Three Brass Monkeys

Why We Mustn't Take Security For Granted

Just because we "Hear No Evil, Speak No Evil and See No Evil" doesn't mean that it isn't there. This is how we should think when considering application security, the day you see an attack, you hear about an attack or are spoken to about an attack it's already too late. Not hearing about attacks is a good thing but not to be taken for granted. If you are a software house and one of your systems is attacked, this can be enormously damaging to the image of the company. It could if you haven't included certain disclaimers in your license agreement, be crippling for the company as you may also be liable for damages.

For all you know you may already have been hacked and not even know it, if the hacker was good, only when you start to take security seriously and look might you discover.

Is Legislation the Answer?

Currently, governments are talking about creating legislation to force software houses to give greater consideration to security.

What exactly that would mean is yet unclear because there isn't a clear line where you could say that the company is at fault, it would be very much open to interpretation. It may be that companies have to demonstrate that they have taken certain precautions for example:

• that they have implemented/used secure coding practices
• that they have certified members of staff that perform code reviews
• that they have used tools to analyze binaries or sources automatically

Perhaps it would only be applied in cases where the company is clearly negligent because they have not taken any precautions to protect the interests of their customers or maybe the laws will be more stringent.

It would be extremely difficult to lay the blame entirely at the feet of the software developers, where should the line be drawn. Often a product may rely on system libraries which may themselves have security holes and as such need updating regularly, at best the software house could release a bulletin averting the customer. Therefore, if the customer is not updating their systems responsibly they should equally be liable for any breaches that occur.

Likewise, everybody can make mistakes but if certain procedures have been put in place to try and alleviate any of these mistakes and the company can demonstrate paperwork to that effect then it may be that this is sufficient to demonstrate that the company isn't negligent.

You can read the points of view of a couple of others bloggers with regard to the question of legislation here and here

One thing is certain security needs to be taken more seriously with the ever increasing number of breaches that we are seeing.

What Precautions Should We Be Taking?

Things that we should certainly be doing to improve security in the industry are:

• Code Signing
• Encrypting Sensitive Data
• Secure Coding Practice Training
• Code reviews (NOT just functional)
• Static Analysis (Binary and Source)
• Penetration Testing
• Staying up to date on security advisories
• Logging to trace intrusions
• Log analysis/reporting
• Certification
• Single Sign-On (Kerberos/SAML/OAuth)

Things that customers should be doing to protect themselves:

• Encrypting their data
• Restricting Access
• Regular Backups (including off-site)
• Keeping libraries up to date
• Using a firewall
• Using an antivirus
• Using spam filters
• Using anti-phishing filters
• Training to protect against social engineering attacks.

This is just the tip of the iceberg but it's a start. As I become more informed in this area of expertise I will keep you up to date with the latest techniques.