5 security vulnerabilities in your software download infrastructure

richard-yew-headshotBy Richard Yew, Principal Product Manager – Security Solutions

If your business depends on delivering digital products and software updates, your download infrastructure can be vulnerable to online attacks, data breaches and revenue loss. Here are some emerging threats and preventative steps you can take to keep your software download secure.

1. Vulnerable API

Televisions, computer chips, refrigerators, thermostats and the thousands of connected devices on the market not only rely on your download infrastructure to get the latest software updates, but they also generate API traffic and provide valuable operational data and device telemetry back to the service provider. Smart companies are collecting and using data from these devices to provide better service and improve the customer experience. Attackers are targeting the API endpoints for these new platforms to probe for vulnerabilities in your infrastructure (i.e., the ability to perform remote code execution (RCE) or to create backdoors to your systems). These application layer attacks can be subtle and hard to detect. But you can protect yourself with a web application firewall (WAF) to seek out exploits in application vulnerability and mitigate them in real time.

2. Unsecured networks

More mobile users mean more people connecting to your content using public Wi-Fi – the playground for man-in-the-middle (MITM) attackers attempting to eavesdrop on communications to steal user info, authentication details and intellectual property in download traffic between the client and the server. You can protect yourself by enforcing an end-to-end SSL connection to encrypt the transmission between your user, your data source and any proxy in between. It’s a good practice to use secure protocol (i.e., Disabling SSLv3 & TLS 1.0) and enable perfect forward secrecy (PFS) like Elliptic-curve Diffie-Hellman (ECDH) cipher suites. Your CDN should allow you to customize your SSL connection between your user and the CDN and from the CDN to the origin. Finally, it’s also a good practice to implement end-to-end certificate pinning to ensure only the trusted certificate is being used, preventing MITM attackers from impersonating your server.

3. Exposed origin

Being a well-known brand increases the visibility of your online services to potential attackers, which makes your infrastructure vulnerable to a multitude of DDoS attacks from network to application layer. Content delivery networks (CDN) are a protective layer to your origin that provide an essential first line of defense. In addition to offloading your origin infrastructure by caching your content, some CDNs also provide origin shielding that serves as an extra layer of defense, increasing the cache hit ratio and, more importantly, allowing you to implement access control policy in your origin infrastructure to only allow the CDN to communicate with your origin. This helps close the door to any application attack to your origin directly. In addition to providing an extra layer of caching infrastructure to reduce the load to your infrastructure during flash traffic, the origin shield also protects against direct attacks by ensuring all traffic goes through the CDN network.

4. Unpredictable load

Some attackers will leverage botnets to create a massive flood of download requests that could cause a spike in your bandwidth consumption and create large billing overruns. Worst case scenario, it can overwhelm your infrastructure and cause service interruption. Having a rate limiting system can prevent unexpected traffic spikes that far exceed your origin’s capacity. By closely monitoring individual client requests, rate limiting can help mitigate malicious clients that generate a high rate of requests exceeding the normal threshold. A flexible rate limiting system can let you set custom request thresholds for different types of traffic so you can have granular control over your download and API traffic.

5. Unauthorized access

Whether in source code, intellectual property, video or media files, attackers are looking for weaknesses that give them unauthorized access to your valuable content. So, it’s a good idea to protect your content with token authentication by ensuring that only verified users can access your download content from the CDN. A good token authentication service allows you the flexibility to customize content access by restricting user access based on URL, country, referer, IP address, etc.

We provide comprehensive, PCI-certified security solutions that protect your web content and software downloads at every layer. Leveraging our globally distributed cloud-based platform, we offer industry-leading WAF for application layer protection, robust layer 3/4/7 DDoS protection, world-class bot mitigation against automated threats, highly resilient authoritative DNS service, DDoS Shield and managed security services. Our full suite of cloud security solutions help keep your content secure anytime, anywhere, on any device.

Get in touch with us today to learn how your CDN can get your software download to your customer safely, and protect from online criminals who are working to steal your intellectual property, tarnish your brand image and damage your online business.