Between Heartbleed, Shellshock and POODLE, 2014 was the year during which many businesses learned how vulnerable they are. As organisations across every industry increasingly rely on web, mobile and cloud applications to grow their businesses, the threat surface available to cyber attackers has dramatically expanded. At the same time, wide dependence upon open source has also opened up companies to the risk of cyber attacks by methods they didn’t even know were possible.
It’s not uncommon for the majority of applications to be composed of reusable open source and commercial third-party components such as libraries and frameworks (eg Struts2), because they help save time for developers and accelerate time-to-market. However, the use of reusable components with known vulnerabilities such as Heartbleed can also create critical cracks in an organisation’s security barriers.

With most businesses typically lacking visibility of the full breadth of their web application perimeters – let alone a comprehensive inventory of the components they rely on – finding and patching vulnerable applications is a difficult task. But with cyber criminals constantly scanning the internet looking for easily exploitable vulnerabilities, those companies that don’t seek them out stand no chance of finding them before they are breached.
This was the case for US-based healthcare provider Community Health Systems (CHS), which was breached in 2014 via the Heartbleed vulnerability. It is believed that Chinese cyber military units targeted the healthcare firm to perform cyber espionage about pharmaceutical trials and medical devices. Another potential motive was to steal personal health information and sell it on the black market to enable health insurance fraud or to blackmail particular individuals.
The Verizon Data Breach Investigations Report, released last year, found web application-layer vulnerabilities such as SQL injection to be the number one attack vector for successful data breaches (versus malicious email links or attachments, for example). The full gravity of this was felt in August when a breach by a Russian hacker ring amassed an enormous 1.2 billion username and password combinations and more than 500 million email addresses.
The question buyers of security products will be asking as we move into 2015 will be what can be done to reduce the risk of the next Heartbleed, Shellshock or POODLE. But as these vulnerabilities are almost limitless in number, the question becomes how to implement automated governance approaches to quickly identify and remove components with known vulnerabilities.
Software composition analysis (SCA), a term coined by Gartner, is a technique that will be crucial for businesses that wish to maximise the advantages of using reusable components without exposing themselves to unnecessary and potentially costly risks.
SCA creates an inventory of all components in your application portfolio (including their version numbers), whether they be open source, commercially developed, or private shared code used within an enterprise. It then identifies all components with known vulnerabilities, typically using a public database such as the National Vulnerability Database (NVD) from the US-based National Institute of Standards and Technology (NIST).
Frequently scanning all code for components that have known vulnerabilities using software composition analysis – in conjunction with static analysis, dynamic analysis and behavioural analysis (for mobile applications) – is emerging as a best practice for enterprises to ensure they are not at risk of critical application-layer vulnerabilities.
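To make the SCA workflow described above concrete, here is a small added illustration (not code from the article or from any Veracode product) of the core matching step: an extracted component inventory is checked against a vulnerability feed that lists affected version ranges, the way an NVD/CPE lookup would. The inventory, the advisories and their IDs are constructed sample data, not real NVD records or CVE numbers.

```python
"""Minimal software-composition-analysis (SCA) matcher, added as an illustration."""
import re

# Constructed inventory: (component, version) pairs an SCA tool would extract from a build.
INVENTORY = [
    ("openssl", "1.0.1f"),
    ("struts2", "2.3.16"),
    ("bash", "4.4"),
    ("commons-collections", "3.2.2"),
]

# Constructed advisories in the style of an NVD/CPE range: affected if lo <= version < hi.
# The IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "lo": "1.0.1", "hi": "1.0.1g"},
    {"id": "ADV-PLACEHOLDER-2", "component": "struts2", "lo": "2.0.0", "hi": "2.3.20"},
    {"id": "ADV-PLACEHOLDER-3", "component": "bash", "lo": "1.14", "hi": "4.3.30"},
]


def version_key(v):
    """Split a version into comparable parts: numeric tokens compare numerically,
    letter tokens (the 'f' in 1.0.1f) sort after the number they follow."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[a-zA-Z]+", v)]


def is_affected(version, lo, hi):
    """True when lo <= version < hi under the version_key ordering."""
    k = version_key(version)
    return version_key(lo) <= k < version_key(hi)


def find_vulnerable(inventory, advisories):
    """Return (component, version, advisory id) for every inventory entry in an affected range."""
    hits = []
    for name, version in inventory:
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["lo"], adv["hi"]):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{name} {version}: matches {adv}")
```

A production scanner replaces the constructed feed with the live NVD data and re-runs this matching every time the feed changes, which is the rescanning the article calls for.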
When adopting new cyber security tactics, such as SCA, experienced organisations are benefiting from the mentality that cyber security is never “done”. Rescanning as new vulnerabilities are discovered is essential. And if you don’t know what you’re looking for, you’ll never find it. To that end, we will likely never be able to completely prevent the exploitation of vulnerabilities by cyber attackers. However, provided that businesses are taking the necessary steps to continuously assess their security posture, we can significantly mitigate their impact.
Developers and security experts alike have worked hard to maintain the reputation of open source this year, despite the vulnerabilities to which it has exposed organisations. This relationship needs to continue to grow in 2015 and become increasingly mutually supportive.
Many developers who are conscious of these vulnerabilities are unable to make changes to the code and/or are unaware of updates addressing these flaws. Security experts need to share their expertise and provide secure alternatives for insecure components to help solve the problem at its core.
In 2014, we learned how vulnerable we really are. In 2015 we have the opportunity to work together to secure our frontiers and all our offerings, whether we’re a consumer, a developer, or a security expert.
Chris Wysopal is co-founder, CISO and chief technology officer of Veracode
