Cybersecurity has been one of the biggest concerns of 2017. The recent Equifax breach where hackers broke into access personal data for 143 million customers is the latest in the series of security breaches to hit unsuspecting users this year.
The Equifax Data Breach
Equifax is one of the three main consumer credit reporting agencies – this means hackers were privy to information like social security numbers, birth dates, addresses and drivers’ license numbers. The breach was possible owing to a flaw in their tool designed to develop web applications. Large organizations and government bodies used their tool – Apache Struts. Equifax used the tool to support its online dispute portal – where customers could log reports with their credit reports.
Hackers exploited the web application vulnerability (Apache Struts CVE-2017-5638) that was patched more than two months ago. Unfortunately, this breach was easily avoidable if Equifax had taken timely action. This major lapse in responsibility led to what is considered the largest data breaches in history. Attackers entered the system in mid-May 2017, although the patch was available by March 2017. While this raises many questions about the cybersecurity posture of larger organizations, it has many important lessons to learn.
Data breaches and security threats like Equifax’s occur because organizations overlook secure software development practices. Prevention is better than cure. It is easier, safer and more cost-effective to add the necessary controls early in the software development lifecycle(SDLC). Be it architecture risk analysis or threat modeling, there are many ways to achieve this. Security issues are preventable if the right architecture controls are applied at the right places and at the right time.
It is true that patching software at some of the bigger organizations with many machines is extremely labor intensive. CIOs need to identify the vulnerability, then apply and test the patch, and also conduct regression testing to ensure it doesn’t break anything else before making it public. The difficulty in patching, however, is no excuse for data stewards and larger organizations to move so slowly and expose themselves and their users to such a risk.
Key measures to avoid events like Equifax Data Breach
- Architecture and design: Application architects can enforce stronger controls to protect customer data such that a single software vulnerability doesn’t cause such a large-scale breach. This can be done by using strong and centralized authorization checks and using input validation frameworks etc.
- Implementation: Developers can implement the application so that it performs the necessary checks at all the check-points.
- Code reviews and static analysis: Static and dynamic analysis tools are used to find web app vulnerabilities. Moreover, you can also look for issues using manual code reviews – including implementation bugs introduced via development.
- Verification: Security testing tools and manual testing can also detect vulnerabilities in the test environment. Delivering better quality software is largely dependent on testing methods and tools especially in the age of testing automation.
- Continuous testing: Testing throughout the lifecycle of the application is now essential to mitigate threats. If companies are not equipped to handle security testing, it is also worth investing in dedicated software that fulfills the job for you. Security testing measures like authentication, authorization, encryption, and data validation can help.
The true cost of a data breach
The cost of a data breach is too expensive and not just financially. Loss of trust and reputational damage takes a long time to remedy. There is no simple solution to the potential cybersecurity threats looming large, but a layered security approach is required.
Performance, functional, penetration and security testing should be prioritized and operations must watch applications closely to root out vulnerabilities. Tools like QMetry Test Management provide organizations with the command center to manage software quality within ALM and nip these problems in their bud.