Software Defects Still Key Factor in Data Loss
By Danny Lieberman, Security Expert and Founder of Software Associates
A recent article on Internet Evolution written by Gideon Lenkey quotes the SANS Institute: “application software is a major vulnerability for enterprises“.
The root cause of an application security vulnerability is usually a design bug, and implementation defects are common as well.
This confirms findings from a research study I performed in 2007 that analyzed over 180 data theft events.
The empirical data showed that software bugs were the contributing vulnerability in over 55% of the events (see the Business Threat Modeling study).
In 100% of the data theft events, however, the people behind the theft exploited the application software vulnerabilities themselves, usually in a rather simple-minded way.
For example, by typing another customer's account number into the query string of a home banking web application, it was possible to retrieve information about other bank customers.
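The home-banking flaw described above is an insecure direct object reference: the application trusts an identifier supplied by the client and never asks whether the caller is entitled to the record. The following is an added example, not code from the article or from any bank, showing the vulnerable lookup beside a hardened one; the account table, the `Session` object and the helper names are all constructed for illustration.

```python
# Added example (not from the original article): an account lookup that trusts
# the account number in the query string, and the same lookup with an
# ownership check. All data and names here are constructed for illustration.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> (owner user id, balance).
ACCOUNTS = {
    "10001": ("alice", 2500.00),
    "10002": ("bob", 1312.50),
}


@dataclass
class Session:
    """The authenticated user for the current request (constructed)."""
    user_id: str


def account_from_query(url: str) -> Optional[str]:
    """Pull the `account` parameter out of a request URL's query string."""
    qs = parse_qs(urlparse(url).query)
    values = qs.get("account")
    return values[0] if values else None


def lookup_vulnerable(session: Session, url: str) -> Optional[dict]:
    """Insecure direct object reference: whatever account number the client
    typed into the query string is returned, regardless of who is logged in."""
    acct = account_from_query(url)
    if acct is None or acct not in ACCOUNTS:
        return None
    owner, balance = ACCOUNTS[acct]
    return {"account": acct, "owner": owner, "balance": balance}


def lookup_hardened(session: Session, url: str) -> Optional[dict]:
    """Same endpoint with an ownership check. A request for somebody else's
    account gets the same answer as a request for a non-existent account, so
    the response does not reveal which account numbers are valid."""
    acct = account_from_query(url)
    if acct is None or acct not in ACCOUNTS:
        return None
    owner, balance = ACCOUNTS[acct]
    if owner != session.user_id:
        return None
    return {"account": acct, "owner": owner, "balance": balance}


if __name__ == "__main__":
    # bob probes alice's account number; only the vulnerable version answers.
    bob = Session(user_id="bob")
    probe = "https://bank.example/statement?account=10001"
    print("vulnerable:", lookup_vulnerable(bob, probe))
    print("hardened:  ", lookup_hardened(bob, probe))
```

The check is deliberately applied against the server-side session rather than anything the client sent; an even stronger variant never accepts an account number at all and lists the accounts belonging to `session.user_id` instead.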
All of the software security vulnerabilities were in the SANS Top 10.
Less than 5% of the data theft events involved social engineering, but almost all of them involved a trusted insider colluding with a malicious outsider.
The study also considered why organizations don't do more to improve the quality of their production software:
- Users are conditioned to accept unreliable software on their desktops, and development managers are inclined to accept faulty software as a trade-off for meeting a development schedule.
- Executives, while committed to the quality of their own products and services, do not find security breaches sufficient reason to become security leaders for their enterprise systems, because:
  - they usually receive conflicting proposals for new information security initiatives with weak or missing financial justifications; and
  - the recommended security initiatives often disrupt the business. (Top-down Security, Alan Paller, SANS Institute)
The one vulnerability that is politically correct to mitigate is the trusted insider: employees and contractors.
An advantage of working at the human level is that responsibility and action can be shared by IT with HR and contracts management.
Ethical behavior by employees can be reinforced using cheap and simple methods such as a one- or two-page AUP (acceptable use policy).
The hinge factor for an AUP is monitoring and enforcement: when it is monitored and enforced, an AUP is a highly cost-effective security countermeasure against the vulnerabilities that contribute to a data breach.
Danny Lieberman is a serial technology innovator and leader – implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003 – Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention /extrusion prevention technology.
Software Associates provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at: +972 54 447 1114 - he is always looking for interesting projects and ideas.
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com