Security risk in OTT streaming applications
By Brian Pillsbury, Senior Manager, Solutions Engineering, Verizon Media and Tom Box, Senior Manager, Solutions Engineering, Verizon Media
In the past few years, studios and broadcasters have leveraged streaming technologies to create new direct-to-consumer services. While this provides an attractive opportunity to build an audience and profit from viewer data, it’s also a new risk to manage. Malicious actors are working hard to profit from this growing consumer database. Given the widespread knowledge of web application vulnerabilities, attackers are targeting new streaming services that are less experienced in managing web security. In this tech article we explore why these new web applications are vulnerable to attack and what can be done to mitigate risk.
Understanding the over-the-top (OTT) attack surface
An OTT application has many pieces that make it function. To reach as many viewers as possible, it needs to be available on web browsers, mobile devices, smart TVs and streaming players. Each application version, the supported platforms and the infrastructure defines a surface area. Put another way, the application’s surface area is all the ways to interact with the application.
The application’s surface area has components that might be vulnerable to an attack or exploit. It has custom code, third-party libraries and integrations. Any of these components may have a vulnerability. When a vulnerability exists in these components, a malicious actor will attempt to exploit it. These vulnerable areas are the attack surface. An application designed with little security might have a large attack surface. In contrast, a well-designed application might have a small attack surface. Unfortunately, the attack surface always exists, and the goal is to keep it as small as possible.
The OTT attack surface is evolving
Keeping your OTT application secure may seem like a moving train for any one of the following reasons:
- Operating systems deploy monthly updates
- Third-party libraries release changes periodically
- Integrations and streaming players announce deprecations
- Security researchers disclose vulnerabilities almost daily
With all these changes, it can be tempting for developers to put security on the backburner. However, failure to address security fixes leaves the application vulnerable to exploits.
Cyberattackers look for admin portals, backdoors, leftover info files (e.g., phpinfo.php), installation folders, unprotected pages, developer environments, forgotten API endpoints, Git repositories, and other ways to gain access. They also attempt to find an entry point from supporting systems (e.g., marketing websites, content management systems and payment processors). They may go to the Dark Web and buy exploits and login credentials. Their surveillance may go undetected without proper security measures in place.
How to identify vulnerabilities in your OTT streaming service
Many security measures can protect an application and reduce the attack surface. Some of them only detect findings and need manual actions to fix them. Other measures protect against threats. Security measures should have both detection and protection capabilities whenever possible.
Vulnerability management and assessment systems
A vulnerability management system compiles a list of detected vulnerabilities found in an application, and vulnerability assessment systems detect vulnerabilities. The assessment system will scan the application resources and report security findings on the operating system, software applications, system and network misconfigurations, and more. The management system will import the results from various assessment systems. Using both systems reduces the attack surface by detecting known vulnerabilities and providing reports that identify top risks and suggest priorities.
Software Composition Analysis (SCA)
SCA systems check for vulnerabilities within the OTT application’s third-party libraries (or dependencies). SCA will review the application’s dependencies and each dependency’s dependencies, and will propose the version upgrades needed to resolve the vulnerabilities. Sometimes an upgrade might result in breaking changes, and the SCA will warn when that is the case. SCA reduces the attack surface by alerting when dependencies have known vulnerabilities.
Automated API testing and penetration testing tools find vulnerabilities in the running application. These automated tools can identify whether the OTT application suffers from broken authentication, cross-site scripting, SQL injection, memory leaks, application crashes, and more. They assess the application within minutes and can integrate with continuous integration (CI) systems. Integration of automated tests into CI systems enables catching vulnerabilities before a software release.
How to protect your OTT streaming service
The systems and best practices mentioned above can help identify security risks and bugs. Developers should work with security engineers and leadership to promptly address security updates. But even when a team can rapidly deploy fixes, implementation delay can still leave the application vulnerable to an attack. The following defenses can provide some additional protection to OTT streaming applications. Since they function independently of the streaming application’s codebase, they can serve as a buffer to protect against known threats while developers work to patch systems. These protections also give security teams added flexibility in deploying countermeasures in real time to defend against constantly evolving threats.
Distributed denial-of-service (DDoS) protection systems
DDoS protection systems aim to keep an application functioning when under attack. These attacks flood your website with requests in a short period of time to overwhelm it. When the infrastructure and application receive too many requests, they may stop responding. A successful DDoS attack will make an application unavailable for an extended period. A DDoS protection system determines when an attack is starting by analyzing the requests and connections. When it detects a DDoS attack, the system will attempt to reduce or stop the number of requests from the attackers while allowing the actual users to continue streaming.
Web application firewall (WAF)
WAFs monitor and protect application requests. They use a set of rules that analyze the HTTP requests. These rules may allow or restrict access based on IP address, country of origin, headers and payload. Some WAFs have static rules, whereas others have dynamic rules. Dynamic rules allow the WAF to protect against an emerging threat, whereas static rules can only stop known threats.
Bot management systems
Bot management systems protect against automated bots that interact with an OTT application infrastructure, including critical API services. A bot may try to simulate an actual user, solve a CAPTCHA, collect information, insert malicious code, try breached credit card numbers and account credentials, and more. A bot management system analyzes numerous signal characteristics of HTTP requests and user agent details to determine whether an automated threat is attempting to access the service. Given that bots make up much of Internet usage, having a bot management system can protect an OTT application from nefarious activity.
Make application security a priority
Verizon Media’s cloud-based web security solution secures your streaming service with precision and speed. It predicts the impact of change management so you can confidently update rules without impacting your legitimate users, and stops attackers before they can reach OTT application servers. Learn more about Verizon Media’s cloud-based WAF.
Verizon Media recently surveyed 250 security professionals from a range of OTT and streaming services and asked them how they address security risks in their streaming applications. See what they said, and learn how to protect your streaming application by downloading our new security report, “Protecting your OTT service from cyberattacks.”