
Best Practices for Secure Open-Source/Proprietary Software Development

Introduction

As developers, we need to treat security as a first-class part of the software development process. A vulnerability in a widely used open-source component is inherited by every downstream project that depends on it, so its consequences reach users and systems worldwide. This advisory sets out practices for finding and mitigating vulnerabilities and keeping your codebase safe. By following these guidelines, we can contribute to a more secure open-source and proprietary technology ecosystem.

1. Understanding Vulnerabilities

  • Familiarize yourself with common software vulnerabilities, such as injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure direct object references (IDOR).
  • Injection attacks: user input reaches an interpreter (SQL, the shell, LDAP, a template engine) as part of a command rather than as data. Validate input, and more importantly keep data and code separate: parameterized queries instead of string-built SQL, argument arrays instead of shell strings.
  • XSS: untrusted input echoed into a page without output encoding lets an attacker run script in other users' browsers. Encode for the context the data lands in (HTML body, attribute, JavaScript, URL).
  • CSRF: a victim's browser can be made to send authenticated requests the user never intended. Anti-CSRF tokens and the SameSite cookie attribute let the server distinguish its own forms from forged requests.
  • IDOR: exposing an internal identifier (a row ID, a filename) without an authorization check lets a user read or modify objects they do not own. Check on every request that the caller is allowed to access that specific object, not merely that they are logged in.
  • Track vulnerability trends using the standard vocabularies: the Common Vulnerability Scoring System (CVSS) expresses severity and exploitability as a score, and the Common Weakness Enumeration (CWE) names the underlying class of flaw (for example, a missing authorization check). Use the CVSS score to prioritize remediation and the CWE to find the same flaw class elsewhere in your code.
  • Regularly monitor security news and vulnerability databases to stay informed about emerging threats and recent exploits.

2. Secure Coding Principles

  • Apply secure coding principles throughout: input validation, output encoding, proper authentication and authorization, secure session management, and secure error handling.
  • Validate user input against what the field is allowed to contain (type, length, character set, range) and reject what does not fit; treat sanitization as a fallback, not as the primary defence.
  • Use prepared statements or parameterized queries so that user input is bound as data and never concatenated into SQL. For OS commands, do not build shell strings from user input; pass an argument array to the program or use a safe library API instead.
  • Encode output for the context it is written into (HTML body, attribute, JavaScript, URL) to prevent XSS, and prefer templating engines that escape by default.
  • Implement anti-CSRF measures, such as per-session tokens that the server verifies on every state-changing request, and set the SameSite attribute on session cookies.
  • Implement strong authentication and authorization: enforce access control on every object and action on the server side, and never rely on the client to hide options a user is not allowed to use.
  • Maintain secure session management: session expiration, the Secure and HttpOnly cookie flags, and regeneration of the session identifier on login to defeat session fixation.
  • Handle errors so that users see a generic message while the details (stack traces, SQL text, file paths) go only to server-side logs.
  • Conduct code reviews that look specifically for these weaknesses, and refactor to remove a weakness at its source rather than patching individual call sites.
  • Establish a process for ongoing vulnerability assessment and code maintenance so that security issues are found and fixed in a timely manner.
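The injection, XSS, CSRF and IDOR points above are easiest to see side by side in code. The following is an added example written for this page, not code from the advisory or from any project it describes; it uses only Python's standard library (sqlite3, html, hmac, secrets) with a constructed in-memory database, and all function names are the example's own. Each deliberately vulnerable function is paired with the hardened form the list recommends:

```python
import hmac
import html
import secrets
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database for the demo (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO documents (owner_id, body) VALUES (?, ?)",
        [(1, "alice's notes"), (2, "bob's notes")],
    )
    return conn


# --- SQL injection: string-built query versus parameterized query ------------

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """User input is spliced into the SQL text, so a quote inside `name`
    rewrites the query. Deliberately vulnerable, for comparison only."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The driver binds `name` as a value; it is never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- XSS: encode output for the HTML body context ----------------------------

def render_greeting(name: str) -> str:
    """html.escape turns <, >, &, and quotes into entities, so a script tag in
    `name` is displayed as text instead of executed by the browser."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- CSRF: synchronizer token pattern ----------------------------------------

def issue_csrf_token(session: dict) -> str:
    """Store a random per-session token server-side and hand it to the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Reject a state-changing request unless the submitted token matches the
    one in the session. compare_digest avoids a timing side channel."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# --- IDOR: authorize the object, not just the login --------------------------

def get_document_vulnerable(conn: sqlite3.Connection, doc_id: int) -> Optional[str]:
    """Parameterized (no SQL injection) but still insecure: any logged-in user
    can read any document by guessing its ID."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document_safe(conn: sqlite3.Connection, current_user_id: int, doc_id: int) -> Optional[str]:
    """The ownership check is part of the query, so a foreign ID yields nothing."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?", (doc_id, current_user_id)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # returns every user
    print("safe:      ", find_user_safe(db, payload))        # returns no rows
    print(render_greeting("<script>alert(1)</script>"))
    sess: dict = {}
    tok = issue_csrf_token(sess)
    print("csrf ok:", verify_csrf_token(sess, tok), "forged:", verify_csrf_token(sess, "x"))
    print("idor:", get_document_vulnerable(db, 1), "| checked:", get_document_safe(db, 2, 1))
```

The IDOR pair is the one reviewers most often miss: get_document_vulnerable is already "secure" against injection, which is exactly why the missing ownership check survives code review when the reviewer is only looking for string-built SQL.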


3. Version Control and Secure Packaging

  • Use version control software, such as Git, to track and manage changes: every change then has an author, a timestamp and a reviewable diff, which is what an incident responder needs in order to find when a vulnerable line was introduced.
  • Use branching and merging strategies to manage concurrent development, and protect release branches so that changes land only through reviewed pull requests.
  • Adopt a clear and consistent versioning scheme (for example, semantic versioning) so that users can tell from a version number whether a release contains a security fix.
  • Communicate versioning changes to users and maintain a changelog that highlights security-related updates and the versions they affect.
  • Package and distribute through the standard ecosystem tooling (npm, Maven, PyPI, NuGet) and keep your dependencies up to date to avoid known vulnerabilities in third-party libraries.
  • Pin dependency versions with a lockfile so that builds are reproducible, and update the pins regularly to pick up the security patches and bug fixes provided by library maintainers.
  • Monitor vulnerability databases and security advisories for your dependencies and act promptly on any that affect the versions you ship.
  • Use dependency management and audit tooling to automate the check, so that a pinned vulnerable version fails the build instead of reaching production.
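As an added example of the dependency-audit step described above (written for this page; it is not code from the advisory or from any real audit tool), the following Python script reads a constructed requirements-style pin list, matches the pins against a constructed advisory feed using the introduced/fixed version-range convention that OSV-style advisories use, and orders the findings by CVSS score so that the most severe one is fixed first. The package names, advisory IDs, versions and scores are all invented for the example. The severity buckets follow the CVSS v3.x qualitative rating scale (None/Low/Medium/High/Critical) referred to in section 1:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample pin file in requirements.txt style. The package names are
# invented for this example and do not refer to real projects.
REQUIREMENTS = """\
# production pins
examplelib==1.2.0
parsekit==5.3
netclient==1.26.5   # already on the patched release
"""

# Constructed advisory records, shaped like an OSV-style affected range
# (introduced <= version < fixed) plus a CVSS base score. IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "introduced": "0", "fixed": "1.3.0", "cvss": 6.5},
    {"id": "ADV-0002", "package": "parsekit", "introduced": "0", "fixed": "5.4", "cvss": 9.8},
    {"id": "ADV-0003", "package": "netclient", "introduced": "1.26.0", "fixed": "1.26.5", "cvss": 7.5},
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.26.5' -> (1, 26, 5). Only dotted integers are handled here; real
    tooling should use the packaging library's Version class."""
    return tuple(int(part) for part in text.split("."))


def version_cmp(a: str, b: str) -> int:
    """Compare dotted versions, right-padding with zeros so '5.3' == '5.3.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Affected iff introduced <= version < fixed; the fixed release is clean."""
    return version_cmp(version, introduced) >= 0 and version_cmp(version, fixed) < 0


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: pinned_version}, ignoring comments and blank lines."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def audit(pins: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Match each advisory against the pinned version and return the findings
    ordered by CVSS score, highest first, so remediation can be prioritized."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None or not is_affected(pinned, adv["introduced"], adv["fixed"]):
            continue
        findings.append({
            "id": adv["id"],
            "package": adv["package"],
            "pinned": pinned,
            "fixed_in": adv["fixed"],
            "cvss": adv["cvss"],
            "rating": cvss_rating(adv["cvss"]),
        })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{finding['rating']:8} {finding['id']}  {finding['package']}=={finding['pinned']}"
              f"  -> upgrade to {finding['fixed_in']}")
```

Two details matter in practice: a pin equal to the fixed version is not a finding (the range is half-open), and the comparison pads shorter versions with zeros so that 5.3 and 5.3.0 are the same release. The version parsing is deliberately minimal; a production audit should use a proper version library and a live advisory source rather than an inline list.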


4. Vulnerability Analysis and Documentation

  • Contribute to the curation of a comprehensive security advisory database by analyzing, verifying, and documenting vulnerability reports.
  • Collaborate with the Security Lab to analyze and verify vulnerability reports: reproduce the issue where possible and confirm the affected versions before an advisory is published.
  • Document each vulnerability's impact, the affected products or versions, and the available mitigation or upgrade path.
  • Ensure the advisory data in the existing security database is complete, correct, and consistent, and perform quality checks before publication so that nothing necessary is missing or misstated.
  • Keep the format and structure of advisories consistent so that developers and security tooling can consume them reliably.
  • Use the curation tooling provided to publish advisories that include a detailed description, affected product data, a severity assessment, and practical steps to remediate the vulnerability.


5. Community Engagement and Knowledge Sharing

  • Engage and collaborate with online communities dedicated to open-source security and development.
  • Participate in forums, discussion groups, and mailing lists focused on open-source security to share knowledge, ask questions, and learn from others.
  • Contribute to open-source projects by reporting vulnerabilities through the project's disclosure channel, submitting patches, and engaging constructively with maintainers.
  • Share your expertise and experience with the community, and encourage other developers to adopt secure coding practices and to take vulnerability management seriously.
  • Write technical articles, blog posts, or documentation, and run workshops or webinars, to educate developers on secure coding, vulnerability management, and open-source security.


6. Emerging Trends

As targeted attacks on code and private data grow more sophisticated, adopting these developer best practices is crucial for the security and reliability of software systems. The following key points further strengthen the development process and mitigate risk:

  • Peer Review: Encouraging peer code reviews helps identify coding flaws, logic errors, and potential vulnerabilities early in the development lifecycle. Collaborative feedback and knowledge sharing among team members lead to improved code quality and security.
  • CI/CD Pipeline: Implementing a robust Continuous Integration and Continuous Deployment (CI/CD) pipeline enables automated testing, builds, and deployment. It ensures that code changes are thoroughly tested and reviewed before being deployed, reducing the likelihood of introducing vulnerabilities or breaking the system.
  • Separation of Duties: Enforcing separation of duties ensures that different individuals or teams are responsible for specific stages of the development and deployment process. This helps prevent unauthorized access, limits the potential for insider threats, and improves accountability within the development team.
  • Data Protection and Backup: Implementing regular backups, disaster recovery plans, and data protection measures safeguards against data loss, system failures, and potential security breaches. It is essential to have reliable backup mechanisms and recovery procedures in place to quickly restore systems and minimize downtime.
  • Cybersecurity: Prioritizing cybersecurity throughout the development lifecycle helps safeguard against external threats and potential vulnerabilities. This includes implementing secure coding practices, staying updated with the latest security patches, conducting regular security assessments, and maintaining awareness of emerging threats and best practices.

Conclusion

By integrating these best practices into their development workflows, developers can enhance the security, reliability, and maintainability of their software systems, ultimately providing better experiences for end-users and reducing the risk of security incidents.

As developers, we hold the responsibility to build secure and resilient software. By adhering to the best practices outlined in this enhanced security advisory, you can contribute to the creation of a safer development environment. Remember, your commitment to secure coding principles, vulnerability analysis, and active community engagement will help protect users and systems from potential threats. Let’s work together to ensure the integrity and security of open-source software development.

At first glance, February appears to be a big improvement cyber security-wise compared to the start of the year. The 632,595,960 breached records accounts for about a third of January’s total, and is considerably lower than the figures for this time last year.

Unfortunately, the number of breached records doesn’t tell the full story, as there were a whopping 105 incidents – making February 2020 the second leakiest month we’ve ever recorded.

You can find detailed breakdowns of some of the more notable incidents by subscribing to our Round-ups or by visiting our cheatsheet page where we have a dedicated variety of handy cybersecurity cheatsheets.

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

The new decade has begun relatively well, with a six-month low of only 61 disclosed cybersecurity incidents.

By comparison, 2019 saw an average of almost 80 data breaches and cyber attacks per month.

It’s not all good news, though. Several major incidents occurred in January, boosting the total number of breached records to a substantial 1,505,372,820.

That includes several worrying incidents involving UK organizations – which are highlighted in bold.

You can find detailed breakdowns of some of the more notable incidents by subscribing to our Round-ups or by visiting our cheatsheet page where we have a dedicated variety of handy cybersecurity cheatsheets.

In the meantime, you can check out the full list here:

Cyber attacks

Ransomware

Data breaches


Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

Throughout 2019, we kept an eye on the cyber attacks and data breaches reported in mainstream publications, releasing our findings in our monthly blog series.

This allowed us to see how many security incidents were occurring, how many records were involved and which industries were worst affected.

Did you know, for example, that July was the worst month of the year in terms of breached records? Or that the leading cause of data breaches was internal error?

With 2019 in the books, we’ve summarised these and other facts in the infographics below.

Source: IT Governance


November 2019 was a big month for data breaches, with a confirmed 1,341,147,383 records being exposed in 87 incidents.

However, almost all of those came from one leaked database, the origin of which was unclear at the time of writing.

Here is the full list of data breaches in November, accounting for the 1.34 billion records breached:

Cyber Attacks

Ransomware

Data Breaches

Financial Information

Malicious insiders and miscellaneous incidents

Source: IT Governance

CVE, or Common Vulnerabilities and Exposures, is a catalogue of publicly disclosed security vulnerabilities in which each entry receives a standard identifier. It covers flaws that went through coordinated disclosure as well as those first seen as zero-days, once they have been made public.

Webopedia also defines CVE as a dictionary-type list of standardized names for vulnerabilities and other information related to security exposures. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.

Useful tips about CVE:

  • It is run by the MITRE Corporation, a non-profit organization, with IDs assigned by MITRE and a network of CVE Numbering Authorities (CNAs). The official site is cve.org; attack.mitre.org is MITRE's separate ATT&CK knowledge base of adversary techniques, not the CVE list.
  • The CVE program aims to share vulnerability information easily and to provide a standard for naming vulnerabilities.
  • CVE IDs have the form CVE-YYYY-NNNN, where YYYY is the year the ID was assigned or the vulnerability was made public (not necessarily the year it was discovered) and NNNN is a sequence number of four or more digits.
  • Severity is not part of CVE itself. The Common Vulnerability Scoring System (CVSS), maintained by FIRST, assigns a base score from 0.0 to 10.0, where a higher score indicates greater severity; databases such as NIST's NVD attach CVSS scores to CVE entries.
  • The CVE program has been running since 1999, helping organizations improve their cybersecurity posture by providing a shared reference for vulnerabilities and exposures.
  • Because every disclosed vulnerability gets one standardized identifier, the same issue can be correlated across scanners, advisories, patch notes and vulnerability databases.
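Tooling constantly has to pull CVE IDs out of advisory text, changelogs and tickets, so here is an added example (written for this page, not taken from MITRE or the CVE program) that recognizes the identifier syntax described above and rejects malformed forms. The sample text and the IDs in it are constructed placeholders chosen to exercise the syntax; they are not statements about any real CVE record:

```python
import re
from datetime import date
from typing import List, Optional

# Loose pattern for finding candidate IDs in free text (case-insensitive).
CVE_CANDIDATE = re.compile(r"\bCVE-\d{4}-\d+\b", re.IGNORECASE)

# Strict syntax: 'CVE-' + four-digit year + '-' + a sequence number of at least
# four digits, where leading zeros only pad to four digits ('0001' is valid,
# '00001' is not). This is the form adopted in 2014, when the old fixed
# four-digit sequence was relaxed to four-or-more digits.
CVE_STRICT = re.compile(r"^CVE-(\d{4})-(0\d{3}|[1-9]\d{3,})$")


def is_valid_cve_id(candidate: str, reference_year: Optional[int] = None) -> bool:
    """Syntactic check plus a sanity check on the year: the program started in
    1999, and the year in an ID is the assignment/publication year, so it can
    never lie in the future. `reference_year` defaults to the current year."""
    if reference_year is None:
        reference_year = date.today().year
    match = CVE_STRICT.match(candidate.upper())
    if not match:
        return False
    year = int(match.group(1))
    return 1999 <= year <= reference_year


def extract_cve_ids(text: str, reference_year: Optional[int] = None) -> List[str]:
    """Pull every well-formed CVE ID out of free text, normalized to upper case,
    de-duplicated, and sorted by year and sequence number."""
    found = set()
    for match in CVE_CANDIDATE.finditer(text):
        cve_id = match.group(0).upper()
        if is_valid_cve_id(cve_id, reference_year):
            found.add(cve_id)

    def sort_key(cve_id: str):
        _, year, seq = cve_id.split("-")
        return (int(year), int(seq))

    return sorted(found, key=sort_key)


# Constructed sample text. The IDs below are syntactic placeholders chosen to
# exercise the parser; they are not claims about any real CVE record.
SAMPLE_ADVISORY = (
    "Patch notes: resolves cve-2019-1234 and again CVE-2019-1234 (duplicate), "
    "plus the six-digit CVE-2019-123456. Rejected forms: CVE-19-1234 (two-digit "
    "year), CVE-2019-012345 (over-padded sequence) and CVE-2999-1234 (future year)."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY, reference_year=2024))
```

The two-stage match (loose candidate, then strict syntax) is deliberate: the loose pattern finds every string that looks like an ID so that malformed ones can be reported rather than silently skipped, and the strict pattern enforces the padding rule that a single regex in free text tends to get wrong.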

In this article, we’ll explore the basics of CVE. But before that let’s quickly recap what vulnerabilities and exposures are.

Vulnerability

A vulnerability is a security flaw that may be exploited to carry out a cyber attack. Attackers probe systems for such flaws and exploit them with techniques including SQL injection, cross-site scripting, and buffer overflows.

Many organizations invest in specialized teams that test for vulnerabilities and provide security patches. Causes of vulnerabilities include weak passwords, operating system flaws, unintentional development bugs, and unchecked user input, among others.

Exposure

An exposure is a configuration issue or mistake, in a system or in software, that gives an attacker access to information or capabilities usable as a stepping stone into a system or network, without being an exploitable software flaw in itself.

Some of the largest data breaches are the result of exposures rather than active exploitation. For a sense of scale, the roundup of data breaches and cyber attacks for October 2019 alone counted 421 million breached records.

In those roundups, incidents are grouped as cyber attacks, ransomware, data breaches, financial information or PII data leaks, and malicious insiders and miscellaneous incidents.

CVE: Weighing the benefits and risks

CVEs are publicly available and may be exploited by malicious actors to launch cyberattacks. However, the benefits overshadow this risk.

  • CVE only lists publicly disclosed vulnerabilities and exposures. This allows individuals and organizations to be aware of the security flaws and available patches.
  • While organizations need to take care of several vulnerabilities to ensure security, a hacker needs to find just one flaw to exploit. This reinforces the importance of sharing details about vulnerabilities and exposures.

This article provides an elemental outline of CVE. For more details, you can refer to the official CVE website.

Thanks to a whopping data breach from an unknown server exposing 419 million data records, our monthly total comes to 531,596,111 breached records.

This brings the total amount of breached records for the year so far to 10,331,579,614.

September may have had fewer incidents than August at only 75, but overall there was a massive 363% increase on records breached.

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

At first glance, August has been a quiet month for data breaches, with a total of 114,686,290 breached records. That’s about 10 percent of the monthly average coming into the month.

But that figure comes from 95 incidents in total, which is the highest number of breaches we’ve had all year.

Let’s take a look at those breaches in full in our slightly tweaked monthly list. After a reader suggestion last month, we’re also listing the UK-specific incidents in bold. Let us know if you like that change or if you have any other suggestions for future months.

Cyber attacks


Ransomware

Data breaches


Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

Remember after last month’s relatively serene cyber security scene we said this wasn’t the beginning of the GDPRevolution?

July was bound to be a bounce-back month, but we couldn’t have expected the frighteningly high total of 2,359,114,047 breached records.

Granted, a big chunk of those come from a single incident – a mammoth breach involving a Chinese smart tech supplier – but as unimaginative football commentators say, ‘they all count’.

Let’s take a look at the full list:

Cyber attacks


Ransomware


Data breaches

Financial information

Malicious insiders and miscellaneous incidents

Source: IT Governance

Capital One Financial Corp. announced late Monday that more than 100 million people had their personal information hacked.

The hacker got information including credit scores and balances, plus the Social Security numbers of about 140,000 customers and 80,000 bank-account numbers from credit-card customers, the bank said. It will offer free credit-monitoring services to those affected. The hack affected about 100 million people in the U.S. and 6 million in Canada.

Capital One couldn’t say for sure whether the leaked data was used for fraud. It first heard about the hack on July 19, but waited until July 29 to inform customers; over that time, it sought help from law enforcement to catch the alleged perpetrator.

The hacker also stole names, addresses, phone numbers, dates of birth, credit scores and other financial data, Capital One said.

Two years after Equifax revealed that hackers accessed the personal information of up to 147 million people, the credit bureau recently announced a settlement for up to $700 million, including $425 million in relief for those who have been affected, although there are some key requirements people should be aware of before they file a claim.

Last year, Facebook announced that U.K.-based Cambridge Analytica improperly accessed 87 million Facebook users’ data. Facebook Chief Executive Mark Zuckerberg testified before Congress and vowed to do more to fix the problem, and help make sure that nothing like that happens again. Cambridge Analytica closed down in the wake of the scandal. Earlier this month, the Federal Trade Commission fined Facebook $5 billion.


WhatsApp, the messaging and audio app owned by Facebook, announced last May that hackers were able to install spyware on Android smartphones and Apple iPhones. “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” it said at the time.

More than 57 million customers of Uber had their data exposed by a massive hack in October 2016. Uber fired its chief security officer, Joe Sullivan, and one of his deputies for concealing the hack, which included the email addresses of 50 million Uber riders around the world. The revelation was made a year after the attack. It also affected 7 million drivers.


Be on your toes after a major hack or data breach. Consumers should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One address. Consumers need to be careful whenever they are contacted by an unsolicited caller. Hang up and call the number on your card. “Phishing” scams — calls, emails or text messages that appear to offer protection — are actually trying to get more data from customers.

Security experts generally recommend never re-using security passwords and say people should use two-factor authentication on their phones, which requires a user to put a code sent to a phone or email into an app or website in order to log in from a new device or to change a password. They also say those affected by such hacks should freeze their credit report.

Don’t be fobbed off by an offer of credit monitoring. Credit monitoring only looks for changes on a credit report, indicating that someone is using your personal information to open new accounts in your name. Here’s the bad news: such precautions would not have protected people against a data breach like the one Capital One announced Monday evening. Exposure of data that can’t be changed, such as Social Security numbers, is the hallmark of a particularly severe data breach.

Here’s what else you should do now:

1. Check if your accounts have been affected

There still aren’t many formal ways to check if your data has been compromised in a breach. Often, the company will alert affected customers, but they aren’t required to. Some states, like California, have laws requiring companies to disclose data breaches that affect a certain number of customers, and the Federal Trade Commission has discussed proposing similar regulations. Consumers can also monitor their credit report to shut down fraudulent activity as quickly as possible.

2. Know the difference between a credit freeze and a lock

A freeze means that a consumer cannot take out a new loan or credit card without “unfreezing” the report first, but it also prevents a hacker from taking out a loan in your name. Credit agencies also offer a service called credit “locking,” which offers the same protections as a freeze but typically costs a monthly fee. Contact Equifax, Experian and TransUnion to request a freeze.

3. Sign up for additional fraud protection

Those affected should sign up for services that go beyond typical credit freezing and alert services, such as Lifelock, EZ Shield and Identity Guard. The most basic version of Lifelock costs $9.99 per month and provides benefits including address change verification, help canceling or replacing lost credit cards, driver’s licenses, Social Security cards and insurance cards, plus a “restoration team” that helps correct any identity-theft issues and black-market website surveillance.

4. Know the difference between a hack and a breach

A breach is when data is unintentionally left unsecured and vulnerable to hacking, as a result of malicious activity or from negligence. A hack specifically refers to the activities of cyber attackers who purposely compromise IT infrastructure to steal information or to hold systems ransom; that’s what happened with Capital One. If your data was part of a breach, it’s possible it was just left exposed online and was not stolen.

Source: Market Watch