For this week’s “In the News”, research an article dealing with how secure code development practices (or lack thereof) affected a major software project; was the project more or less successful as a result?
Kelly Sharadin says
This is an older article from 2017; however, it highlights how DevOps and SecDevOps are still relatively new concepts for many organizations. The article reports on the 2016 U.S. Securities and Exchange Commission data breach resulting from an exploited software vulnerability in the test filing component of the EDGAR database application. The breach allowed attackers to access sensitive information. The article suggests that had the SEC implemented DevOps as part of its development process, such an incident could have been avoided. The article also makes reference to a growing demand for application security. Six years later, do you believe DevOps, especially within the financial sector, has won any adoption?
https://www.crn.com/news/security/300092521/sec-reveals-data-breach-caused-by-software-application-vulnerability.htm
Mohammed Syed says
According to this article, “The Importance of Defining Secure Code”:
In the software development life cycle (SDLC), developers must apply security at each phase and fulfill the fundamental software requirements. The Secure SDLC process is changing with new software development life cycle models such as scrum, agile, or DevOps, but these do not wholly eliminate traditional security checks such as penetration tests. Secure SDLC is important because application security is required in all software and businesses.
In the modern software development process, many developers work on the same project using centralized or distributed servers, GitHub or GitLab. Because of the distributed development process, developers routinely left known vulnerabilities and exploits in their code. It happened because of tight deadlines, prioritizing functionality over security, and simplicity. They did not have the required training or knowledge to fix security problems. So many automation tools are used to find software vulnerabilities and bugs in testing and production environments. Today more and more financial transactions are also moving online. Insecure code is critical in industries such as finance, healthcare, energy, transport, etc., where it could result in financial and property damages.
When thinking about secure programming practices and security, one needs to keep the entire process as simple as possible; complex processes can lead to inconsistent results. Making your code harder to access and, by extension, harder to read can deter potential attackers, and automated scanning tools and code review are necessary. In large projects, many bugs and vulnerabilities remain that are discovered or identified after the software is released and are then fixed with updates or patches. Today, Continuous Integration and Continuous Delivery are used to maintain extensive software security and functionality with automation tools.
https://thehackernews.com/2022/05/the-importance-of-defining-secure-code.html
Vraj Patel says
A zero-day vulnerability has been discovered recently within uClibc and uClibc-ng, which are part of the C standard library. It allows a DNS poisoning attack on IoT devices that are based on those C standard libraries. This vulnerability allows an attacker to change the DNS of the target devices and have them connect to their server. The attackers could attempt to change the password of the IoT device without the owners’ knowledge. The attackers could also intercept an update sent by the vendor and replace it with malware.
Reference:
https://portswigger.net/daily-swig/zero-day-bug-in-uclibc-library-could-leave-iot-devices-vulnerable-to-dns-poisoning-attacks
Anthony Wong says
Recently, Log4j was an example of a security vulnerability that was discovered after it had been used for years. Additionally, one of the most widely used operating systems, Windows, has consistently had bugs and security vulnerabilities throughout all of its years. Software has always been released with bugs that are discovered much later on. The article explains that creating a secure software development process needs proper investment, personnel, and time. However, the traditional process contradicts security by needing to be first to market and releasing software products as fast as possible. Senior management needs to be supportive of secure coding practices by allowing extra time and resources to review and test code to ensure it gets delivered securely.
https://www.zdnet.com/article/software-development-is-still-ignoring-security-that-needs-to-change-fast/
Kelly Sharadin says
Hi Anthony,
It’s truly amazing how Microsoft is ground zero for so many major security bugs (e.g. EternalBlue, Nobelium) and yet the company persists in its dominance within the marketplace. At first, I was going to suggest that may be the result of legacy products existing in organizations, but Nobelium was just in 2020. At least it provides SOC analysts job security!
Kelly
Kyuande Johnson says
SQL Injection Vulnerability in ‘Yahoo! Contributors Network’
In 2014, Yahoo! Contributors Network, the network of authors that generated content such as photographs, videos, articles and their knowledge for more than 600 million monthly visitors, was vulnerable to a time-based blind SQL injection vulnerability on its website that could be exploited by hackers to steal the users’ and authors’ database containing their personal information. The critical vulnerability was able to expose the database, which carried sensitive and personal information of those authors who were participating and getting paid for their work. In 2012, Yahoo! Contributors Network was hacked by a group of hackers called “D33DS Company”, and the “Owned and Exposed” data breach exposed 453,491 stolen email addresses and passwords online. Reportedly, at that time the hackers used the same technique, i.e. a SQL injection attack, to carry out the data breach.
Tal Eidenzon says
https://securitybrief.com.au/story/why-security-must-be-a-priority-in-the-software-development-process
In this article, the importance of secure coding practices is discussed and explained.
In summary, every day new code is written which contains known, exploitable vulnerabilities. These vulnerabilities are “born” into a world already overfilled with more vulnerabilities than could ever be remedied, and with new ones introduced almost daily. Taking all of this into consideration, many risks could be mitigated by incorporating secure coding practices, and incorporating information security into the design phase.
Shubham Patil says
Daycare monitoring apps are ‘dangerously insecure’ – Researchers found weak security and undisclosed data sharing in a number of childcare apps
Researchers found that popular apps like Brightwheel, HiMama, and Tadpoles lacked two-factor authentication (2FA), meaning that any malicious actor who was able to obtain a user’s password could log in remotely. Further analysis of application code revealed a number of other privacy-compromising features, including data sharing with Facebook and other third parties, that were not disclosed in privacy policies.
I learned about new security testing tools from this article that the researchers used, like Apktool and mitmproxy, to analyze the application code and investigate the network calls being made by each of the childcare apps, and she was surprised to find a number of easily fixable errors.
Link: https://www.theverge.com/2022/6/21/23177265/daycare-apps-dangerously-insecure-eff-brightwheel-tadpole-himama
Mitchell Dulaney says
“Vulnerability in Amazon Photos Android App Exposed User Information”
SecurityWeek reports that Checkmarx researchers identified a major flaw in the Amazon Photos application for Android devices that allowed attackers to access a variety of information or files belonging to users of the app. Checkmarx identified the flaw in November of 2021, and Amazon patched the security issue in December. The issue originated in the application’s manifest file. Prior to patching, when the manifest file was exported, a “misconfigured component” included in the manifest would allow attackers to steal an Amazon access token from the header of an HTTP request. What’s more, the destination server of the HTTP request could be adjusted so that attackers could route the token directly to a server within their control.
An Android phone with existing malicious code installed on it would be at risk of this access token being compromised. With the token, a criminal could access a variety of APIs, including the Amazon API and Amazon Drive API, thereby accessing personally identifying information or any files the end user saved to their Amazon Drive. This could easily facilitate a ransomware attack amongst other potential threats, and because of the nature of the access token, an attacker could have potentially gained access to other APIs not yet identified by the researchers. This is a prime example of security requirements not being defined or measured properly during Amazon’s software development process.
https://www.securityweek.com/vulnerability-amazon-photos-android-app-exposed-user-information
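To illustrate the pattern described in the post above (an exported Android component that takes its request destination from the incoming Intent and attaches the user's access token), here is an added Kotlin example; it is not Amazon's code, and the component, extra and host names are hypothetical. The weak form is shown commented out beside a hardened form that checks the destination against an allow-list before the credential leaves the app.

```kotlin
// Added illustration, not Amazon's code. Component, extra and host names are hypothetical.
//
// Weak manifest entry: any app on the device can start this Activity.
//   <activity android:name=".SyncActivity" android:exported="true">
//     <intent-filter><action android:name="com.example.action.SYNC"/></intent-filter>
//   </activity>
// Fix 1: set android:exported="false" if no other app needs to start it.
// Fix 2 (below): if it must stay exported, never let the Intent choose the
//   destination of a request that carries a credential.
import android.app.Activity
import android.os.Bundle
import java.net.HttpURLConnection
import java.net.URL

class SyncActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // When the component is exported, the caller (any app) controls this value.
        val requested = intent.getStringExtra("sync_url")
        val token = loadSessionToken()

        // VULNERABLE: the token is sent to whatever host the Intent names.
        // if (requested != null) Thread { sendWithToken(requested, token) }.start()

        // HARDENED: only an allow-listed HTTPS host may ever receive the token.
        if (requested != null && isAllowedDestination(requested)) {
            Thread { sendWithToken(requested, token) }.start() // network off the UI thread
        } else {
            finish() // untrusted destination: do nothing with the credential
        }
    }

    private fun loadSessionToken(): String = "PLACEHOLDER_TOKEN" // hypothetical secure storage
}

// Pure check, kept outside the Activity so it can be unit-tested.
// Parsing with java.net.URL means "https://api.example.com@evil.example/" yields host
// "evil.example" and is rejected, as is any subdomain-lookalike host.
fun isAllowedDestination(raw: String, allowedHosts: Set<String> = setOf("api.example.com")): Boolean {
    val url = try { URL(raw) } catch (e: Exception) { return false }
    return url.protocol == "https" && url.host.lowercase() in allowedHosts
}

private fun sendWithToken(target: String, token: String) {
    val conn = URL(target).openConnection() as HttpURLConnection
    try {
        conn.setRequestProperty("Authorization", "Bearer $token")
        conn.inputStream.close()
    } finally {
        conn.disconnect()
    }
}
```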
Antonio Cozza says
This week in security news, a major cryptography library, OpenSSL, was found to possess a high severity vulnerability now known as CVE-2022-2274, which can lead to remote code execution if left unpatched. The OpenSSL team was quick to release a patch for this vulnerability after it was reported to them by a PhD student at Xidian University, Xi Ruoyao. The recommended mitigation to safeguard against this CVE is to simply install the patch and upgrade to OpenSSL version 3.0.5. Ultimately, the vulnerability was the result of the RSA implementation, according to the OpenSSL team, who stated that during computation it could be weaponized by an attacker to gain RCE.
Antonio Cozza says
https://thehackernews.com/2022/07/openssl-releases-patch-for-high.html