Identifying the enemy within

Your company software may be the fatal weakness that allows hackers entry to the system to wreak havoc on your business

A hacker’s entry point into your organisation may well be the very software on which your business depends.

The 2011 Global Information Security Workforce Study by Frost and Sullivan for industry group (ISC)2 listed application vulnerabilities as the top threat to organisations. They came above more high-profile concerns such as mobile devices and social media.

Meanwhile, the recent study by Creative Intellect Consulting, State of Secure Application Lifecycle Management, carried out with (ISC)2 and the International Association of Software Architects (IASA), found that only a quarter of organisations follow secure coding practices rigorously, and a similar proportion barely at all. This is in spite of most having software lifecycle management processes in place.

The most highly publicised vulnerabilities tend to be in commonly used commercial software, although there’s comparatively little that users can do except to wait for the vendor to issue a patch. Yet the kinds of vulnerabilities that can destroy a business often lie within companies’ bespoke applications.

“Software is much more insecure than most people really understand,” says Jeff Williams, chair of the Open Web Application Security Project (OWASP). “The way the software marketis set up encourages insecure software. Software developers are encouraged to develop software very quickly: they’re put under tremendous time pressure to create functionality and when it works, they ship it.”

But at that stage they do not know whether it can be abused, he points out. “Many organisations don’t do nearly the level of verification and testing they ought to do to ensure that what they’re producing is resilient.”

It’s not a developer problem, however, but one that runs throughout companies. “There is a mindset issue,” says Alessandro Moretti, a member of the (ISC)2 board. “The mindset of developers and IT management is not geared towards delivering secure software.”

?Start thinking about how you can address software security from a strategic perspective so that it’s part of the dynamics of your organisation? – Rotib

At the heart of the problem is a failure by firms to look at their software in the context of risk management.

According to Bola Rotibi, author of the Creative Intellect study: “When organisations start to rely heavily and see software systems as a driver to help their business growth and business agility, then software security is something that, if compromised, will compromise the whole strategy for growth.”

The lack of proper risk analysis means that firms can’t identify the potential consequences in terms of business value.

“I think a lot of business managers look at software security and think that either they are forced to do it from a compliance and regulation point of view or it’s a technology hygiene factor of ‘well, of course we want security’,” says Rotibi. “But if they actually do the proper risk assessment, that allows them to have a business focus, not just a technology focus.”

So what if you’re sitting on a potential time-bomb? It’s unlikely you have the resources to retrospectively test every bit of software you’re using.

“As with any problem, you have to break it down into manageable chunks,” says Moretti. “You have to apply risk management principles to understand what your key processes are.”

Many firms will be tempted to start with their web-facing applications. A Ponemon Institute study, published in February 2011, showed that 93 per cent of organisations had been hacked at least once through their web applications, although the problem is wider.

“We see lots of flaws in rich client apps and even mainframe apps,” says Williams. “But I think the web is a good place to start.”

There are models on which you can base your assessments, including OWASP’s Open Software Assurance Maturity Model (OpenSAMM). “The idea behind these models is that you compare your organisation to a set of best practices and find whether you are doing the right things,” says Williams. “It will show you where the gaps are and that will give you some kind of an action plan.”

Above all, companies need to change their culture.

“Start thinking about how you can address software security from a strategic perspective so that it’s part of your practice and workflows and a part of the dynamics of your organisation,” says Rotibi. “It’s not something special, it’s part of what you do every day.”

Tags: , , ,