Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup episode.
via SC Magazine: The 2018 Open Source Security and Risk Analysis Report – the latest in a series of annual reports on the topic from Synopsys – analyzed more than 1,100 commercial code bases in industries ranging from automotive to healthcare, financial services, manufacturing, and cyber security.
via Naked Security: Pushing out a patch in three hours? That’s got to be too good to be true. But, it is true. It’s just that, yeah, it’s not the whole truth.
via Security Ledger: For decades we’ve been hearing about the growing threat of a major cyber attack on US critical infrastructure that could take down portions of the grid, cripple or destroy water distribution systems, shut down Wall Street, healthcare facilities, and more.
Hello, and welcome to another edition of the Weekly Security Mashup. I’m Taylor Armerding, senior security strategist with the Synopsys Software Integrity Group, and I’m here to talk a bit about what’s trending in software security and insecurity, including how to improve your own security.
So, starting from the top. If you’re a fan of open source software—and most people must be, given that it is now at least a component of nearly every application out there—a new report has some good news, along with some urgent recommendation for better security. The 2018 Open Source Security and Risk Analysis report (you can call it OSSRA)—the latest on the topic from Synopsys—analyzed more than 1,100 commercial codebases in industries ranging from automotive to healthcare, financial services, manufacturing, and cyber security.
It found, and SC Media U.K. reported, explosive growth in open source adoption—a 75% increase from the previous year, which means it was a component of 96% of the applications audited. That, according to at least some of its advocates, ought to be good for security as well, since because it is open, vulnerabilities get spotted and fixed much more quickly. The slogan is “Many eyes make all bugs shallow.”
Apparently not. Black Duck found that 78% of the audited codebases contained at least one open source vulnerability, up from 67% the previous year. Among those, 54% were rated high-risk, and 17% high-profile, including Freak, Heartbleed, and Poodle. Cyber security apps didn’t do a whole lot better—41% of them had vulnerabilities.
This does not mean open source code is any worse than proprietary. Black Duck’s Tim Mackey told SC Media that “many eyes” isn’t just a theory—that it offers real benefits. But, he said, users have a responsibility as well, since tools are available to help them not just find bugs but, you know, actually fix them. “They need to adopt policies and automated tools to help them select secure, high-quality open source components from the outset, and then patch them when critical vulnerabilities are disclosed,” he said.
And Ian Trump, chief technology officer at Octopi Research Lab, added that the findings don’t mean the sky is falling. He said the “vast majority of those vulnerabilities are not remote code executable with user level privileges.” And he’s also a fan of “many eyes.” “Sunlight and scrutiny of code is the best debug technique out there,” he said.
Page 2: Too good to be the whole truth. Pushing out a patch in three hours? That’s got to be too good to be true. Well, it’s true. It’s just that, yeah, it’s not the whole truth.
So, first the good part: As anybody in the cyber security industry knows, it can feel a bit like an endless game of Whac-a-Mole. Patch one vulnerability, and the bad guys discover another one—or two or three or a dozen. So it’s nice to hear when the good guys whack the mole quickly—in this case, a matter of hours.
There were multiple reports this week that researchers discovered a serious cross-site scripting vulnerability affecting all desktop versions of the encrypted chat app Signal. You know, the one that has received the ultimate endorsement—from Edward Snowden. They said an attacker posing as a contact could exploit it to send a message containing a malicious URL to set up a range of code injection compromises using image, audio, or iFrame tags—even if the victim does nothing more than participate in the conversation.
There is a bit of disagreement about how bad it is—or was, since it’s been patched. John Dunn of the Naked Security blog wrote that it didn’t amount to “a compromise of the software’s end-to-end encryption, but it would be helpful to an attacker trying to trick a would-be victim into giving up information about themselves.” But Swati Khandelwal of The Hacker News said researchers showed it would be possible for an attacker to “successfully steal all Signal conversations of the victims in plaintext just by sending them a message.”
Almost unbelievably, a fix was available only three hours after Signal acknowledged the report. But that’s where the “too good” part comes in. It wasn’t quite the blindingly rapid response that it may have appeared to be. Dunn pointed out that the fix “had originally been part of an update in mid-April that wasn’t applied for reasons unknown.”
Also, this was not the only recent problem for Signal. Dunn noted that just days earlier, a different flaw was discovered in the Mac desktop application, in which some time-limited or deleted messages were being copied to the notifications buffer. And Signal was also among apps plagued by a vulnerability disclosed just days ago in Electron, a software framework also used by Skype, Slack, Discord, WordPress.com, and numerous others.
In other words, Whac-a-Mole lives! And patching takes more than a few hours. But hey—you have to take bits of good news where you can find them.
Page 3: Apocalypse soon?
Well, for decades we’ve been hearing about the growing threat of a major cyber attack on U.S. critical infrastructure that could take down portions of the grid, cripple or destroy water distribution systems, shut down healthcare facilities, and more, much more. Former Defense Secretary Leon Panetta and others have called it an impending “Cyber Pearl Harbor.”
Well, Internet of Things security firm Pwnie Express is out with its fourth annual report on why they believe the nightmare is increasingly likely—because it is increasingly easy, thanks to “The Internet of Evil Things” (the title of the report).
There are lots of depressing details in the report, but among the most troubling are that awareness doesn’t necessarily lead to action. The company found that “64 percent of respondents are more concerned about connected device threats, with IoT devices at the top of the list. Yet, slightly fewer are checking their wireless devices than last year.” In short, “2018 marks the fourth consecutive year where perceptions and awareness of cyberattacks outpace prevention and action,” they said.
Which is especially troubling, given that there are tools to make the software running your connected devices a much more difficult target. But you have to use them.
And that’s our advice for this week. The Weekly Security Mashup is a group effort, so thanks again to our social media queen and producer, Beth Gannett; to our content gurus, Liz Samet and Mark Van Elderen; to our Final Cut pro, Rachel Felson; and to our beloved team leader, Cameron Caswell. And thanks to you for watching. Help us spread the word using your social media magic. Tweet it, link it, share it, and come back again next week. Until then, stay safe, stay secure, and help make others secure. I’m Taylor Armerding for the Synopsys Software Integrity Group. We help organizations build secure, high-quality software faster.