Cyber Security Institute

Thursday, October 11, 2007

Bringing Security into the Development Process

Vendors and analysts warn that the open culture of application development can lead to security vulnerabilities and data leaks.  When it comes to data leaks, most of the talk is about hackers breaking into networks or employees e-mailing and downloading sensitive information.  But some vendors are paying more attention to the preproduction environment, where there are often security holes big enough to push a hard drive through.  “The development environment and quality assurance environment have always been…significantly more open and free,” said Louis Carpenito, former vice president of information security business strategy at Symantec.

“The risks that have been prevalent throughout the years have been mostly risks of Trojans being implanted, allowing individuals to come in and steal information or commit fraud,” Carpenito said.

With this in mind, vendors such as Gamma Enterprise Technologies and Fortify Software are looking to improve security in the development phase.

Gamma, based in Woodland Hills, Calif., offers a data obfuscation tool called InfoShuttle Data Security, to protect data in SAP development and test environments.  The tool accesses the InfoShuttle Content Library, a repository of SAP objects and relationships, to automatically detect all related fields deep in SAP’s data structures for identifying and masking confidential data.  In addition, it disguises data according to different rules, such as shuffling existing key fields and replacing data with unique generated numbers while maintaining consistency across multiple data tables, Gamma officials said.  “The development environment by its very nature is an open one with access granted to a wide range of in-house staff and often to outside contractors,” said Suzanne Swanson, executive vice president of Gamma.  “Enterprises really have to segment them off from the main network as a minimum, and make sure only strongly authenticated remote access is supported.”

Security researchers at Fortify Software reported in their Oct. 9 white paper, “Attacking the Build through Cross-Build Injection,” a class of security vulnerabilities they are calling cross-build injection.

While external dependencies and open-source components do not necessarily represent an unacceptable security risk, Fortify’s researchers demonstrate that they deserve proper vetting to ensure they do not compromise the security of applications that make use of them.

“When software that depends on external components is built, an attacker may either target the server that hosts the open-source component or the DNS server that the build system uses to resolve the name of the remote server,” Jacob West, security research group manager at Fortify, said in an interview with eWEEK.
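The defence that follows from West's description is to make the build refuse any component whose bytes differ from the copy that was vetted, regardless of which host or DNS answer the download came from. The example below is added here and is not from the Fortify paper or any real build tool; the package names, the artifacts and the two mirror functions are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class PinnedDependency:
    name: str
    version: str
    sha256: str  # hex digest recorded from the copy the team reviewed

class IntegrityError(Exception):
    pass

def verify_component(dep: PinnedDependency, payload: bytes) -> str:
    """Return the digest if the fetched bytes match the pin, else raise."""
    digest = hashlib.sha256(payload).hexdigest()
    if digest != dep.sha256:
        raise IntegrityError(
            f"{dep.name}=={dep.version}: pinned {dep.sha256[:12]}, got {digest[:12]}")
    return digest

def fetch_and_verify(pins, fetch):
    """fetch(name, version) -> bytes stands in for the build's download step
    (hypothetical). Whatever server the name resolved to, a component is only
    accepted when its bytes match the recorded pin."""
    accepted, rejected = {}, {}
    for dep in pins:
        payload = fetch(dep.name, dep.version)
        try:
            verify_component(dep, payload)
            accepted[dep.name] = payload
        except IntegrityError as err:
            rejected[dep.name] = str(err)
    return accepted, rejected

# Constructed sample artifacts (not real packages) and the pins taken from them.
VETTED = {
    ("goodlib", "1.0"): b"def helper():\n    return 42\n",
    ("otherlib", "2.1"): b"def other():\n    return 'ok'\n",
}
PINS = [PinnedDependency(n, v, hashlib.sha256(b).hexdigest())
        for (n, v), b in VETTED.items()]

def honest_mirror(name, version):
    return VETTED[(name, version)]

def substituted_mirror(name, version):
    # Models a hijacked host or DNS answer serving a modified otherlib 2.1.
    if name == "otherlib":
        return VETTED[(name, version)] + b"# lines someone else appended\n"
    return VETTED[(name, version)]
```

Running `fetch_and_verify(PINS, substituted_mirror)` accepts goodlib and rejects otherlib with a message naming the expected and observed digests, which is the signal a build pipeline should fail on rather than log and continue.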

Posted on 10/11