Posted by Fred Bals on Monday, April 16th, 2018
It’s nearly an all-Tim Mackey issue of Software Integrity Insight as our technical evangelist weighs in on data breaches, container adoption, GitHub, and open source serverless applications. Other stories in this week’s software integrity news include the SirenJack vulnerability, a security vulnerability potentially putting warning sirens across the city of San Francisco at risk, and more.
via Synopsys Software Integrity: It’s been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in their MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private user details for its millions of online users for eight months. Three days later we had yet another breach disclosure from Delta Airlines and Sears Holdings, who were using third-party chat services from 7.ai. The 7.ai breach then expanded to include Kmart and Best Buy a few days later.
Everything is going IoT
via IoT Now: There’s a little bit of embedded technology connecting to the internet in nearly all new devices. The types of “things” going internet-enabled include tea kettles (seriously), trainers (sneakers), and televisions. Also, things that may not be connected to the Internet but are often connected to a local network include medical devices like pacemakers and insulin pumps. This trend, says Art Dahnert, managing consultant at Synopsys, Inc., has been occurring for several years now and it doesn’t look like it will be stopping at any point soon. The problem is that too many things in the Internet of Things (IoT) are also getting hacked.
via all-electronics.de (Germany): The actual open-source projects themselves may have their software analyzed statically by commercial providers and usually do so (scan.coverity.com). For example, a public database at https://nvd.nist.gov provides Known Vulnerabilities for open source components. But that does not mean that these problems will be remedied—on the contrary. According to a study by the company Black Duck Software, in medical technology 46 percent of all applications examined contain open source components, of which 46 percent contain high-risk components.
via Synopsys Software Integrity: As application development teams are pressured to deliver software faster than ever, containers offer clear advantages. Docker debuted to the public in 2013, and since then there have been over 29 billion Docker container downloads. Benefits of containerization: 66% of organizations adopting containers experienced accelerated developer efficiency, and 75% of companies achieved an increase in application deployment speed.
via eWeek: A security vulnerability put at risk warning sirens across the city of San Francisco, according to a report released by security firm Bastille Networks on April 10. Bastille said the vulnerability, which it dubbed “SirenJack,” could have enabled an attacker to broadcast a false alarm that would have impacted millions of people. The SirenJack vulnerability specifically impacts warning sirens developed by ATI Systems and deployed in multiple locations around the United States.
via SC Magazine: An audit of 1,000 open-source serverless applications carried out by serverless security company PureSec has revealed that 21 percent of such applications feature critical security vulnerabilities that can be exploited by hackers to either manipulate them or to carry out malicious operations. Stating that he personally supports PureSec’s attempts to increase awareness of the security risks associated with API usage, Tim Mackey, technical evangelist for Black Duck by Synopsys told SC Magazine UK that serverless application owners must pay attention to any API they consume and assume that without independent validation any number of security issues may be present. “In addition to the security nature of API execution, recent media coverage of data breaches also demonstrates that anyone consuming an API should be aware of how any data presented will be used and potentially stored,” he added.
Via Infosecurity Magazine: “The core concept of functions-as-a-service (FaaS), or serverless functions, is to define an API for consumption,” explained Tim Mackey, technical evangelist for Black Duck. “These APIs can provide basic services intended for integration into a larger application. By decoupling the API from the core business logic, security paradigms which would normally apply to a discrete application at a higher level now need to be implemented in the API function.” For example, a discrete user-facing application will often implement its input sanitization routines at the point of user input. The sanitized data is then freely manipulated within the application to return a result to the end user. If those internal data manipulation routines are broken out to become discrete API services, the input sanitization rules could easily be omitted when the API was refactored. “The net result being unexpected data could be presented to the function—with correspondingly unexpected results,” Mackey added. “If that API function proves valuable to others, those new consumers may not be aware of the lack of input sanitization and the associated security risks.”
via Enterprise Tech: Other security analysts note that the underlying concept behind serverless functions is defining an API for providing basic services within a larger application. “By decoupling the API from the core business logic, security paradigms which would normally apply to a discrete application at a higher level now need to be implemented in the API function,” noted Tim Mackey, a security specialist with Black Duck. While the PureSec security audit focused on open-source serverless projects, Mackey noted that “this risk potentially exists in any API regardless of whether it’s considered serverless.”
via TechBeacon: While developers appear keen to act on the information they’re getting from GitHub, that might not be the case with enterprises, many of which cache “approved” versions of components in local repositories. Tim Mackey, a technical evangelist at Black Duck Software, said enterprises do that to ensure that whatever happens upstream doesn’t break their applications. “From a security perspective, a barrier to information flow is created, which limits the effectiveness of GitHub’s efforts to apply the dependency information to a security problem,” Mackey said.
via CAST: CAST, the leader in Software Intelligence, today announced new research evaluating the structural quality of open source software (OSS). The growing popularity and widespread use of OSS in enterprise applications helps developer teams work faster, yet this efficiency may come at a cost to the robustness, efficiency and security of those applications meant to support business functions. The Software Intelligence Report benchmarks the overall quality of OSS compared to software built in-house or by outsourced teams.
via Synopsys Software Integrity: As firms consistently strive to become more agile, cloud and containers can help them build software faster and deliver continuously. At the same time, many firms fear that adding security to DevOps practices can severely slow down processes. With GitHub and Black Duck by Synopsys, firms can automate secure development workflows, shift security left, and avoid software rot.
Get the latest AppSec news and trends sent directly to you.