Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

3/25/2020
02:00 PM
Shahar Sperling
Commentary

Do DevOps Teams Need a Company Attorney on Speed Dial?

In today's regulatory and legislative environment, companies and individuals are exposed to lawsuits over security breaches, resulting in significant fines and ending careers.

To err is human, and developers writing code err as often as any other humans. The industry average for programmers, in fact, is as many as 70 errors per 1,000 lines of code. Testing looks for errors and tries to catch as many as possible before a product goes to market.

Before releasing their applications, companies will test functionality, as errors in functionality could result in customer dissatisfaction and be embarrassing for the company. This could have a negative effect on sales and the organization's market position.

However, testing needs to be done on security issues as well. While releasing a functionally poor application could be embarrassing and bad for sales, releasing a vulnerable application can have far greater consequences. In today's regulatory and legislative environment, companies, as well as individuals, are exposed to lawsuits over security breaches, resulting not only in significant fines but the end of careers.

It seems that almost every data breach becomes fodder for legal action. In one of the biggest cases in recent years, international hotel chain Marriott faces numerous class-action lawsuits (some are still pending) over a data breach in which information from some 500 million guest records ended up in the hands of hackers. Investigators determined that the 2018 leak was likely due to a remote access Trojan ending up on the server that held the records, which allowed hackers to take control of admin accounts.

The trouble began when Marriott acquired hotel chain Starwood and continued using its reservation system. Between the chaos of trying to get a handle on the Starwood data and the continued use of an old, malware-laden system — and the elimination of the jobs of many of the Starwood IT staff — Marriott was charged with negligence in securing its data, leading to the wave of lawsuits. It's estimated that the breach, including settlements, legal fees, etc., has cost the company around $30 million in direct costs, in addition to a fine of £99 million imposed by the European Union under GDPR statutes. And that doesn't include the potential lost revenue due to customers shying away from a chain where customer data has been compromised by hackers multiple times.

The Marriott case is one of many. In another recent example, franchisees who own Snap Fitness outlets are suing the mother company for requiring them to purchase club management software, which turned out to be flawed, subjecting them to ransomware attacks. Because of the bad code that they were forced to utilize, "the franchisees lost all their data and the ability to operate their clubs for 13 days, causing all Snap Fitness franchisees to suffer significant losses of revenues, profits, and club members."

Lawsuits aren't confined to dissatisfied tech partners. In a twist, company shareholders are suing support firm Zendesk for what they allege is an attempt to cover up a 2016 security breach. News of that breach only came out in October 2019, and it followed a poor showing in second-quarter financial results for the company. By failing to disclose the breach, investors who bought shares in the firm between 2016 and the revelation of the breach were in essence defrauded, the lawsuit contends, because the revelation of the breach is likely to drive down the price of their shares. Zendesk officials took advantage of the cover-up, the plaintiffs say, to "cash in, selling approximately 409,000 of their personally held Zendesk shares, reaping more than $32.7 million in proceeds."

The lawsuit was filed recently, but it's likely to discuss not just the fraud aspects of the allegation, but the nature of the breach — which, as Zendesk is a software firm, may include security holes in its software.

Face it, mistakes are going to happen — and in the DevOps environment, it's crucial to find those mistakes as early in the development cycle as possible.

However, many of the mistakes that teams are looking for are the ones that affect program functionality. Searching for mistakes that could lead to breaches and hacker attacks, while even more crucial, often does not get the same priority. A button that does the wrong thing may get complaints from customers, along with a good dose of embarrassment on social media, but it's unlikely to land the company in a courtroom facing tens of millions of dollars in liability. A security vulnerability that goes undetected, on the other hand, could.

When DevOps teams are reviewing the pipeline, they may want to invite someone from the legal department into the discussion, just to make sure everyone knows what's at stake. There is no time like the present to evaluate your DevSecOps, to make sure every effort has been made to find any issues. That's the differentiator between a negligence suit and no suit at all, and between a bankrupting-sized fine and a slap on the wrist.


Shahar Sperling is the Chief Architect at HCL AppScan. He has had 23 years of experience in professional software development, spending the last 13 years with the AppScan team, developing various products and technologies.