Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

What Happens When Security Companies Fail at Security?

Several recent cyber attacks have successfully targeted organizations that should be poster children for security hygiene. Why are even the most security-conscious organizations being compromised, and what does it mean for everyone else?

Several recent cyber attacks have successfully targeted organizations that should be poster children for security hygiene. Why are even the most security-conscious organizations being compromised, and what does it mean for everyone else?

Examining recent high-profile cyber attacks

The most prominent attack was the Equifax breach, which exposed sensitive data of over 145 million people. Prior to the report of the breach, Equifax was trusted (implicitly by all and explicitly by many) by consumers and businesses to protect highly sensitive data. Equifax even upsells services to detect and counteract identity theft. This latest breach is causing a new wave of soul-searching by organizations not seen since the Target and Home Depot breaches, which opened the eyes of many to the dangers of testing only high-risk applications.

On the government side, the Securities and Exchange Commission (SEC) recently announced a breach from 2016 that might have given intruders access to nonpublic information for illegal trading.

Avast, an antivirus company, disclosed that one of its popular software utilities had been hijacked by hackers and loaded with a backdoor that evaded the company’s security checks and wound up installed on 700,000 computers. Furthermore, evidence suggests the attackers specifically targeted several tech giants for a second-stage malware attack intended for industrial espionage.

Finally, the NSA was recently in the news with a breach when it was reported that Russia had obtained detailed data regarding how the United States defends against cyberthreats and how the NSA monitors foreign computer networks. This data was obtained by hackers supposedly working for the Russian government.

Designing, developing, and deploying secure software

So why is it that credit bureaus, financial regulators, and security companies are getting beaten by the bad guys? The answer is that building secure software is not a trivial task. Software security is a complex challenge that can’t be addressed by cutting-edge technology alone or by throwing people at the problem.

The cold, hard fact is that software security is an ongoing journey, not a point-in-time obstacle that needs to be hurdled. Organizations must be committed to starting on the journey and staying with it for the long term. Organizations need to build security into their DNA, with a comprehensive and orchestrated software security initiative that dictates how software is designed, developed, and deployed.

Allow me to provide a concrete example.

Advertisement. Scroll to continue reading.

The Equifax breach has been traced to an unpatched vulnerability in an open source framework (Apache Struts) used by one of Equifax’s web applications. This was a known vulnerability with a readily available patch. There is no shortage of tools that can identify open source in applications and report on the vulnerabilities of the discovered open source elements. So why was this vulnerability not found and closed?

Using real data to measure software security

For an answer, let’s consult the findings in the Building Security In Maturity Model (BSIMM), which provides real data on how real-world organizations are embracing a holistic approach to software security. The idea is to use real data to show where we are succeeding with software security and where the challenges exist. The BSIMM also allows organizations to see how they score against other organizations in their vertical, and provides them a score they can use to gauge the improvement of their business processes over time. The BSIMM study is licensed under a Creative Commons license and can be downloaded for free.

Version 8 of the BSIMM measures 113 security activities of 109 participating organizations. Two of those activities measure whether an organization systematically identifies open source components in their software (Activity SR2.4) and whether the organization takes steps to control the risks associated with those components (Activity 3.1). The statistics are revealing:

· SR2.4—Identify open source:v23% participation rate

· SR3.1—Control open source risk:v9% participation rate

Controlling open source software risk

As the BSIMM data shows, only 1 in 4 organizations is systematically identifying open source software (OSS) in their software portfolios, and less than 1 in 10 are proactively controlling OSS risk. The risks of open source are clearly understood, and those risks become increasingly important as
a greater and greater degree of every application is composed of open source components. In fact, the Open Source Security Analysis 2016 report by Black Duck says that 67% of applications that they examined contained a known open source–related vulnerability.

The data on the practices surrounding open source and the potential consequences illustrated by the Equifax breach provide clear insight as to why even the most progressive companies can be successfully attacked. As I have stated in previous articles, 50% of the vulnerabilities in software are flaws in the design and architecture of the application, but security is seldom considered in the early stages of development. Organizations strive to apply good security practices to the software development life cycle, but competitive pressures often force organizations to sacrifice security to increase the delivery velocity of software.

Summing it up

In the end, there is a lot of flawed, vulnerable software out there, and the bad guys know that software is a viable entry point. Organizations are putting more emphasis on building security into software, but we have a long way to go. So don’t be surprised if you wake up tomorrow and see in the headlines a breach that makes the Equifax fiasco look like child’s play.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.