Software Security Witching Hour is Upon us

October is a special month for me. It’s my work anniversary which gives me a lot of pride. It’s also a month filled with seasonal excitement leading up to Halloween.

As we move into the depths of the spookiest season of the year, I thought it would be a good time to speak about common types of software vulnerabilities and why they can be so scary for organizations.

Gone are the days in which your technical debt comes only from implementation bugs (e.g., injection vulnerabilities and cross-site scripting) and architectural flaws (e.g., broken access control and business logic violations).  

We now have two additional categories for firms of all shapes and sizes to dread: infrastructure and open source software vulnerabilities. Open source software is available for anyone to review and use. This also means that its code, and any weaknesses in it, are exposed to malicious actors.

For perspective here, open source vulnerabilities like Heartbleed, Shellshock, and the Apache Struts flaws have put organizations’ assets at serious risk, and have brought others to their knees.

Protecting your firm’s infrastructure is vital in today’s connected world. This is true when deploying applications in-house, using containers, or in the cloud. We’re dealing with data breaches brought on by human error, insider threats, emerging attack surfaces and configuration changes, just to name a few. This reality is daunting to say the least—threats are everywhere!

Trick or treat?

If you’re waiting for an incident to take place before engaging your development team to remediate security vulnerabilities, you’re playing a cruel trick on them. Instead, treat your development staff by taking a proactive approach to security by training them to write secure code.

There are also tools that operate in real time, flagging vulnerabilities as they’re coded. Catching issues at that point makes developers’ work more seamless further along in the software development process.

You don’t let your small children go trick-or-treating alone, do you? You probably tell them not to talk to strangers, eat unwrapped candies, or open themselves up to other vulnerable scenarios, right? Well then, don’t send your developers out into the wild without giving them the proper training, security guidance, and tooling to do their work securely. An incident response plan should also be in place so that there is a clear strategy to follow should a security incident occur.

Whether or not you have children, you probably feel some sort of caution during the spookiest of seasons. You know, that hyper-awareness that you feel on October 31st when you’re double checking to make sure that the garage door is closed, and the doors are locked; double-checking before you open the door to offer candy to the little Wonder Women and Spidermen, making sure that it’s not a 6-foot tall mystery ghoul in a Scream mask.

We want to stay festive and enjoy ourselves with friends and family, but during the Halloween season, you’ll likely notice that you’re more attentive to your personal safety and security. So, why is it so hard for organizations to apply the same ideals to ensure their applications are secure?

When security becomes an issue, it tends to snowball into a crisis at a very rapid rate. This is why we must stay ahead of the threats and the bad guys. If you don’t consider security until something happens, the only option will be to fix the issues that are already in production and focus on damage control to salvage what’s left of your organizational reputation and begin rebuilding customer trust.
 
Think like an attacker

Tracking down which open source software components your firm uses is a challenge. Understanding exactly how that software affects your organization’s software security posture is even more difficult. Believe me, it’s worth the effort.

While open source offers a vast number of benefits for firms in terms of capabilities and cost savings, it also provides a rich target for hackers to infiltrate your applications. Many companies are completely unprepared, leaving most of their software supply chains, filled with both proprietary and open source software, highly vulnerable. 

This offers yet another reason why a proactive security stance is critical this October and beyond. Here are a few ways you can rise above the fear factor and get to work securing the software that powers your business: 

  1. Commit to making security a priority. Shift your focus from a reactive “we’ll deal with it when the time comes” mentality to one of proactivity so as to avoid the time from ever arriving.
  2. Enable developers with the tools and training they need to build security into software they are coding.
  3. Bugs and flaws are critically important to resolve, but so is technical debt arising from your infrastructure and open source components. 
  4. To manage open source and software supply chain risk, you must include open source security considerations within your overall software security initiative.
  5. If you pursue a strategy that involves moving your network infrastructure to cloud environments, be mindful that this also introduces a new attack surface that must be evaluated for proper configuration, thus ensuring that sensitive data isn’t exposed to unauthorized users.
  6. Address the root cause by building expertise and providing the information needed to prevent bugs from entering the code base in the first place.

When enjoying the All Hallows’ Eve festivities this year, don’t go looking for trouble. Take the lessons we’ve covered here today and apply these techniques to your software.

If you’re actively thinking of ways in which your system may be compromised by an attacker, then you’re that much further ahead in the growing software security arms race. Witching hour is upon us. Take measures to secure your software and applications inside and out so you’re not left the victim of an attacker’s trick.