The drive for efficiencies, lower overheads and digitization has meant software development has never been more important. However, that very drive is also becoming a potential security issue.
The days of bespoke programming, where code was specifically written for each project, are all but over, as increasingly complex products require huge amounts of programming. Those development and time costs aren’t low and, as a result, the software development industry has changed dramatically, with companies now using ‘off the shelf’ code alongside their own, internally written programming to handle tasks. And that’s a potential problem.
How do you vet the security of external scripts or code? How do you assess the internal security of the company that developed it? How does your company find out if third party programming was incorporated into a product?
These are questions that companies are now beginning to ask themselves in the wake of several attacks on systems via third party code.
Infosecurity Magazine has highlighted this weak link, noting that cyber criminals and APT groups have identified this area as one they can easily exploit, circumventing security in the process.
“Attackers have clearly identified this weakest link in the software supply chain – being able to breach high-profile companies without ever having to go near their servers or code. Witness the major attacks that took place last year, including the Magecart attacks on British Airways and Ticketmaster. The holy grail is to now target dependencies or scripts which are developed by third-parties and used by thousands of companies – something that we now have come to know as supply chain attacks.”
According to them, “The OWASP Top 10 Application Security Risks prominently features “Using Components with Known Vulnerabilities”, stating that “Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application.” With one single attack on a very small company or developer, attackers can breach thousands of major enterprises.”
The threat posed by third party code is becoming apparent to CISOs, and is growing. This week, security vulnerabilities in the peer-to-peer (P2P) software iLnkP2P were reported by Krebs on Security and picked up by the media. The issue could affect millions of Internet of Things (IoT) devices globally and, despite being reported to the Chinese developers, no fix has yet been announced.
Researchers suggest that the software vulnerability could allow hackers to access any IoT device using the iLnkP2P solution, from CCTV cameras to smart devices and baby monitors.
Although we do not know whether ‘off the shelf’ code was used, it does once again highlight the vulnerabilities faced by private individuals and companies due to the complexity and cost of bespoke coding, versus the quick and easy programming fix.
The threats posed by vulnerabilities in the software supply chain are likely to make headlines again later this year, when adoption of Strong Consumer Authentication (SCA) comes into force, as part of The Second Payment Services Directive (PSD2), announced by the EU in December 2015. The new rules will require additional layers of authentication for different types of transactions and there are almost certain to be teething issues, as retailers struggle to meet the new requirements. Will that lead to cut corners? We will have to wait and see…