To Protect Enterprise Data, Secure the Code

Responsibility for securing enterprise applications has been moving down the development lifecycle, and for good reason. It not only makes the enterprise more secure, but also saves companies time and money.

For example, the average time to fix a vulnerability in IBM’s application security solution has dropped from 20 hours to 30 minutes, according to a study Forrester Consulting released last month.

Also, finding bugs earlier rather than later in the development process resulted in a 90 percent cost savings, the study indicated.

Not My Job

If security at the application creation level is going to gain traction, however, it’s going to require a change in the attitude on the part of developers.

“Developers don’t inherently think about security — they’re paid to ship code,” said Rami Essaid, CEO of Distil Networks.

“We’ve been saying that developers should write good code for the last 20 years, yet nothing happens,” he told TechNewsWorld.

Moreover, even if an organization can get its developers to write more secure code, it’s still at the mercy of coders who are out of its control.

“We live in a much more complex software environment than ever before. A lot of open source tools are used. We’re using a lot of plug-in software. We’re using a lot of stuff that we don’t write the code for,” Essaid explained.

“You can’t say, ‘we’ll write better code and secure our borders,’ because you’re relying on a much bigger network than what you can write,” he pointed out.

Multiple Levels of Protection

Application security testing is a critical part of securing the enterprise, but it’s only one part of the solution.

“Security testing is part of a more complete process of the secure software development lifecycle,” said Cybereason’s Barak.

The process must start with the application architecture and continue through the design, quality assurance and testing phase into the deployment phase, he added. However, security also needs to be applied to the infrastructure on which the application will be deployed.

“You can never cover all application vulnerabilities,” Barak said, “so you have to have a system in place to detect when abnormal usage of the application infrastructure is being performed.”

Breach Diary

  • August 8. Newkirk Products, maker of identity cards for insurers, has suffered a data breach placing at risk personal information of half a million customers of healthcare provider CDPHP and 70,000 customers of BlueShield of Northeastern New York, Albany Business Review reports.
  • August 9. U.S. Office of Personnel Management announces David De Vries will join the agency as its permanent CIO. De Vries is currently principal deputy CIO at the U.S. Defense Department. Last year, information related to 22 million people was stolen from the OPM.
  • August 10. Provision Supply, doing business as EZcontactsUSA.com, agrees to pay New York state $100,000 as a penalty for lax security practices, which led to a data breach that potentially exposed 25,000 credit card numbers and other cardholder information.
  • August 10. Advocate Health Care, based in Illinois, agrees to pay a $5.5 million penalty to the federal government for failing to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities” of its electronic protected health information.
  • August 10. Oracle confirms that more than 300,000 cash registers sold by the company around the world are affected by a data breach at its MICROS retail unit.
  • August 10. LeakedSource.com reports game forums at Dota2 have been hacked and nearly two million records containing user information stolen.
  • August 12. Sage, a UK provider of accounting and payroll services, notifies some 200 customers that their confidential information, including employee bank account details and salary information, may have been compromised in a data breach.
  • April 12. Apple appeals ruling by federal district court judge that permits class action lawsuit against company for distributing Path app, which acquired contacts information from users without their consent.

Upcoming Security Events

  • August 23. Sqrrl and HPE: Threat Hunting for ArcSight Users. 2 p.m. ET. Webinar sponsored by Sqrrl. Free with registration.
  • Aug. 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
  • Sept. 7. FTC Fall Technology Series: Ransomware. 1 p.m. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
  • Sept. 7-8. International Cyber Security & Intelligence Conference. Ontario College of Management and Technology, 510-240 Duncan Mill Rd., Toronto, Ontario, Canada. Registration: students, $400.01; others, $700.
  • Sept. 8. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Cincinnati, Ohio. Registration: conference pass, $195; SecureWorld plus, $625; exhibits and open sessions, $30.
  • Sept. 10. B-Sides Augusta. J. Harold Harrison MD, Education Commons, 1301 R.A. Dent Blvd., Augusta, Georgia. Tickets: $20.
  • Sept. 14-15. SecureWorld Detroit. Ford Motor Conference and Event Center, 1151 Village Rd., Dearborn, Michigan. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Sept. 15. B-Sides St. John’s. Capital Hotel, 208 Kenmount Rd., St. John’s, Newfoundland, Canada. Free with registration.
  • Sept. 17. B-Sides St. Louis. Moolah Shrine, St. Louis, Missouri. Free.
  • Sept. 19-21. Iovation Presents Fraud Force “Fast Forward.” Portland Armory, 128 NW Eleventh Ave., Portland, Oregon. Tickets: $495.
  • Sept. 21. New York Cyber Security Summit. Grand Hyatt New York, 109 E. 42nd St., New York, New York. Registration: $250.
  • Sept. 26-28. The Newport Utility Cybersecurity Conference. Pell Center and Ochre Court, Salve Regina University, Newport, Rhode Island. Registration: before July 26, $1,200; after July 25, $1,600.
  • Sept. 27-28. SecureWorld Dallas. Plano Centre, 2000 E. Spring Creek Pkwy., Plano, Texas. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Sept. 29-30. B-Sides Ottawa. RA Centre, 2451 Riverside Drive, Ottawa, Canada. Free with registration.
  • Oct. 5-6. SecureWorld Denver. Colorado Convention Center, 700 14th St., Denver. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.
  • Oct. 18. IT Security and Privacy Governance in the Cloud. 1 p.m. ET. Webinar moderated by Rebecca Herold, The Privacy Professor. Free with registration.
  • Oct. 18-19. Edge2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before Aug. 15, $250; after Aug. 15, $300; educators and students, $99.
  • Oct. 18-19. SecureWorld St. Louis. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.
  • Oct. 27. SecureWorld Bay Area. San Jose Marriott, 301 S. Market St., San Jose, California. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before September 3, £1,199 with VAT; before Oct. 29, £1,559 with VAT; after Oct. 28, £1,799 with VAT.
  • Nov. 9-10. SecureWorld Seattle. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.

Machine Learning

Forging more secure code during the application development stage will be more attractive to code warriors if the tools they’re given to do it are easier to use.

For instance, tools that can use machine learning to ferret out defects and repair them without human intervention would lighten the load on developers who find security testing a chore.

“Developers should have something that checks code for security problems like spellcheck works in Microsoft Word,” suggested Chandra Rangan, vice president for marketing at HP Enterprise.

“When these machine learning systems are introduced, one of their first uses will be testing software,” said Amol Sarwate, director of vulnerability labs at Qualys.

“Slowly, as confidence in the systems increases, they will be deployed on software after it’s released to provide even more protection,” he told TechNewsWorld.

Spellcheck for Code

There are advantages to moving security practices closer to the beginning of the software development cycle. “The earlier you do it, the more effective you will be, and the cheaper it will be to produce the software,” HPE’s Rangan told TechNewsWorld.

Automating checks for security flaws in code allows errors to be found in a timely way.

“If you’re finding problems when the software is already working, you’re going to have a hard time fixing them, because you’ve passed most of the lifecycle stages,” said Israel Barak, CISO of Cybereason.

“Going back to the drawing board is going to be extremely expensive,” he told TechNewsWorld.

Human Factor

While more secure coding will better protect applications from attack, it too has limitations.

“As long as you’ve got humans designing logic, writing software and building systems, you’re going to have vulnerabilities,” said Ram Mohan, chief technology officer at Afilias.

What’s more, vulnerability protection might not scale.

“Vulnerabilities you think you may have protected your software [against] at one scale may show problems when the scale is increased by an order of magnitude,” Mohan told TechNewsWorld.

“That’s coming with IoT,” he added.