Recent high-profile events clearly demonstrate that organizations of every size struggle to protect themselves against cyber attacks. Whether politically motivated or profit driven, one thing is clear: attacks are on the rise.
Last month's publication of an academic paper detailing the D.C. vote-hackers' exploits showcases the vulnerability of Web applications: a group of computer science experts at the University of Michigan successfully infiltrated the city's trial Internet voting test bed.
Last December Iran claimed it had hacked GPS signals, which led to the capture of a U.S. military drone. According to an Iranian engineer, they were able to exploit a well-known bug in the drone's software to make it think it was landing at an American airfield, not inside Iran.
Meanwhile LulzSec, which is believed to be an offshoot of the hacktivist collective Anonymous, has reportedly left a billion-dollar trail of damage through governments and corporations alike. While five members of the hacker group were arrested this month, experts believe the arrests are unlikely to strike a lasting blow for authorities in the constant battle against politically motivated online collectives.
The techniques used by these and other cyber attackers are not new: SQL injection, PHP file include, cross-site scripting, clickjacking, cross-site request forgery, etc. While it is relatively well known how to find, fix and prevent these vulnerabilities, organizations continue to overlook their root cause.
In the relentless struggle to protect against cyber attacks, companies must anticipate and identify vulnerabilities before hackers have an opportunity to exploit them. With software applications, a logical and successful path to the early identification of vulnerabilities begins at the development stage.
Security at the Development Stage
When it comes to application development, security must be a foundational element, not merely added functionality. Increased knowledge among development and security teams on the importance of building secure processes at the app development stage is essential to better prepare for and fend off hackers.
While app security as a discipline is relatively young compared to the overall security industry, great strides have been made in terms of technology and processes. However, as demonstrated through recent attacks, additional work is needed.
Consider the D.C. vote-hackers, who exploited a remote shell injection vulnerability that allowed them to execute arbitrary operating system commands. This issue should have been identified and addressed during the app development stage.
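To show what "identified and addressed during development" looks like for a shell injection flaw of this kind, here is an added illustration that is not from the article or from the voting system's code: a simplified ballot-upload handler, first as the unsafe pattern (the uploaded file name spliced into a shell command string) and then in a hardened form that allowlists the name and hands an argument list to the process with no shell in between. The gpg invocation and the upload directory are assumptions chosen for the example.

```python
"""Ballot-upload handler: unsafe shell-string form next to its hardened form."""
import re
import subprocess
from pathlib import Path

# Allowlist: a plain PDF file name, no path separators, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.pdf$")


def vulnerable_command(uploaded_name: str) -> str:
    """UNSAFE: the user-controlled name is interpolated into a shell string.

    If this string were run with shell=True, any character the shell treats
    specially in uploaded_name (';', '|', '$(' ...) would end the intended
    command and start one the attacker chose. Returned here, never executed.
    """
    return (f"gpg --trust-model always -o /tmp/uploads/{uploaded_name}.gpg "
            f"-r election-key /tmp/uploads/{uploaded_name}")


def validate_ballot_name(uploaded_name: str) -> str:
    """Reject anything that is not a plain PDF file name (allowlist, not denylist)."""
    if not SAFE_NAME.fullmatch(uploaded_name):
        raise ValueError(f"rejected upload name: {uploaded_name!r}")
    return uploaded_name


def hardened_command(uploaded_name: str, upload_dir: str = "/tmp/uploads") -> list:
    """Validated name, path pinned under upload_dir, and an argv list (no shell)."""
    name = validate_ballot_name(uploaded_name)
    base = Path(upload_dir)
    src = base / name
    if src.parent != base:  # belt and braces: the regex already bans '/'
        raise ValueError("path escapes upload directory")
    return ["gpg", "--trust-model", "always", "-o", f"{src}.gpg",
            "-r", "election-key", str(src)]


def run_hardened(argv: list) -> subprocess.CompletedProcess:
    """shell=False: each argv element reaches the program verbatim via execve,
    so a name like 'ballot.pdf; id' is just a string argument, not two commands."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True)
```

Running `run_hardened(["printf", "%s", "ballot.pdf; id"])` returns the literal bytes `ballot.pdf; id` on stdout, whereas the same text inside a shell string would have executed `id`.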
Making the Change: People, Processes and Technology
A developer's primary focus is on the functional requirements of code, i.e., does the app do what it is supposed to do? Meanwhile, hackers are focused on manipulating an app to do something that it shouldn't.
To protect against cyber attacks, this developer mindset must change. Organizations need to build greater awareness and knowledge among development and security teams of the need for security at the development stage.
Development teams must have the necessary education and training to build more secure software. This should include a mix of internal as well as external training programs.
Additionally, security must be integrated into the development process with activities such as design and architecture review, peer or third-party code review, penetration testing, security testing, and security requirements baked into the process. Multiple checks and balances are essential to ensure the appropriate controls are built into applications.
Organizations also must consider their usage of third-party apps. When apps are developed it is not uncommon for code and libraries to come from outside vendors or third parties. Development and security teams must have processes in place to track code coming in from external sources, and checks to understand what risk, if any, third-party code exposes them to.
When building critical applications, it is important to take a step back and put into perspective why the application is being developed. It isn't just about the technology; it is about building secure systems that keep our country safe, protect our parents against identity theft, ensure our children's safety and much more.
Having the necessary security controls implemented during the development process will enable organizations to keep information safe by regaining an edge against cyber attacks.
To learn more about software security please come to the SANS AppSec Summit being held in late April. For more information on this event please visit http://www.sans.org/info/102454