In the world of software security, an attacker will almost always take the path of least resistance. Sophisticated exploits are never needed if the front door is wide open. This is why you need to “take the temperature” of your application security: covering the basics can prevent disastrous consequences.
A good analogy for this is tracking a fever. Knowing whether you have a fever is easy to determine and a valuable indicator of health. It is a standard practice. Everyone expects to have their temperature checked when visiting a doctor for a checkup. What would you think of a doctor’s competence if you went in for an annual physical and did not get your temperature checked?
Look for a moment at the title insurance and settlement services company First American. This company recently acknowledged a security flaw in one of its applications. This flaw (really a lack of controls) made hundreds of millions of sensitive customer records accessible to anyone on the Internet with a web browser, without authentication. In this case, customers access documents using a web link that contains a nine-digit record number. Anyone who knew what the link looked like could retrieve other customers' records simply by changing that record number.
After user login itself, authorizing every request for a customer record is the most critical control in applications like First American’s. This is the most fundamental “taking your temperature” control out there. Hindsight is always 20/20, but verifying how you control access to records is one of the first things any competent software security auditor would evaluate. Surely a billion-dollar company could have afforded a review at some point, right?
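The control described above, as an added example that is not code from the original post or from First American: a document lookup keyed by a nine-digit record number, shown first with no authorization check (the behaviour described in the story) and then with the check that authenticates the caller and verifies ownership on every request. The record numbers, user names and document contents are constructed sample data, and the in-memory dictionary stands in for whatever database a real application would use.

```python
"""Object-level authorization for record lookups: vulnerable and hardened forms."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Document:
    record_id: int   # the nine-digit number that appears in the customer's link
    owner: str       # the authenticated user who is allowed to see it
    content: str


# Constructed sample data: sequential record numbers, one per customer.
DOCUMENTS = {
    100000001: Document(100000001, "alice", "Alice's settlement statement"),
    100000002: Document(100000002, "bob", "Bob's title commitment"),
    100000003: Document(100000003, "carol", "Carol's wire instructions"),
}


class AccessDenied(Exception):
    """Raised when a request must not be served."""


def fetch_document_vulnerable(record_id: int) -> Optional[Document]:
    """Before: the handler trusts the record number in the link and returns
    whatever it points at. Anyone who can reach the URL can read any record."""
    return DOCUMENTS.get(record_id)


# Detection signal: denied lookups per user, plus an audit trail. A user who
# racks up denials across many record numbers is worth a closer look.
DENIED_BY_USER: Counter = Counter()
AUDIT_LOG: List[str] = []


def fetch_document(session_user: Optional[str], record_id: int) -> Document:
    """After: authenticate first, then authorize this specific record.

    The authorization question is not "is the user logged in?" but "does this
    user own record_id?", and it is asked on every request. Not-found and
    not-yours produce the same error so the response does not reveal whether
    a neighbouring record number exists."""
    if session_user is None:
        AUDIT_LOG.append(f"denied unauthenticated request for {record_id}")
        raise AccessDenied("authentication required")

    doc = DOCUMENTS.get(record_id)
    if doc is None or doc.owner != session_user:
        DENIED_BY_USER[session_user] += 1
        AUDIT_LOG.append(f"denied user={session_user} record={record_id}")
        raise AccessDenied("record not found")

    AUDIT_LOG.append(f"served user={session_user} record={record_id}")
    return doc


def can_access(session_user: Optional[str], record_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler would serve the record."""
    try:
        fetch_document(session_user, record_id)
        return True
    except AccessDenied:
        return False


def denied_count(session_user: str) -> int:
    """How many of this user's lookups were refused (the detection counter)."""
    return DENIED_BY_USER[session_user]


if __name__ == "__main__":
    # Vulnerable handler: the link's number is all it takes.
    print("vulnerable:", fetch_document_vulnerable(100000002).content)
    # Hardened handler: alice's own record is served, bob's is refused.
    print("own record:", fetch_document("alice", 100000001).content)
    print("other's record allowed?", can_access("alice", 100000002))
    print("denials for alice:", denied_count("alice"))
    print("\n".join(AUDIT_LOG))
```

The important design choice is that the check binds the caller's identity to the specific record on every request; a session cookie alone proves who is asking, not what they may see. Feeding the denial counter into monitoring turns the same control into a detection signal, since a legitimate customer almost never asks for a record number that is not theirs.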
Software Security Tip #2: Learn From the Mistakes of Others