Over a million developers have joined DZone.

Software Security Lessons Learned from the Uber - Federal Trade Commission Dust-Up

DZone's Guide to

Software Security Lessons Learned from the Uber - Federal Trade Commission Dust-Up

As surprising as it might seem, even software companies as big as Uber sometimes fail to implement proper security protocols, which can lead to a world of trouble.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

Although many start-ups suffer from a lack of security policies and procedures due to the perceived notion that other things need to take priority over security, it is not uncommon among more established organizations to lag in this area too. Even organizations that have security policies will often not have sufficiently detailed or up-to-date application security policies and procedures, resulting in weaker security and privacy. The Federal Trade Commission (FTC) announced [1] that Uber agreed to implement a comprehensive privacy program that requires independent, periodic audits done by an approved third-party because Uber failed to live up to claims that they took reasonable steps to protect personal data.

Weak or Non-Existent Security Practices

The FTC ruling noted that Uber security practices failed to provide reasonable security to prevent unauthorized access to clients' personal information in databases in an Amazon S3 Datastore. Engineers and programmers were not required to use distinct access keys to access personal information stored in the cloud. Instead, they used a single key that gave them full administrative access to all the data. Access to systems was not restricted based on employees' job functions. Multi-factor authentication was not required to access the data, and sensitive consumer information was stored in plaintext in database back-ups stored in the cloud. Until September 2014, Uber failed to have a written information security program and failed to implement reasonable security training and guidance.

Due Care Security Practices

When an organization makes claims about the security of their systems and data, they need to be backed up with written documentation (policies and procedures) and tangible actions to ensure that systems and data are sufficiently protected as per the claims. The FTC found that Uber's claims of implementing "...a strict policy prohibiting all employees at every level from accessing a rider or driver's data" and that "...access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis..." [2] were not accurate. There was a failure to implement sufficient "due care" security practices at that time to support the privacy and security claims.

Due care is a legal term of art, which "...refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances." [3]

Although there is no formal definition of what due care application security activities consist of, there is a large body of publicly available knowledge including the OWASP Top Ten and other regulations and standards that describe the types of controls and activities that should be done. [4] [5] [6]. Interestingly, the FTC, in other rulings, has specified the types of due care application security activities they are expecting. [7] [8]

Lessons Learned

Organizations should be reserved in making claims about security and privacy if they aren't being done in a manner that would be commensurate with reasonable expectations. Otherwise, it's important to ensure that security and privacy claims are actually being met with the appropriate level of security controls and procedures.

It's less expensive to build security in from the outset. As the FTC complaint noted, "Respondent could have prevented or mitigated the failures ... through relatively low-cost measures." Uber is now required to have an independent privacy audit every two years which will be expensive and time-consuming.

While there are countless things organizations can do to reduce software security risk, some high -impact ones include: limiting your attack surface, a primary tenant of security. This can be accomplished by applying the principle of least privilege in several ways. First, remove all software from clients and servers that aren't required. Consider Adobe Flash - it is found on almost every computer, and not usually necessary for day-to-day operations. Yet, it is riddled with security vulnerabilities and significantly expands your vulnerability footprint. Additionally, uninstall and disable features of software and services that aren't essential. For example, most Java vulnerability exploits are carried out via web browser plug-ins. Most browsers allow the ability to disable plugins in the security and privacy settings. Make this part of your Information Security policies and review.

Additional measures to reduce risk include:

  • Continuously grow and improve the application security program as the organization grows. Technologies, systems, and attacks are constantly changing, and the application security program needs to adapt to those changes.
  • Staff generally want to do the right thing, but they can only do so by having documented security policies and procedures that are comprehensive and up-to-date. General information security policies and procedures are not sufficiently detailed for development teams. You need to have more contextual and technology specific application security policies and procedures as well.
  • Since employees are needed to design, build, and test applications anyway, hire security-knowledgeable developers and testers or bring in consultants as temporary staff with the right application security skillsets. Make sure job descriptions include secure coding and testing requirements.
  • Where the team lacks deep security knowledge, provide role-based training to get them up to speed. This means providing an understanding of the kinds of attacks systems and data they are likely to encounter, how to architect secure systems, how to code securely, and how to conduct threat-based application security testing.
  • Ensure that software and systems are built using a consistent Software Development Lifecycle (SDLC) with security engineering activities integrated throughout, including threat modeling, code reviews, and penetration testing.
  • Institute a bug bounty program. Depending on the size of your teams and the amount of code, an internal test team may not be sufficient. A bug bounty program is part of a comprehensive plan and not an alternative for actual penetration testing.
  • Conduct scheduled security audits by third-party professionals who have the experience and neutrality to understand how your applications are putting you or your customers at risk.

The lessons from Uber are valuable for all types of organizations. Building secure software and protecting the critical data that it's storing and processing requires well-defined policies and procedures and a high-level mandate.

[1] The settlement: https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_decision_and_order.pdf

[2] The complaint: https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf

[3] http://definitions.uslegal.com/d/due-care/

[4] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

[5] https://blog.securityinnovation.com/new-york-state-adds-application-security-requirements-to-its-cybersecurity-regulation

[6] www.ipa.go.jp/files/000028853.pdf

[7] https://blog.securityinnovation.com/ftc-issues-sanctions-for-insecure-software

[8] https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

security ,security compliance ,insider threats

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}