Information security & Importance – Part II
Driving Factors for Software Security
Many managers have the misconception that they test everything before software is delivered. They believe that firewall and SSL are perfect protective mechanisms for their applications. Many feel that if automated scanners are used to detect security problems, it will cover all security issues and the software can remain secure forever. Here are some risks due to insecure applications
- If corporate website is defaced then reputation is at stake
- If intranet applications are malfunctioning then operations are impacted
- Organization’s knowledge and IPR assets can be stolen
- Infrastructure management, configuration management, monitoring and services can be stopped which will lead to production losses
Attackers discovered sophisticated ways to exploit vulnerabilities into software in past few years. It is high time for managers to add security efforts into development cycle. Following are some of the reasons for increased awareness and push on software security investments:
When business is so much dependent on software and when software fails to preserve confidentiality, integrity and availability of business data; customers will lose their faith from such software and possibly from the IT management team also. If software developed through outsourcing, single instance of vulnerability exploitation could lead to contract cancellation. Such failures become an advantage for competitors and it becomes challenging to win new accounts.
It takes a huge amount of time and millions of rupees to build a brand and it just takes an incident to appear in the news to tarnish the brand. Companies impacted by cyber attacks suffer losses of 1%-5% immediately due to damage to the reputation.
With increasing legal and regulatory requirements for compliance, application risk management is in focus. Sarbanes-Oxley mandates compliance for any system, process or application that deals with the reporting of financial data. Most of the organizations store financial data in electronic form and access it via an application. Non-compliance may lead to huge fines or prosecution.
Maintaining privacy of user’s data became important due to various compliances around the world. Standards like HIPAA mandate privacy and security of protected health information. Applications that store / process / access health information need to comply with this standard. Non-compliance would lead to penalties and prosecution.
Data protection act and PCI DSS compliance possess significant penalty norms for companies who fail to deploy appropriate technical and organizational measures against accidental loss, destruction or damage to personal data. It also applies to unauthorized or unlawful processing of personal data. Such penalties reduce profit and impact the financials of the company.
Insecure software may lead to a financial breach or a fraud which can make the company financials look bad. Apart from lost business opportunities, labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources, legal cost associated with collection of forensic evidences and supporting law enforcement agencies will further spoil financials. Public relations consulting costs, satisfying customers queries, press & media management along with increased insurance premiums impacts financials heavily.
Why Businesses Pay Special Attention for Securing Software?
Most of the software in past had problems. They may or may not be tagged as security problem however they used to produce undesirable results under certain conditions. These days software security is getting attention from businesses that was never considered before. Following are major reasons:
There is a growing dependence of business on software systems. Most of the businesses automated their critical functions and with advent of net everything is accessible through net. Demand for rich functionality and usability increased program complexity by increasing number of lines written in multiple of thousands. Even legacy applications are ported on internet through web services. Personal information like insurance and health records stored into electronic format and managed using software. Online banking and shopping are way of life. Software that manages such businesses are integrated to provide end to end support. For such delicate systems, insecure software along with naive, careless or disgruntled employees is a bigger threat. Each automated process need equal or more amount of security.
To exploit a software weakness, adversary needs a path or access to software. Earlier attackers required physical access machines to exploit vulnerability however today software is available online and so as vulnerability. While you are sleeping, someone in the other part of the world is waking up to try exploiting your application. Accessibility has improved sophistication and widened opportunity window for attacks.
Extendability is one of the acceptance criteria for most of the software solutions and these days most of the software developed using component based model in mind. Plug-in architecture, dynamic call formation, variable inputs, program control based on user inputs, command formation depending on input type are natural choices to extend software however failure to verify input and trust causes software exploitation.
Software development and deployment technologies are growing very fast. Think about web applications, earlier applications were using cgi then php, asp and jsp, today frameworks like.Net and J2EE, HTML 5 are used. Before one technology matures another arrives. Before security issues related to one technology identified, a new loopholes are created.
Software development is no longer static task where one can address requirement with planned schedule, budget and infrastructure; expectations are increased from software systems. To satisfy new complex functional requirements, new components large in number, complexity and size are to be over existing operational system and downtime is unacceptable. This whole gamut requires paradigm shift in how software are being developed.
Software Security Problem and Root Case for Software Insecurity
Meeting customer’s functional requirement takes top priority compared to security because functional requirements completion is visible. Most of the times, functional requirements are not analyzed properly to identify security requirements. Customer assumes that security is one of the delivery parameter and manager assumes that special security requirements are not written.
There is also a misunderstanding that developers always write secure code however facts is developers are never taught secure coding. They use sloppy coding practice (i.e. copy paste code from web) to meet functional requirements.
Sometimes ready-made application layer firewall is used to protect coding mistakes. They are in evolution phase and they provide security against few attacks.
Configuration mistakes are done by software administrators. They own software deployment process however they are not aware of program functionality so it is likely to happen that attacker will be either able to play with configurations or software.
Current state of software security is very depressing. Operating system vendors have reasonably improved security over a period of time so cyber criminals have moved their focus to application stack. There are very high chances that attackers will exploit a custom made application than operating system because it is more beneficial and easy.
Everyone’s involvement is required in deploying overall security program. Network security specialist try their best with firewalls and other mechanisms however if you ask them frankly, they will definitely admit that they are not confident about how these mechanisms will secure the software. They can’t because each software is ubiquitous in nature; they process different set of input/out and work on diverse platform.
At the same time developers lack maturity for secure development. There are no tools or processes available to develop secure applications. Adding complexity to above gap, with existing frameworks it is difficult to build secure application.
Developers with secure programming skills are needed to build secure application. They are assets to the team. They address security issues during various phases of development life cycle. They amend vulnerabilities. Many a times they work as liaison between application development and security team. They also sell security to management.
Adopting Software Security is a Challenge?
We are delivery centric industry. We try to achieve cost / schedule / quality metrics. We often forget that security is hidden expectation from customer. In enthusiasm of meeting deadline we sometime neglect security and a small loophole is used to compromise security.
Security is as strong as its weakest link. Software development is human intensive task; they can make security stronger or weaker. Dealing with human resource is a challenging and more interesting task compared to dealing with other resources. Every one has unique set of thinking, ambition and ego. Software security implementation enforces accountability for each task so uniform awareness is a key factor however Budget for security awareness is always under critical scrutiny as it is considered as operational expenditure not learning expenditure.
Another reason is reluctant to change and places where things are not happening in discipline manner lots of changes are required to make things secure. That is why security is inversely proportional to flexibility and usability.
Next to come up in the 3rd and concluding post in this series of Information security and importance, we talk about differences between Software security and Software quality & application security. We also throw some light on relation of security with other properties of software and finally we burst myths surrounding Software security. Don’t miss it!