Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

3/25/2020
02:00 PM
Shahar Sperling
Shahar Sperling
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Do DevOps Teams Need a Company Attorney on Speed Dial?

In today's regulatory and legislative environment, companies and individuals are exposed to lawsuits over security breaches, resulting in significant fines and ending careers.

To err is human, and developers writing code err as often as any other humans. The industry average for programmers, in fact, is as many as 70 errors per 1,000 lines of code. Testing looks for errors and tries to catch as many as possible before a product goes to market.

Before releasing their applications, companies will test functionality, as errors in functionality could result in customer dissatisfaction and be embarrassing for the company. This could have a negative effect on sales and the organization's market position.

However, testing needs to be done on security issues as well. While releasing a functionally poor application could be embarrassing and bad for sales, releasing a vulnerable application can have far greater consequences. In today's regulatory and legislative environment, companies, as well as individuals, are exposed to lawsuits over security breaches, resulting not only in significant fines but the end of careers.

It seems that almost every data breach becomes fodder for legal action. In one of the biggest cases in recent years, international hotel chain Marriott faces numerous class-action lawsuits (some are still pendingover a data breach in which information from some 500 million guest records ended up in the hands of hackers. Investigators determined that the 2018 leak was likely due to a remote access Trojan ending up on the server that held the records, which allowed hackers to take control of admin accounts.

The trouble began when Marriott acquired hotel chain Starwood and continued using its reservation system. Between the chaos of trying to get a handle on the Starwood data and the continued use of an old, malware-laden system — and the elimination of the jobs of many of the Starwood IT staff — Marriott was charged with negligence in securing its data, leading to the wave of lawsuits. It's estimated that the breach, including settlements, legal fees, etc., has cost the company around $30 million in direct costs, in addition to a fine of £99 million imposed by the European Union under GDPR statutes. And that doesn't include the potential lost revenue due to customers shying away from a chain where customer data has been compromised by hackers multiple times.

The Marriott case is one of many. In another recent example, franchisees who own Snap Fitness outlets are suing the mother company for requiring them to purchase club management software, which turned out to be flawed, subjecting them to ransomware attacks. Because of the bad code that they were forced to utilize, "the franchisees lost all their data and the ability to operate their clubs for 13 days, causing all Snap Fitness franchisees to suffer significant losses of revenues, profits, and club members."

Lawsuits aren't confined to dissatisfied tech partners. In a twist, company shareholders are suing support firm Zendesk for what they allege is an attempt to cover up a 2016 security breach. News of that breach only came out in October 2019, and it followed a poor showing in second-quarter financial results for the company. By failing to disclose the breach, investors who bought shares in the firm between 2016 and the revelation of the breach were in essence defrauded, the lawsuit contends, because the revelation of the breach is likely to drive down the price of their shares. Zendesk officials took advantage of the cover-up, the plaintiffs say, to "cash in, selling approximately 409,000 of their personally held Zendesk shares, reaping more than $32.7 million in proceeds."

The lawsuit was filed recently, but it's likely to discuss not just the fraud aspects of the allegation, but the nature of the breach — which, as Zendesk is a software firm, may include security holes in its software.

Face it, mistakes are going to happen — and in the DevOps environment, it's crucial to find those mistakes as early in the development cycle as possible.  

However, many of the mistakes that teams are looking for are the ones that affect program functionality. Searching for mistakes that could lead to breaches and hacker attacks, while even more crucial, often does not get the same priority. A button that does the wrong thing may get complaints from customers, along with a good dose of embarrassment on social media, but it's unlikely to land the company in a courtroom facing tens of millions of dollars in liability. A security vulnerability that goes undetected, on the other hand, could.

When DevOps teams are reviewing the pipeline, they may want to invite someone from the legal department in to the discussion, just to make sure everyone knows what's at stake. There is no time like the present to evaluate your DevSecOps, to make sure every effort has been made to find any issues. That's the differentiator between a negligence suit and no suit at all, and between a bankrupting-sized fine to a slap on the wrist.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Three Ways Your BEC Defense Is Failing & How to Do Better."

Shahar Sperling is the Chief Architect at HCL AppScan. He has had 23 years of experience in professional software development, spending the last 13 years with the AppScan team, developing various products and technologies. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...