Yahoo Voices was subjected to a SQL injection attack leading to the exposure of 450,000+ user names and passwords. Adding insult to injury, researchers found that Yahoo was storing passwords in plain text. The attack has been discussed and covered by the news media extensively, so we will not repeat that here.
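The two defects named above, a query built from untrusted input and passwords stored as plain text, are shown side by side in the following added example. It is not code from the original article or from Yahoo; it uses an in-memory SQLite table with constructed sample users, a deliberately vulnerable lookup next to a parameterized one, and PBKDF2-HMAC-SHA256 from the Python standard library for password storage (the iteration count is an assumed value, not anything the article states).

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Constructed sample data standing in for a user store; not real credentials.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex'. The plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_db() -> sqlite3.Connection:
    """Create the in-memory user table, storing only password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for name, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password(pw)))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable form: the query text is built by string concatenation, so the
    input can change the structure of the statement, not just its value."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened form: the driver binds the value as a parameter, so whatever
    the input contains is compared literally against the column."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate against the stored hash; never compares plaintext."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"
    print("concatenated query returns:", lookup_vulnerable(db, probe))
    print("parameterized query returns:", lookup_safe(db, probe))
    print("alice with right password:", login(db, "alice", "correct horse"))
    print("alice with wrong password:", login(db, "alice", "wrong"))
```

Running the script shows the concatenated query returning every user for a value that is not a username at all, while the parameterized query returns nothing for the same value; and because only salted PBKDF2 hashes are stored, a dump of the table does not yield the passwords that the Yahoo Voices breach exposed.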
However, an incident like this calls for a closer look as to whether point-in-time security scanning or testing holds water in the current threat landscape. We have learned that what is really required is constant operational security and virtual patching abilities to deal with continuous threats from sophisticated adversaries.
Yahoo has acquired 60+ companies since its inception in 1994. Understandably, the immediate goal of an acquisition is a quick integration of the acquired product's Web properties, demonstrating the business value of the merger. A long, drawn-out security review would be detrimental to this goal, testing stakeholders' confidence. A Wall Street Journal report mentions that typical security testing after an acquisition covers only a minuscule fraction of the application code.
In this context, it is easy to perceive the illusory nature of one-time security testing or scanning, especially when it poses a hindrance to business objectives.
Security in practice
At Barracuda, we often get the privilege of a bird's-eye view of security postures across verticals. Take, for example, a large telco that wanted to achieve PCI compliance, a noble but daunting endeavour. Their application code base was riddled with the legacy of 25+ direct acquisitions and partnerships. Attempts at dynamic vulnerability scanning (DAST) to find and fix security holes proved futile: the original architects of the code were no longer with the organisation, some of the code had been developed by contractors, and the tools themselves could not cover the depth and breadth of their complex Web-based workflows and dynamically generated content, such as the AJAX front ends on their customer portals. Business downtime to fix security issues was another non-starter.
Unsurprisingly, they hardly needed convincing when we architected a Barracuda Web Application Firewall-based solution to resolve their nightmare. It was a win-win situation for all the internal stakeholders: management could focus on growth, and the appsec and development teams were no longer at odds. The development team got the respite of resolving security issues at a pace that was acceptable to management. The icing on the cake was that the ADC capabilities of the product integrated straight into their infrastructure and sped up the delivery of their Web portals, pleasing their network and infrastructure teams.
What should an organisation do?
What's next for an organisation when this happens? While it is important to always fix the vulnerabilities at the source, operationally speaking, that takes time. As we mentioned earlier, security is a fluid process, and your strategy should involve a solution with the capabilities to adapt to the latest threats and trends.