September 17, 2018 by Marina Kelly
You’re probably aware of the massive data breach that Equifax suffered last year. To recap, it started with a vulnerability in the Apache Struts MVC framework: a vulnerability that Apache knew about, had created a patch for, and had announced the need to patch, but that Equifax failed to patch. Two months after Equifax should have fixed the vulnerability, hackers used it to access the system, exposing the records of over 150 million people and permanently damaging the credit firm’s reputation.
This scenario highlights a widespread issue. Even in organizations where cybersecurity is taken seriously, secure development is not always properly understood or prioritized. This is where the OWASP Top 10 comes in. OWASP (Open Web Application Security Project) regularly releases a list of the 10 “most critical security risks to web applications.” This list outlines what developers need to be aware of as they plan and create applications, web sites, and APIs, and assists them--as well as supervisors and other higher-ups--in understanding how to mitigate risk. The Top 10 is straightforward enough for laymen to understand, providing entire organizations with insight into the development process and a framework for accountability and security. Additionally, it serves to prioritize secure coding as an integral piece of a company’s framework, and the developer as an important stakeholder.
Which brings us to an important point: as a developer, your role is not to treat coding security as an isolated event. With your code forming the backbone of an organization’s applications, any weakness could expose the organization to attack even if other parts of the enterprise are secure. As a result, secure coding needs to be acknowledged and practiced within a broader information security mindset. This means more than mechanically following the Top 10, and more than minimal communication with the rest of the organization about plans or concerns; it means actively treating the work you do as an integral--perhaps the most integral--building block of total corporate security. The Top 10 list is meant to help accomplish this, but it will only succeed if you actively work to maintain this mindset.
If this all seems overwhelming, a great place to start is by integrating secure coding practices into your Software Development Lifecycle (SDLC). Resources like the Top 10 should figure prominently in the SDLC because they help remind developers which common flaws to look for and how to avoid them. The best SDLC is one that incorporates a security mindset. By its very nature, each step of the lifecycle prioritizes thought, careful examination, and an overall consideration for what the application or API is designed to do and how it’s supposed to work. It also comes with built-in checks and balances, meant to help developers avoid flaws and build consistently secure programs.
Developers can also help to create and advocate for a Configuration Management program. Configuration Management (CM) ensures that an organization is not only creating secure configurations for its software and hardware assets, but also maintaining them over time to reflect changes to systems. Experts recommend that, when components are brought into a project, developers apply policy controls to proactively address security vulnerabilities, especially for open-source components. They also recommend that components be provisioned from internal repositories, and that downloading components directly from the Internet not be allowed. CM is highly recommended by OWASP as a mitigation strategy.
Another great focal point is the creation and maintenance of a strong Patch Management Program. As per the Financial Services Information Sharing and Analysis Center (FS-ISAC), “Vulnerability patching is a difficult and resource-intense issue but is necessary to protect an organization's technology. Research indicates that while only 10% of known vulnerabilities are routinely exploited, enterprises continue to struggle to apply critical patches given IT resource constraints. We have all heard this before, yet we continue to see large incidents, breaches and ransomware where unpatched, vulnerable software was a central enabler of the attack.” This is another process that is strongly recommended by OWASP. If a robust Patch Management process had been properly followed by the developers at Equifax, it’s unlikely that the Apache Struts vulnerability would have slipped through the cracks for as long as it did.
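The two recommendations above (provision components only from approved internal repositories, and keep them at or above a patched baseline) can be enforced as a single automated policy check in the build pipeline. The script below is an added example written for this article, not code from OWASP, FS-ISAC, or Equifax. The manifest, the approved repository host, and every version threshold in it are constructed placeholders (the Struts threshold in particular is not a real advisory value); a real deployment would load the baseline from the organization's patch management records.

```python
"""Dependency policy check for a Configuration / Patch Management program.

Added example (not from the original article). All inputs are constructed:
a toy component manifest, one approved internal repository host, and a
placeholder patch baseline. Versions are compared as dotted integer tuples.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# CM policy (constructed): components may only be fetched from these hosts.
APPROVED_REPO_HOSTS = {"repo.internal.example"}

# Patch baseline (constructed placeholders, NOT real advisory thresholds):
# a component whose version is below its entry is flagged as unpatched.
MIN_PATCHED_VERSION = {
    "org.apache.struts:struts2-core": "2.5.99",  # placeholder threshold
    "com.example:widget-lib": "1.4.2",           # placeholder threshold
}


@dataclass(frozen=True)
class Component:
    name: str        # group:artifact style coordinate
    version: str     # dotted numeric version string
    source_url: str  # where the build resolved the artifact from


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.5.13' into (2, 5, 13); reject anything non-numeric."""
    parts = []
    for piece in v.split("."):
        if not piece.isdigit():
            raise ValueError(f"unsupported version format: {v!r}")
        parts.append(int(piece))
    return tuple(parts)


def check_component(c: Component) -> list[str]:
    """Return the policy violations for one component (empty list if clean)."""
    findings = []
    host = urlparse(c.source_url).hostname or ""
    if host not in APPROVED_REPO_HOSTS:
        findings.append(f"{c.name}: resolved from non-approved source {host!r}")
    minimum = MIN_PATCHED_VERSION.get(c.name)
    if minimum is not None and parse_version(c.version) < parse_version(minimum):
        findings.append(
            f"{c.name}: version {c.version} is below patched baseline {minimum}"
        )
    return findings


def check_manifest(components: list[Component]) -> dict[str, list[str]]:
    """Map each offending component name to its findings; clean ones are omitted."""
    return {c.name: f for c in components if (f := check_component(c))}


# Constructed sample manifest: one unpatched component, one clean component,
# and one pulled straight from the Internet instead of the internal repository.
SAMPLE_MANIFEST = [
    Component("org.apache.struts:struts2-core", "2.5.13",
              "https://repo.internal.example/maven2/struts2-core-2.5.13.jar"),
    Component("com.example:widget-lib", "1.4.2",
              "https://repo.internal.example/maven2/widget-lib-1.4.2.jar"),
    Component("com.example:util", "0.9.0",
              "https://downloads.example.org/util-0.9.0.jar"),
]

if __name__ == "__main__":
    for name, findings in check_manifest(SAMPLE_MANIFEST).items():
        for line in findings:
            print("POLICY VIOLATION:", line)
```

Run it as a pipeline step that fails the build when `check_manifest` returns anything; the patch baseline then becomes a living artifact that the Patch Management process updates as advisories arrive, rather than a list someone has to remember to consult.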
As developers, we are responsible for our companies’ security in a unique, and often overlooked, way. Prioritizing that responsibility, and using tools like the OWASP Top 10, will help us create more secure applications, web sites, and APIs by substantially investing in their protection and maintenance. When properly followed by all developers, this mindset will transform the way the organization as a whole thinks about development, and ensure better security throughout our organizations, from the bottom to the top.
To learn more about OWASP and the ways in which the Top 10 can help direct the way you code and prioritize programming as an important element of security, please view our recent webinar.