Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

3/25/2020
02:00 PM
Shahar Sperling
Shahar Sperling
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Do DevOps Teams Need a Company Attorney on Speed Dial?

In today's regulatory and legislative environment, companies and individuals are exposed to lawsuits over security breaches, resulting in significant fines and ending careers.

To err is human, and developers writing code err as often as any other humans. The industry average for programmers, in fact, is as many as 70 errors per 1,000 lines of code. Testing looks for errors and tries to catch as many as possible before a product goes to market.

Before releasing their applications, companies will test functionality, as errors in functionality could result in customer dissatisfaction and be embarrassing for the company. This could have a negative effect on sales and the organization's market position.

However, testing needs to be done on security issues as well. While releasing a functionally poor application could be embarrassing and bad for sales, releasing a vulnerable application can have far greater consequences. In today's regulatory and legislative environment, companies, as well as individuals, are exposed to lawsuits over security breaches, resulting not only in significant fines but the end of careers.

It seems that almost every data breach becomes fodder for legal action. In one of the biggest cases in recent years, international hotel chain Marriott faces numerous class-action lawsuits (some are still pendingover a data breach in which information from some 500 million guest records ended up in the hands of hackers. Investigators determined that the 2018 leak was likely due to a remote access Trojan ending up on the server that held the records, which allowed hackers to take control of admin accounts.

The trouble began when Marriott acquired hotel chain Starwood and continued using its reservation system. Between the chaos of trying to get a handle on the Starwood data and the continued use of an old, malware-laden system — and the elimination of the jobs of many of the Starwood IT staff — Marriott was charged with negligence in securing its data, leading to the wave of lawsuits. It's estimated that the breach, including settlements, legal fees, etc., has cost the company around $30 million in direct costs, in addition to a fine of £99 million imposed by the European Union under GDPR statutes. And that doesn't include the potential lost revenue due to customers shying away from a chain where customer data has been compromised by hackers multiple times.

The Marriott case is one of many. In another recent example, franchisees who own Snap Fitness outlets are suing the mother company for requiring them to purchase club management software, which turned out to be flawed, subjecting them to ransomware attacks. Because of the bad code that they were forced to utilize, "the franchisees lost all their data and the ability to operate their clubs for 13 days, causing all Snap Fitness franchisees to suffer significant losses of revenues, profits, and club members."

Lawsuits aren't confined to dissatisfied tech partners. In a twist, company shareholders are suing support firm Zendesk for what they allege is an attempt to cover up a 2016 security breach. News of that breach only came out in October 2019, and it followed a poor showing in second-quarter financial results for the company. By failing to disclose the breach, investors who bought shares in the firm between 2016 and the revelation of the breach were in essence defrauded, the lawsuit contends, because the revelation of the breach is likely to drive down the price of their shares. Zendesk officials took advantage of the cover-up, the plaintiffs say, to "cash in, selling approximately 409,000 of their personally held Zendesk shares, reaping more than $32.7 million in proceeds."

The lawsuit was filed recently, but it's likely to discuss not just the fraud aspects of the allegation, but the nature of the breach — which, as Zendesk is a software firm, may include security holes in its software.

Face it, mistakes are going to happen — and in the DevOps environment, it's crucial to find those mistakes as early in the development cycle as possible.  

However, many of the mistakes that teams are looking for are the ones that affect program functionality. Searching for mistakes that could lead to breaches and hacker attacks, while even more crucial, often does not get the same priority. A button that does the wrong thing may get complaints from customers, along with a good dose of embarrassment on social media, but it's unlikely to land the company in a courtroom facing tens of millions of dollars in liability. A security vulnerability that goes undetected, on the other hand, could.

When DevOps teams are reviewing the pipeline, they may want to invite someone from the legal department in to the discussion, just to make sure everyone knows what's at stake. There is no time like the present to evaluate your DevSecOps, to make sure every effort has been made to find any issues. That's the differentiator between a negligence suit and no suit at all, and between a bankrupting-sized fine to a slap on the wrist.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Three Ways Your BEC Defense Is Failing & How to Do Better."

Shahar Sperling is the Chief Architect at HCL AppScan. He has had 23 years of experience in professional software development, spending the last 13 years with the AppScan team, developing various products and technologies. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.