Every company that sells software as a product or relies on software to facilitate its way of working must have a solid understanding of software security. But where should you start?
A vast range of security issues could affect modern companies — from app security to international data privacy to geopolitically-motivated hacking attempts.
To help companies better understand software security vulnerabilities — and how to prevent them — we’ll provide four examples of real-life security breaches in large businesses. As well as describing the event in detail, we’ll suggest a few lessons you can learn from the breach to help you enhance the efficiency of your own security team.
4 Software Security Vulnerabilities (and What We Can Learn from Them)
In 2017, US-based credit reporting company Equifax suffered a catastrophic security breach that led to the personal details of 143 million Americans (more than 40% of the US population) being stolen from their database.
A key vulnerability was identified in Apache Struts, an open-source framework for developing websites used by thousands of companies — including Equifax. The vulnerability allowed hackers to “trick” Apache Struts into executing malicious code, which opened up the system to further intrusion.
The vulnerability used by the hackers was widely known, and a patch was available. However, due to what Equifax referred to as “a breakdown in internal processes”, the patch went unapplied. In plain English, this means it was the responsibility of a small team or a single individual to ensure all the relevant software was up to date. Those responsible either did not apply the update or applied it improperly, leading to the breach.
The key lesson is that procedure is just as important as security software — even if a fix is identified, someone still needs to apply it in a timely and efficient manner. Businesses need to reinforce the importance of regularly patching software (and security in general) as overlooking even minor updates could have dire consequences.
Additionally, this highlights that regular monitoring of an organisation’s software estate is vital: just because an issue has been identified and a team has been tasked with resolving it does not mean that it gets done.
Veeam is a US-based data management firm with over $1 billion USD in annual revenue. In 2018, a Veeam server containing millions of customers’ personal records was found to be publicly searchable and thus accessible to phishers, spammers, and other online scammers. The database was not password-protected and could be accessed by anyone who knew where to look online.
Over 200GB of data was on the server, including names, email addresses, and IP addresses. While not particularly sensitive on their own, these details can still be used by bad actors in the pursuit of gaining access to vital data like financial information.
Good software security means being constantly vigilant. Data forensics found the database was vulnerable for over a week without being noticed, and the problem wasn’t even identified internally. Veeam was alerted to this vulnerability by independent security researcher Bob Diachenko, who stumbled upon it while looking into similar database incidents.
Companies must regularly check and update the security of their databases to ensure they’re the first to know about a problem. As well as the obvious security concerns, being alerted to software security vulnerabilities by external individuals can damage a company’s reputation and diminish customer confidence.
One of the more recent security incidents involving a large corporation occurred in 2021, when a misconfiguration in Facebook’s contact importer allowed hackers to access the personal information of 533 million users, which was then publicly posted on a hacking forum.
Facebook’s parent company Meta responded quickly, saying that the vulnerability that allowed the data to be retrieved was actually a misconfiguration that had been resolved in 2019. Although the data was posted in 2021, it had been collected earlier, and the underlying vulnerability had already been fixed.
Misconfigurations are mistakes made by the people setting up the relevant server or service. If your team is unsure how to implement or build a particular system, the company needs to bring in staff with the right level of knowledge to do the job properly.
In particular, misconfigurations in cloud computing allow hackers significant access to your systems: 88% of US government agencies consider cloud misconfigurations to be a top software security threat. Building cloud-based systems requires a different knowledge base, so ensure you have a well-rounded team before taking on this type of project.
A significant vulnerability, since resolved, was identified in the widely used logging tool Log4j. The vulnerability, which may have gone unnoticed for months, allowed attackers to access systems using the tool, extract data, or take control of those systems themselves.
The wide usage of Log4j means that those unaware of the issue are still running older versions: although the vulnerability was identified in December 2021, 40% of users are still downloading code that includes old, unsecured versions of Log4j.
Third-party resources, no matter how popular or widely used, must be treated with caution. Although all software developers should know that open-source components must be vetted before use and updated frequently, the Log4j vulnerability highlighted that this is not always the case in practice.
Even the most common piece of open-source software could have a critical vulnerability. Team leaders need to monitor what resources the team uses or leverage automated tools to ensure software security vulnerabilities are identified quickly.
Enhance the Efficiency of Your Risk Analysis with BlueOptima
As we’ve shown, software security vulnerabilities can have serious consequences. With BlueOptima’s Code Insights tool, you can identify and eliminate those vulnerabilities early in the development process.
As well as identifying vulnerabilities, our Code Insights tool can prioritise issues, significantly reducing the cost of exposure by showing developers the areas of most and least concern.
If you’re interested in what BlueOptima can do for you, click here to request a free software composition analysis scan today.