Application Security
4/20/2015
11:30 AM
Rutrell Yasin
Rutrell Yasin
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

DHS: Most Organizations Need Improvement In Managing Security Risk

At a Department of Homeland Security Summit, government and corporate security teams are taken to task for failing to address critical issues of software assurance, testing and lifecycle support.

Government agencies and organizations in the private sector must place more emphasis on software analysis, testing and life-cycle support to mitigate threats exploiting known vulnerabilities and new avenues opened up by the use of open source and re-used software components, according to the Department of Homeland Security (DHS).

Joe Jarzombek, director for software and supply chain assurance with the DHS, made the remarks at the recent CISQ IT Risk Management and Cybersecurity Summit, and stated that federal agencies need dedicated teams to accomplish these tasks. The summit provided insights and best practices about how to mitigate vulnerabilities from a development and acquisition management perspective.

During the summit Jarzombek highlighted several trends affecting software development and acquisition, and advised organizations to address these as they plan out and implement security programs.

Security is the backbone of software assurance. Software quality, or managing the effects of unintentional defects in a component or system, has been a major focus in applying software assurance. Safety, another aspect of software assurance, is managing the consequences of unintentional defects. Security is the process of managing the consequences of attempted or intentional actions that are targeting exploitable construct processes or behaviors.

According to Jarzombek security is the part that organizations are not handling well today. He noted that basic ‘cyber hygiene’ including effective patch management is one of the keys to raising the bar of protection and completing the security loop. Data suggests that 80 percent of exploitable vulnerabilities are the result of a failure to install effective patch management programs, configuration management programs and software update programs.

Bob Dix, VP of Policy for Juniper Networks and a former House Oversight and Government Reform Committee member suggested there was a need for a global, comprehensive and sustained security awareness campaign. CISQ, an IT industry group, is one organization working to introduce a computable metrics standard for software quality at the source code level.

Third-party code and plug-ins are the achilles heel of web applications. Most software is composed of open source and reused components laden with known vulnerabilities, Jarzombek explained. That means that more software products and information, communications and technology (ICT) products with programmable logic are being pre-installed with malware. “Does that mean the developer had malicious intent?” Jarzombek asked. Not necessarily. The developers weren’t paying attention as they pulled down a module. To combat this, organizations need policies in place to identify these risks and thwart potential risk of attack.

SQL Injection and Cross-Scripting constitute the more frequent and dangerous vector of attacks. IT managers are deploying firewalls, intrusion prevention systems and demilitarized zones, but still wonder why their systems are compromised. They are being exploited at the “soft underbelly of the enterprise” – application software. People know about cross-scripting and SQL injection attacks, but don’t understand it. “Someone on your team should know exactly what [these attacks] do and what they are trying to exploit,” Jarzombek said. These attacks and their exploits are known as common weakness enumeration (CWE). The attacks and how to defend against them can be found in a free online community dictionary hosted by Mitre Corp. and sponsored by the Homeland Security Department.

The supply chain is emerging as a favorite attack target. This trend opens up the door for more tainted products with malware and exploitable weaknesses being passed onto enterprises and consumers. The world is increasingly dependent on a global supply chain that uses globally-sourced ICT hardware, software, and services. These products and services have varying levels of development and outsourcing controls and varying levels of acquisition due-diligence as well as a lack of transparency in the process chain of custody.

One fix is for organizations to familiarize themselves with identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. Both the National Institute of Standards and Technology (NIST) (Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations) and the DHS (Software Supply Chain Risk Management and Due-Diligence) have published useful guides on this topic.

The importance of software testing and lifecycle support. These measures are critical since no single automated security tool or method will be effective. A few years ago, DHS initiated the Car Wash program – “testing applications against exploitable weaknesses before we accept them” and “providing life-cycle support to check for new reported vulnerabilities and to make sure we stay updated with relevant patches”, said Jarzombek.

Attendees at the summit shared specific lessons-learned through the application of a disciplined methodology, supplemented by a suite of tools implemented by skilled practitioners. One concept discussed was the concept of software code quality checking (SCQC), which scans source code, executables and related artifacts to ensure that a system under review can continue with development, demonstration and testing. The Department of Defense noted that on its better systems they go through five test cycles, basically working out bugs in the code not functional defects. The department’s IT specialists then look at the code to see whether it merits further evolution throughout the process, and can meet performance, maintainability and usability requirements within cost, schedule and other system constraints.

Focus on sharing. As government and industry establish more information sharing and analysis centers to counter cyber threats, the focus should be on more than the threats and blocking them but on what, those threats are attempting to exploit. Earlier technical testing can help, and finding the easiest practical exercise within that security ring to achieve as much security as possible is the best solution. “We have to talk of the associated attack patterns and exploit targets along with mitigating courses of action in terms that are machine-exchangeable, so we can share this information at wire speed (based on organizational sharing policies),” Jarzombek cautioned .

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.