Application Security

4/20/2015
11:30 AM
Rutrell Yasin
Rutrell Yasin
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

DHS: Most Organizations Need Improvement In Managing Security Risk

At a Department of Homeland Security Summit, government and corporate security teams are taken to task for failing to address critical issues of software assurance, testing and lifecycle support.

Government agencies and organizations in the private sector must place more emphasis on software analysis, testing and life-cycle support to mitigate threats exploiting known vulnerabilities and new avenues opened up by the use of open source and re-used software components, according to the Department of Homeland Security (DHS).

Joe Jarzombek, director for software and supply chain assurance with the DHS, made the remarks at the recent CISQ IT Risk Management and Cybersecurity Summit, and stated that federal agencies need dedicated teams to accomplish these tasks. The summit provided insights and best practices about how to mitigate vulnerabilities from a development and acquisition management perspective.

During the summit Jarzombek highlighted several trends affecting software development and acquisition, and advised organizations to address these as they plan out and implement security programs.

Security is the backbone of software assurance. Software quality, or managing the effects of unintentional defects in a component or system, has been a major focus in applying software assurance. Safety, another aspect of software assurance, is managing the consequences of unintentional defects. Security is the process of managing the consequences of attempted or intentional actions that are targeting exploitable construct processes or behaviors.

According to Jarzombek security is the part that organizations are not handling well today. He noted that basic ‘cyber hygiene’ including effective patch management is one of the keys to raising the bar of protection and completing the security loop. Data suggests that 80 percent of exploitable vulnerabilities are the result of a failure to install effective patch management programs, configuration management programs and software update programs.

Bob Dix, VP of Policy for Juniper Networks and a former House Oversight and Government Reform Committee member suggested there was a need for a global, comprehensive and sustained security awareness campaign. CISQ, an IT industry group, is one organization working to introduce a computable metrics standard for software quality at the source code level.

Third-party code and plug-ins are the achilles heel of web applications. Most software is composed of open source and reused components laden with known vulnerabilities, Jarzombek explained. That means that more software products and information, communications and technology (ICT) products with programmable logic are being pre-installed with malware. “Does that mean the developer had malicious intent?” Jarzombek asked. Not necessarily. The developers weren’t paying attention as they pulled down a module. To combat this, organizations need policies in place to identify these risks and thwart potential risk of attack.

SQL Injection and Cross-Scripting constitute the more frequent and dangerous vector of attacks. IT managers are deploying firewalls, intrusion prevention systems and demilitarized zones, but still wonder why their systems are compromised. They are being exploited at the “soft underbelly of the enterprise” – application software. People know about cross-scripting and SQL injection attacks, but don’t understand it. “Someone on your team should know exactly what [these attacks] do and what they are trying to exploit,” Jarzombek said. These attacks and their exploits are known as common weakness enumeration (CWE). The attacks and how to defend against them can be found in a free online community dictionary hosted by Mitre Corp. and sponsored by the Homeland Security Department.

The supply chain is emerging as a favorite attack target. This trend opens up the door for more tainted products with malware and exploitable weaknesses being passed onto enterprises and consumers. The world is increasingly dependent on a global supply chain that uses globally-sourced ICT hardware, software, and services. These products and services have varying levels of development and outsourcing controls and varying levels of acquisition due-diligence as well as a lack of transparency in the process chain of custody.

One fix is for organizations to familiarize themselves with identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. Both the National Institute of Standards and Technology (NIST) (Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations) and the DHS (Software Supply Chain Risk Management and Due-Diligence) have published useful guides on this topic.

The importance of software testing and lifecycle support. These measures are critical since no single automated security tool or method will be effective. A few years ago, DHS initiated the Car Wash program – “testing applications against exploitable weaknesses before we accept them” and “providing life-cycle support to check for new reported vulnerabilities and to make sure we stay updated with relevant patches”, said Jarzombek.

Attendees at the summit shared specific lessons-learned through the application of a disciplined methodology, supplemented by a suite of tools implemented by skilled practitioners. One concept discussed was the concept of software code quality checking (SCQC), which scans source code, executables and related artifacts to ensure that a system under review can continue with development, demonstration and testing. The Department of Defense noted that on its better systems they go through five test cycles, basically working out bugs in the code not functional defects. The department’s IT specialists then look at the code to see whether it merits further evolution throughout the process, and can meet performance, maintainability and usability requirements within cost, schedule and other system constraints.

Focus on sharing. As government and industry establish more information sharing and analysis centers to counter cyber threats, the focus should be on more than the threats and blocking them but on what, those threats are attempting to exploit. Earlier technical testing can help, and finding the easiest practical exercise within that security ring to achieve as much security as possible is the best solution. “We have to talk of the associated attack patterns and exploit targets along with mitigating courses of action in terms that are machine-exchangeable, so we can share this information at wire speed (based on organizational sharing policies),” Jarzombek cautioned .

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.