Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/20/2015
11:30 AM
Rutrell Yasin
Rutrell Yasin
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

DHS: Most Organizations Need Improvement In Managing Security Risk

At a Department of Homeland Security Summit, government and corporate security teams are taken to task for failing to address critical issues of software assurance, testing and lifecycle support.

Government agencies and organizations in the private sector must place more emphasis on software analysis, testing and life-cycle support to mitigate threats exploiting known vulnerabilities and new avenues opened up by the use of open source and re-used software components, according to the Department of Homeland Security (DHS).

Joe Jarzombek, director for software and supply chain assurance with the DHS, made the remarks at the recent CISQ IT Risk Management and Cybersecurity Summit, and stated that federal agencies need dedicated teams to accomplish these tasks. The summit provided insights and best practices about how to mitigate vulnerabilities from a development and acquisition management perspective.

During the summit Jarzombek highlighted several trends affecting software development and acquisition, and advised organizations to address these as they plan out and implement security programs.

Security is the backbone of software assurance. Software quality, or managing the effects of unintentional defects in a component or system, has been a major focus in applying software assurance. Safety, another aspect of software assurance, is managing the consequences of unintentional defects. Security is the process of managing the consequences of attempted or intentional actions that are targeting exploitable construct processes or behaviors.

According to Jarzombek security is the part that organizations are not handling well today. He noted that basic ‘cyber hygiene’ including effective patch management is one of the keys to raising the bar of protection and completing the security loop. Data suggests that 80 percent of exploitable vulnerabilities are the result of a failure to install effective patch management programs, configuration management programs and software update programs.

Bob Dix, VP of Policy for Juniper Networks and a former House Oversight and Government Reform Committee member suggested there was a need for a global, comprehensive and sustained security awareness campaign. CISQ, an IT industry group, is one organization working to introduce a computable metrics standard for software quality at the source code level.

Third-party code and plug-ins are the achilles heel of web applications. Most software is composed of open source and reused components laden with known vulnerabilities, Jarzombek explained. That means that more software products and information, communications and technology (ICT) products with programmable logic are being pre-installed with malware. “Does that mean the developer had malicious intent?” Jarzombek asked. Not necessarily. The developers weren’t paying attention as they pulled down a module. To combat this, organizations need policies in place to identify these risks and thwart potential risk of attack.

SQL Injection and Cross-Scripting constitute the more frequent and dangerous vector of attacks. IT managers are deploying firewalls, intrusion prevention systems and demilitarized zones, but still wonder why their systems are compromised. They are being exploited at the “soft underbelly of the enterprise” – application software. People know about cross-scripting and SQL injection attacks, but don’t understand it. “Someone on your team should know exactly what [these attacks] do and what they are trying to exploit,” Jarzombek said. These attacks and their exploits are known as common weakness enumeration (CWE). The attacks and how to defend against them can be found in a free online community dictionary hosted by Mitre Corp. and sponsored by the Homeland Security Department.

The supply chain is emerging as a favorite attack target. This trend opens up the door for more tainted products with malware and exploitable weaknesses being passed onto enterprises and consumers. The world is increasingly dependent on a global supply chain that uses globally-sourced ICT hardware, software, and services. These products and services have varying levels of development and outsourcing controls and varying levels of acquisition due-diligence as well as a lack of transparency in the process chain of custody.

One fix is for organizations to familiarize themselves with identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. Both the National Institute of Standards and Technology (NIST) (Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations) and the DHS (Software Supply Chain Risk Management and Due-Diligence) have published useful guides on this topic.

The importance of software testing and lifecycle support. These measures are critical since no single automated security tool or method will be effective. A few years ago, DHS initiated the Car Wash program – “testing applications against exploitable weaknesses before we accept them” and “providing life-cycle support to check for new reported vulnerabilities and to make sure we stay updated with relevant patches”, said Jarzombek.

Attendees at the summit shared specific lessons-learned through the application of a disciplined methodology, supplemented by a suite of tools implemented by skilled practitioners. One concept discussed was the concept of software code quality checking (SCQC), which scans source code, executables and related artifacts to ensure that a system under review can continue with development, demonstration and testing. The Department of Defense noted that on its better systems they go through five test cycles, basically working out bugs in the code not functional defects. The department’s IT specialists then look at the code to see whether it merits further evolution throughout the process, and can meet performance, maintainability and usability requirements within cost, schedule and other system constraints.

Focus on sharing. As government and industry establish more information sharing and analysis centers to counter cyber threats, the focus should be on more than the threats and blocking them but on what, those threats are attempting to exploit. Earlier technical testing can help, and finding the easiest practical exercise within that security ring to achieve as much security as possible is the best solution. “We have to talk of the associated attack patterns and exploit targets along with mitigating courses of action in terms that are machine-exchangeable, so we can share this information at wire speed (based on organizational sharing policies),” Jarzombek cautioned .

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26788
PUBLISHED: 2021-03-08
Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthentic...
CVE-2021-23351
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.