Home|CRI|Taking the Temperature of Your Software Security
In the world of software security, an attacker will almost always take the path of least resistance. Sophisticated exploits won’t ever be used if the front door is wide open. This is why you need to “take the temperature” of your application security. Covering the basics can prevent disastrous consequences.
A good analogy for this is tracking a fever. Knowing whether you have a fever is easy to determine and a valuable indicator of health. It is a standard practice. Everyone expects to have their temperature checked when visiting a doctor for a checkup. What would you think of a doctor’s competence if you went in for an annual physical and did not get your temperature checked?
Look for a moment at the title insurance and settlement services company First American. This company recently acknowledged a security flaw in one of its applications. This flaw (really a lack of controls) made access to hundreds of millions of sensitive customer records possible to anyone on the Internet using a web browser without authentication. In this case, customers access documents using a web link containing a record number that is nine digits long. Simply knowing what this web link looks like allows a user to access unauthorized records by changing this record number.
Next to the user login problem, authorizing all requests for customer records is the next most critical control in applications like First American’s. This is the most fundamental “taking your temperature” control out there. Hindsight is always 20/20, but verifying how you control access to records is one of the first things any competent software security auditor would evaluate. Surely a billion-dollar company could have afforded a review at some point, right?
Software Security Tip #1: First Things First – Basic Training!
Cybersecurity is still an evolving field. There is a lot of room for the basics to be missed. Attackers will typically use the front door if you leave it open to them simply because it’s faster and easier. The most basic and important thing in application security (after authenticating users) is to understand how your applications authorize access to data.
You have to do the basics, especially if your organization deals with sensitive information. Ask hard questions about how the basics are covered. What kinds of controls give your organization assurance that the basics will keep being covered? Use outside expertise to help validate if necessary.
Software Security Tip #2: Learn From the Mistakes of Others
Breaches are unfortunately pretty common these days. Barely a week or two go by without some disclosure of yet another organization having troubles. While it is rare that all of the facts are ever disclosed, often enough about the incident is made available such that you can apply it to your own organization. For example, was there a weakness in vulnerability management? Was an application hacked because there were no secure coding standards in place? By asking these questions and then looking inward toward your own organization you have the opportunity to reduce the risk of the same things happening to you.
Key Takeaways for Businesses
There is no shortage of security products out there to help you secure your environment. It is important to realize, however, that emphasis must be placed on the basics first. As shown by some pretty high-profile breaches in the last few years, even the largest of organizations with all of the best security resources can still make this mistake. For software to be secure, you can’t forget to make sure the coding itself has strong controls inside. If your business relies on e-commerce or serving sensitive data to customers such as the financial services and healthcare industry, this is one thing you can’t ignore. Don’t forget to take your temperature!