the hands of the perpetrators.
Automatic detection of security vulnerabilities
CodeShield's goal is to stop these cybercrime activities. The software uses an automated process to analyze vulnerabilities in the program's code, focusing on cloud-native applications, which are currently experiencing a boom in popularity. Prominent examples of cloud-native technologies include Spotify and Netflix. Electric scooters, which have been a regular sight on our streets for some time, are also connected to the cloud. Applications are hosted directly by the cloud provider. The program code is also programmed in the cloud and then stored and run at companies such as Amazon Web Services, a popular provider in this field.
The crux of the matter is this: "The interfaces and components made available by suppliers, which can be described as a kind of modular toolbox, are not easy to use. Although they allow programmers to develop new applications in a short space of time, private data can end up being published inadvertently if the interfaces are configured incorrectly, "says the computer scientist. "CodeShield not only discovers these vulnerabilities in real time using automated means, but also visualizes them at the same time." Covering everything from the website and application to the code and data container, the software presents the entire cloud infrastructure in the form of diagrams so programmers can quickly identify problems and weaknesses. Components such as open source libraries from third-party vendors can also be integrated, displayed, and verified here.
Fingerprinting method and data flow analysis
To discover security vulnerabilities in the code, the tool uses what is known as a fingerprinting method. This involves Bodden and his team downloading the open source components from the cloud and calculating a fingerprint for each component. This fingerprint allows you to immediately recognize any insecure code if it is reintegrated into an application at a later date.
In addition, CodeShield analyzes the program code that the developers themselves write, store in the cloud and constantly edit to adapt and extend functionalities. In this case, CodeShield performs highly efficient data flow analyses on a daily basis. The job of these analyses includes checking user inputs on the front-end to detect any manipulation quickly. Specially developed algorithms allow high-quality analysis.
CodeShield's false positive rate is below five percent. "Many IT security tools generate false positives of between 70 and 80 percent, which is a big problem for developers. That is comparable to a spell checker that highlights errors in each sentence where there are none," explains the scientist. However, CodeShield technology is different. As an example, it identified security vulnerabilities in Germany's coronavirus warning app before its launch.
In 2019, CodeShield received the Ernst Denert Software Engineering Award; is funded by the European START-UP transfer programme. NRW and BMBF's StartUpSecure program.
Data Source Provider: Fraunhofer Institute.
