Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

3/25/2020
02:00 PM
Shahar Sperling
Shahar Sperling
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Do DevOps Teams Need a Company Attorney on Speed Dial?

In today's regulatory and legislative environment, companies and individuals are exposed to lawsuits over security breaches, resulting in significant fines and ending careers.

To err is human, and developers writing code err as often as any other humans. The industry average for programmers, in fact, is as many as 70 errors per 1,000 lines of code. Testing looks for errors and tries to catch as many as possible before a product goes to market.

Before releasing their applications, companies will test functionality, as errors in functionality could result in customer dissatisfaction and be embarrassing for the company. This could have a negative effect on sales and the organization's market position.

However, testing needs to be done on security issues as well. While releasing a functionally poor application could be embarrassing and bad for sales, releasing a vulnerable application can have far greater consequences. In today's regulatory and legislative environment, companies, as well as individuals, are exposed to lawsuits over security breaches, resulting not only in significant fines but the end of careers.

It seems that almost every data breach becomes fodder for legal action. In one of the biggest cases in recent years, international hotel chain Marriott faces numerous class-action lawsuits (some are still pendingover a data breach in which information from some 500 million guest records ended up in the hands of hackers. Investigators determined that the 2018 leak was likely due to a remote access Trojan ending up on the server that held the records, which allowed hackers to take control of admin accounts.

The trouble began when Marriott acquired hotel chain Starwood and continued using its reservation system. Between the chaos of trying to get a handle on the Starwood data and the continued use of an old, malware-laden system — and the elimination of the jobs of many of the Starwood IT staff — Marriott was charged with negligence in securing its data, leading to the wave of lawsuits. It's estimated that the breach, including settlements, legal fees, etc., has cost the company around $30 million in direct costs, in addition to a fine of £99 million imposed by the European Union under GDPR statutes. And that doesn't include the potential lost revenue due to customers shying away from a chain where customer data has been compromised by hackers multiple times.

The Marriott case is one of many. In another recent example, franchisees who own Snap Fitness outlets are suing the mother company for requiring them to purchase club management software, which turned out to be flawed, subjecting them to ransomware attacks. Because of the bad code that they were forced to utilize, "the franchisees lost all their data and the ability to operate their clubs for 13 days, causing all Snap Fitness franchisees to suffer significant losses of revenues, profits, and club members."

Lawsuits aren't confined to dissatisfied tech partners. In a twist, company shareholders are suing support firm Zendesk for what they allege is an attempt to cover up a 2016 security breach. News of that breach only came out in October 2019, and it followed a poor showing in second-quarter financial results for the company. By failing to disclose the breach, investors who bought shares in the firm between 2016 and the revelation of the breach were in essence defrauded, the lawsuit contends, because the revelation of the breach is likely to drive down the price of their shares. Zendesk officials took advantage of the cover-up, the plaintiffs say, to "cash in, selling approximately 409,000 of their personally held Zendesk shares, reaping more than $32.7 million in proceeds."

The lawsuit was filed recently, but it's likely to discuss not just the fraud aspects of the allegation, but the nature of the breach — which, as Zendesk is a software firm, may include security holes in its software.

Face it, mistakes are going to happen — and in the DevOps environment, it's crucial to find those mistakes as early in the development cycle as possible.  

However, many of the mistakes that teams are looking for are the ones that affect program functionality. Searching for mistakes that could lead to breaches and hacker attacks, while even more crucial, often does not get the same priority. A button that does the wrong thing may get complaints from customers, along with a good dose of embarrassment on social media, but it's unlikely to land the company in a courtroom facing tens of millions of dollars in liability. A security vulnerability that goes undetected, on the other hand, could.

When DevOps teams are reviewing the pipeline, they may want to invite someone from the legal department in to the discussion, just to make sure everyone knows what's at stake. There is no time like the present to evaluate your DevSecOps, to make sure every effort has been made to find any issues. That's the differentiator between a negligence suit and no suit at all, and between a bankrupting-sized fine to a slap on the wrist.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Three Ways Your BEC Defense Is Failing & How to Do Better."

Shahar Sperling is the Chief Architect at HCL AppScan. He has had 23 years of experience in professional software development, spending the last 13 years with the AppScan team, developing various products and technologies. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5292
PUBLISHED: 2020-03-31
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users' and admini...
CVE-2020-7009
PUBLISHED: 2020-03-31
Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
CVE-2019-13495
PUBLISHED: 2020-03-31
In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field.
CVE-2020-5291
PUBLISHED: 2020-03-31
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...
CVE-2019-14905
PUBLISHED: 2020-03-31
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS co...