Security Profession blog
Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.
Wednesday 26 August 2009, 6:39 PM
SQL injection attacks point to need for more secure software
At a recent (ISC)2 Secure London seminar the keynote speaker from IBM Internet Security, James Rendell, said that IBM’s X-Force security labs had tracked a 30x increase in ‘SQL injection’ attacks in the last six months. He suggested that cyber criminals liked them because it is easy to identify the targets, they are easy to implement and they deliver a high payoff—i.e. they don’t have to recognise the underlying operating system or even the database, because they take advantage of the Web front ends that companies are applying to all of their applications.
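The point Rendell makes, that the attacker need not know the operating system or even the database product, follows from where the flaw sits: in how the web front end builds its query. The following is an added illustration, not code from the post or from (ISC)2, using Python’s built-in sqlite3 module and a constructed two-row users table standing in for the application database. It shows the same lookup written two ways: one that splices the request parameter into the SQL text, and the corrected form that binds it as a parameter so the database always treats it as data.

```python
import sqlite3

# Constructed sample data standing in for the table behind a web front end.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: the request parameter becomes part of the SQL text.

    Any quote character in `name` changes the structure of the statement,
    which is exactly the class of defect the post describes.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """FIXED: the value is bound as a parameter, never parsed as SQL.

    The statement text is constant; the driver sends `name` separately,
    so its content cannot alter the WHERE clause.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare_lookups():
    """Run both versions on an ordinary name and on a constructed input
    containing a quote, and return the row counts side by side."""
    conn = make_db()
    ordinary = "alice"
    with_quote = "x' OR '1'='1"  # constructed input; a quote inside a name
    return {
        "unsafe_ordinary": len(lookup_unsafe(conn, ordinary)),
        "unsafe_with_quote": len(lookup_unsafe(conn, with_quote)),
        "safe_ordinary": len(lookup_safe(conn, ordinary)),
        "safe_with_quote": len(lookup_safe(conn, with_quote)),
    }


if __name__ == "__main__":
    for label, count in compare_lookups().items():
        print(f"{label}: {count} row(s)")
```

With the ordinary name both versions return one row. With the input containing a quote the concatenated version returns every row in the table, because the quote terminated the string literal and the remainder was parsed as SQL, while the parameterised version returns none, since no user is literally named `x' OR '1'='1`. The review check this suggests for a development team is simple to state: any place where request data is joined into a query string, rather than bound as a parameter, is a defect to be tracked like any other known vulnerability.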
Rendell also pointed out that more than half of all software vulnerabilities are web application based; however, the issue here isn’t just about web application software, it’s a matter of the bad software architecture and design that is endemic in much software. Too often security holes are known vulnerabilities that just weren’t tracked properly in the development process. With patching becoming an increasing burden, wouldn’t the economics now warrant pushing the issues and costs back to the software vendors?
We know that software developers have yet to progress their profession with security in mind. They are driven by tight timescales, flexible and cost-effective development methodologies and an obsessive focus on usability. Security has been an afterthought, all too often introduced at the testing stage. But the time to change is now. Software teams need to establish more sound security standards and raise awareness among stakeholders across the software development lifecycle of the importance of addressing security concerns. While many argue that secure coding techniques have been developed, the approach is too limited. This is not an issue for software coding alone.
John Colley, managing director for EMEA of (ISC)2
Friday 7 August 2009, 10:50 AM
Do we all have a role in the UK’s Cybersecurity Strategy?
Those of us with the knowledge, the professionals who have dedicated our careers to tackling cyber security issues, have a critical responsibility to help the rest of society, which has a very steep learning curve to climb. It really is time to get involved: efforts to improve security awareness are proliferating, with many reaching out to children, small business people and communities. (ISC)2’s cyber security awareness portal is a good example. The Cyber Exchange uses videos, presentations, posters and more supplied by top experts in the information security field, our members, to help spread the word on secure Internet use. It’s time to find an initiative or start one within your own community or workplace. Or consider lending your expertise within a consultation group directly linked to one of the defined work streams: Safe, Secure and Resilient Systems; Policy, Doctrine and Regulatory Issues; Awareness and Culture Change; Skills and Education; Technical Capabilities and Research; Exploitation; International Engagement; and Governance Roles and Responsibilities. I for one am looking forward to participating in working groups examining the skills and education situation in this country.
At the very minimum, each and every professional should have read the document by now and considered how well their own organisations are managing these areas. After all, this is an opportunity to highlight them with management as well. But more than this, it’s an opportunity to really influence a Secure Digital Britain. What are you doing?
John Colley
Managing director for EMEA of (ISC)2
(ISC)2 is a non-profit consortium that represents more than 3,000 information security professional members in the UK and 66,000 globally.