Application Security

4/20/2015
11:30 AM
Rutrell Yasin
Rutrell Yasin
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

DHS: Most Organizations Need Improvement In Managing Security Risk

At a Department of Homeland Security Summit, government and corporate security teams are taken to task for failing to address critical issues of software assurance, testing and lifecycle support.

Government agencies and organizations in the private sector must place more emphasis on software analysis, testing and life-cycle support to mitigate threats exploiting known vulnerabilities and new avenues opened up by the use of open source and re-used software components, according to the Department of Homeland Security (DHS).

Joe Jarzombek, director for software and supply chain assurance with the DHS, made the remarks at the recent CISQ IT Risk Management and Cybersecurity Summit, and stated that federal agencies need dedicated teams to accomplish these tasks. The summit provided insights and best practices about how to mitigate vulnerabilities from a development and acquisition management perspective.

During the summit Jarzombek highlighted several trends affecting software development and acquisition, and advised organizations to address these as they plan out and implement security programs.

Security is the backbone of software assurance. Software quality, or managing the effects of unintentional defects in a component or system, has been a major focus in applying software assurance. Safety, another aspect of software assurance, is managing the consequences of unintentional defects. Security is the process of managing the consequences of attempted or intentional actions that are targeting exploitable construct processes or behaviors.

According to Jarzombek security is the part that organizations are not handling well today. He noted that basic ‘cyber hygiene’ including effective patch management is one of the keys to raising the bar of protection and completing the security loop. Data suggests that 80 percent of exploitable vulnerabilities are the result of a failure to install effective patch management programs, configuration management programs and software update programs.

Bob Dix, VP of Policy for Juniper Networks and a former House Oversight and Government Reform Committee member suggested there was a need for a global, comprehensive and sustained security awareness campaign. CISQ, an IT industry group, is one organization working to introduce a computable metrics standard for software quality at the source code level.

Third-party code and plug-ins are the achilles heel of web applications. Most software is composed of open source and reused components laden with known vulnerabilities, Jarzombek explained. That means that more software products and information, communications and technology (ICT) products with programmable logic are being pre-installed with malware. “Does that mean the developer had malicious intent?” Jarzombek asked. Not necessarily. The developers weren’t paying attention as they pulled down a module. To combat this, organizations need policies in place to identify these risks and thwart potential risk of attack.

SQL Injection and Cross-Scripting constitute the more frequent and dangerous vector of attacks. IT managers are deploying firewalls, intrusion prevention systems and demilitarized zones, but still wonder why their systems are compromised. They are being exploited at the “soft underbelly of the enterprise” – application software. People know about cross-scripting and SQL injection attacks, but don’t understand it. “Someone on your team should know exactly what [these attacks] do and what they are trying to exploit,” Jarzombek said. These attacks and their exploits are known as common weakness enumeration (CWE). The attacks and how to defend against them can be found in a free online community dictionary hosted by Mitre Corp. and sponsored by the Homeland Security Department.

The supply chain is emerging as a favorite attack target. This trend opens up the door for more tainted products with malware and exploitable weaknesses being passed onto enterprises and consumers. The world is increasingly dependent on a global supply chain that uses globally-sourced ICT hardware, software, and services. These products and services have varying levels of development and outsourcing controls and varying levels of acquisition due-diligence as well as a lack of transparency in the process chain of custody.

One fix is for organizations to familiarize themselves with identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. Both the National Institute of Standards and Technology (NIST) (Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations) and the DHS (Software Supply Chain Risk Management and Due-Diligence) have published useful guides on this topic.

The importance of software testing and lifecycle support. These measures are critical since no single automated security tool or method will be effective. A few years ago, DHS initiated the Car Wash program – “testing applications against exploitable weaknesses before we accept them” and “providing life-cycle support to check for new reported vulnerabilities and to make sure we stay updated with relevant patches”, said Jarzombek.

Attendees at the summit shared specific lessons-learned through the application of a disciplined methodology, supplemented by a suite of tools implemented by skilled practitioners. One concept discussed was the concept of software code quality checking (SCQC), which scans source code, executables and related artifacts to ensure that a system under review can continue with development, demonstration and testing. The Department of Defense noted that on its better systems they go through five test cycles, basically working out bugs in the code not functional defects. The department’s IT specialists then look at the code to see whether it merits further evolution throughout the process, and can meet performance, maintainability and usability requirements within cost, schedule and other system constraints.

Focus on sharing. As government and industry establish more information sharing and analysis centers to counter cyber threats, the focus should be on more than the threats and blocking them but on what, those threats are attempting to exploit. Earlier technical testing can help, and finding the easiest practical exercise within that security ring to achieve as much security as possible is the best solution. “We have to talk of the associated attack patterns and exploit targets along with mitigating courses of action in terms that are machine-exchangeable, so we can share this information at wire speed (based on organizational sharing policies),” Jarzombek cautioned .

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...
CVE-2018-16515
PUBLISHED: 2018-09-18
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVE-2018-16794
PUBLISHED: 2018-09-18
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.