Application Security

4/20/2015
11:30 AM
Rutrell Yasin
Rutrell Yasin
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

DHS: Most Organizations Need Improvement In Managing Security Risk

At a Department of Homeland Security Summit, government and corporate security teams are taken to task for failing to address critical issues of software assurance, testing and lifecycle support.

Government agencies and organizations in the private sector must place more emphasis on software analysis, testing and life-cycle support to mitigate threats exploiting known vulnerabilities and new avenues opened up by the use of open source and re-used software components, according to the Department of Homeland Security (DHS).

Joe Jarzombek, director for software and supply chain assurance with the DHS, made the remarks at the recent CISQ IT Risk Management and Cybersecurity Summit, and stated that federal agencies need dedicated teams to accomplish these tasks. The summit provided insights and best practices about how to mitigate vulnerabilities from a development and acquisition management perspective.

During the summit Jarzombek highlighted several trends affecting software development and acquisition, and advised organizations to address these as they plan out and implement security programs.

Security is the backbone of software assurance. Software quality, or managing the effects of unintentional defects in a component or system, has been a major focus in applying software assurance. Safety, another aspect of software assurance, is managing the consequences of unintentional defects. Security is the process of managing the consequences of attempted or intentional actions that are targeting exploitable construct processes or behaviors.

According to Jarzombek security is the part that organizations are not handling well today. He noted that basic ‘cyber hygiene’ including effective patch management is one of the keys to raising the bar of protection and completing the security loop. Data suggests that 80 percent of exploitable vulnerabilities are the result of a failure to install effective patch management programs, configuration management programs and software update programs.

Bob Dix, VP of Policy for Juniper Networks and a former House Oversight and Government Reform Committee member suggested there was a need for a global, comprehensive and sustained security awareness campaign. CISQ, an IT industry group, is one organization working to introduce a computable metrics standard for software quality at the source code level.

Third-party code and plug-ins are the achilles heel of web applications. Most software is composed of open source and reused components laden with known vulnerabilities, Jarzombek explained. That means that more software products and information, communications and technology (ICT) products with programmable logic are being pre-installed with malware. “Does that mean the developer had malicious intent?” Jarzombek asked. Not necessarily. The developers weren’t paying attention as they pulled down a module. To combat this, organizations need policies in place to identify these risks and thwart potential risk of attack.

SQL Injection and Cross-Scripting constitute the more frequent and dangerous vector of attacks. IT managers are deploying firewalls, intrusion prevention systems and demilitarized zones, but still wonder why their systems are compromised. They are being exploited at the “soft underbelly of the enterprise” – application software. People know about cross-scripting and SQL injection attacks, but don’t understand it. “Someone on your team should know exactly what [these attacks] do and what they are trying to exploit,” Jarzombek said. These attacks and their exploits are known as common weakness enumeration (CWE). The attacks and how to defend against them can be found in a free online community dictionary hosted by Mitre Corp. and sponsored by the Homeland Security Department.

The supply chain is emerging as a favorite attack target. This trend opens up the door for more tainted products with malware and exploitable weaknesses being passed onto enterprises and consumers. The world is increasingly dependent on a global supply chain that uses globally-sourced ICT hardware, software, and services. These products and services have varying levels of development and outsourcing controls and varying levels of acquisition due-diligence as well as a lack of transparency in the process chain of custody.

One fix is for organizations to familiarize themselves with identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. Both the National Institute of Standards and Technology (NIST) (Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations) and the DHS (Software Supply Chain Risk Management and Due-Diligence) have published useful guides on this topic.

The importance of software testing and lifecycle support. These measures are critical since no single automated security tool or method will be effective. A few years ago, DHS initiated the Car Wash program – “testing applications against exploitable weaknesses before we accept them” and “providing life-cycle support to check for new reported vulnerabilities and to make sure we stay updated with relevant patches”, said Jarzombek.

Attendees at the summit shared specific lessons-learned through the application of a disciplined methodology, supplemented by a suite of tools implemented by skilled practitioners. One concept discussed was the concept of software code quality checking (SCQC), which scans source code, executables and related artifacts to ensure that a system under review can continue with development, demonstration and testing. The Department of Defense noted that on its better systems they go through five test cycles, basically working out bugs in the code not functional defects. The department’s IT specialists then look at the code to see whether it merits further evolution throughout the process, and can meet performance, maintainability and usability requirements within cost, schedule and other system constraints.

Focus on sharing. As government and industry establish more information sharing and analysis centers to counter cyber threats, the focus should be on more than the threats and blocking them but on what, those threats are attempting to exploit. Earlier technical testing can help, and finding the easiest practical exercise within that security ring to achieve as much security as possible is the best solution. “We have to talk of the associated attack patterns and exploit targets along with mitigating courses of action in terms that are machine-exchangeable, so we can share this information at wire speed (based on organizational sharing policies),” Jarzombek cautioned .

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14084
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for MKCB, an Ethereum token. If the owner sets the value of sellPrice to a large number in setPrices() then the "amount * sellPrice" will cause an integer overflow in sell().
CVE-2018-14085
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for UserWallet 0x0a7bca9FB7AfF26c6ED8029BB6f0F5D291587c42, an Ethereum token. First, suppose that the owner adds the evil contract address to his sweepers. The evil contract looks like this: contract Exploit { uint public start; function swe...
CVE-2018-14086
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for SingaporeCoinOrigin (SCO), an Ethereum token. The contract has an integer overflow. If the owner sets the value of sellPrice to a large number in setPrices() then the "amount * sellPrice" will cause an integer overflow in sell(...
CVE-2018-14087
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for EUC (EUC), an Ethereum token. The contract has an integer overflow. If the owner sets the value of buyPrice to a large number in setPrices() then the "msg.value * buyPrice" will cause an integer overflow in the fallback functio...
CVE-2018-14088
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for STeX White List (STE(WL)), an Ethereum token. The contract has an integer overflow. If the owner sets the value of amount to a large number then the "amount * 1000000000000000" will cause an integer overflow in withdrawToFounde...