If you love online banking, shopping online or using apps on your mobile phone, you’re putting a lot of trust in an amazingly complex software ecosystem. You’re trusting this software with your finances, health care information and much more. When a company gets hacked, the reaction from the public is typically outrage. While it’s okay to blame them for mishandling vulnerabilities and breaches, we should recognize the overwhelming speed and complexity of modern information technology.
Let’s focus on one of the riskiest pieces of the ecosystem — the internet-facing web application. We’ll use the hypothetical BigBank as an example. BigBank.com is a typical online banking website that also includes all the application programming interfaces (APIs) used by mobile devices and other clients. Fundamentally, BigBank is actually a software company that does banking, with more developers than most technology firms. Nevertheless, BigBank only has about 15 people focused on application security, and they are responsible for securing the entire portfolio of thousands of apps like BigBank.com, the vast majority of which get no security attention. They are sitting ducks.
Every day, BigBank.com receives hundreds of thousands of requests from customers. Every time you click a link or submit a form, it pulls the data from your request, makes calculations, updates databases, checks the mainframe, sends messages and then finally sends the results back to your browser. BigBank.com receives hundreds of these requests simultaneously and processes them all through billions of paths through the code.
The complexity of BigBank.com is staggering — far beyond what a single developer could ever fully understand. It consists of almost two million lines of custom Java code and another 50 million lines of open source Java libraries. That’s much bigger than the size of the US Federal Tax “code” and at least as hard to parse. While some parts of BigBank.com are brand new, most of it is over a decade old. To stay secure, BigBank has to keep up with verifying all the code they produce, dealing with dozens of new open source vulnerabilities every week and handling novel attack techniques across their entire portfolio multiple times a year.
BigBank.com gets attacked hundreds of times every day. The vast majority of these attacks are seeking vulnerabilities called SQL injection, cross-site scripting and file path injection, which are all attempts to trick the bank into disclosing information, draining accounts or corrupting its data. In some cases, they are trying to completely take over the computer the bank runs on. Once that happens, attackers can gain full control of everything the computer knows and can do everything it can do.
The bad guys are constantly probing for chinks in BigBank.com’s armor. The problem is that BigBank.com doesn’t have any code to detect these attacks, so no one can see them. Network protections like firewalls are useless here because, unless you really understand the code, you can’t tell which requests are attacks. Companies like BigBank are put in an awful dilemma. Generally, attacks start within a day of vulnerability disclosure, but it takes many organizations months to figure out if they’re vulnerable, update the library, adapt their code, rebuild, retest both features and security and redeploy.
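The point that a firewall cannot tell attacks from ordinary traffic without understanding the code is easy to see in a small script. The following is an added example, not code from the original article or from any real bank: it scans a few constructed access-log lines twice, once with pattern matching alone (what a network device can do) and once with a hypothetical table describing which part of the code each parameter reaches (what only the application itself knows). The log format, parameter names and the SINKS table are all assumptions made up for this example.

```python
"""Added example: application-aware attack detection over request logs.

Everything here (log lines, parameter names, the SINKS table) is constructed
for illustration and does not describe any real application.
"""
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample access-log lines in the shape "METHOD path?query".
SAMPLE_LOG = """\
GET /accounts?id=1042
GET /accounts?id=1042%20OR%201%3D1
GET /search?q=O%27Brien
GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E
GET /download?file=statement-2024.pdf
GET /download?file=..%2F..%2Fconfig%2Fapp.properties
"""

# Hypothetical knowledge about the code: which sinks each parameter reaches.
# A firewall cannot know this; the application can.
SINKS = {
    ("/accounts", "id"): {"sql_concat"},            # concatenated into a SQL string
    ("/search", "q"): {"sql_param", "html_raw"},    # bound as a query parameter, echoed unescaped
    ("/download", "file"): {"filesystem"},          # used to build a file path
}

# Indicator patterns per attack class, applied to the decoded parameter value.
PATTERNS = {
    "sql_injection": re.compile(r"(?i)(\bor\b|\band\b)\s+\S+\s*=|'|--|;"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|on\w+\s*="),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
}

# Which sinks each attack class can actually reach. A quote sent to a
# parameterized query, for example, is just data.
EXPLOITABLE_AT = {
    "sql_injection": {"sql_concat"},
    "xss": {"html_raw"},
    "path_traversal": {"filesystem"},
}


def parse_line(line):
    """Return (path, {param: decoded value}) for one constructed log line."""
    _method, url = line.split()[:2]
    parsed = urlparse(url)
    params = dict(parse_qsl(parsed.query, keep_blank_values=True))
    return parsed.path, params


def naive_findings(line):
    """Pattern matching only: every suspicious-looking value is flagged."""
    _path, params = parse_line(line)
    found = set()
    for value in params.values():
        for cls, pattern in PATTERNS.items():
            if pattern.search(value):
                found.add(cls)
    return found


def aware_findings(line):
    """Flag a value only if it reaches a sink the attack class can exploit.

    Unknown parameters have no sink entry and are not flagged here; a real
    deployment would have to treat them as unclassified rather than safe.
    """
    path, params = parse_line(line)
    found = set()
    for name, value in params.items():
        sinks = SINKS.get((path, name), set())
        for cls, pattern in PATTERNS.items():
            if pattern.search(value) and sinks & EXPLOITABLE_AT[cls]:
                found.add(cls)
    return found


def scan(log_text):
    """Return [(line, naive findings, application-aware findings), ...]."""
    return [
        (line, naive_findings(line), aware_findings(line))
        for line in log_text.splitlines()
        if line.strip()
    ]


if __name__ == "__main__":
    for line, naive, aware in scan(SAMPLE_LOG):
        print(f"{line}\n   pattern-only: {sorted(naive) or '-'}"
              f"\n   code-aware:   {sorted(aware) or '-'}")
```

The search for "O'Brien" is the interesting row: pattern matching alone flags the apostrophe as SQL injection, while the code-aware pass clears it because that parameter only ever reaches a parameterized query. The script-tag search is flagged by both passes, since the same parameter is also echoed into the page without escaping. That mapping from parameter to sink is exactly the knowledge a network device lacks and the application has, which is why the detection belongs in (or next to) the code.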
As a consumer, here’s what you can do to protect yourself:
1. Ask companies for details about what protections they use to protect your data. Ask whether they use encryption, strong authentication, runtime protection and other modern defenses. How do they detect attacks and prevent exploitation?
2. Request information about how their software is built. Ask whether they can share the threat model. Does it address not only their protection but yours? What training are developers given? How is software tested for security?
3. Do business with organizations that take security seriously. Do they participate in the security community? Is there an obvious way to report a vulnerability? Do they share the details of their application security program?
4. Examine their record of publishing and handling vulnerabilities in their software. Don’t rule out companies that have published vulnerabilities. The ones that haven’t published any either haven’t implemented good security testing, or they don’t care about you enough to publish them.
5. Consider how they have responded to breaches. Some organizations respond sincerely and make changes to address successful attacks. Beware of the companies that attempt to bury, blame and bribe their way out of it.
BigBank isn’t an anomaly — this is the story of most of the websites you love. What do you think? How can we change the software market to encourage companies to do better?
Agree? Disagree? Have better ideas? Let me know in the comments below.