Adding to the Cost of Failure

by Jonathan Bloom

Woe is Sony.

Victimized by more than a dozen hack attacks earlier this year, most of them at the hands of the LulzSec group, which gained unauthorized access to more than 100 million customer data files, the gaming, media and electronics giant has faced massive lawsuits and reparation payments, not to mention the embarrassment that the massive data breaches have caused it.

Now, further compounding the fallout, Zurich American Insurance Company, which insures Sony, has sought to have the courts declare it is not responsible for defending or indemnifying the company from the ocean of legal claims filed against Sony in the wake of the numerous data breaches that befell it earlier this year.

Running Tab

At last count, Sony has been hit with 55 class action lawsuits and has already projected losses in operating profits to the tune of $178 million over the rest of the year due to the data breaches. With its insurer all but trying to abandon it, Sony has to be reeling from the blows.

But before anybody jumps to Sony’s defense or sheds a tear for the company’s misery, perhaps we need to take a look at why this happened – that is, why it happened beyond the reason that a bunch of pretty intelligent hackers wanted to embarrass them.

While it is not publicly known what caused most of the breaches at the various units of Sony, we do know that the last couple of attacks were of the SQL injection variety. This reveals a significant fact – the breaches were the result of vulnerabilities within the database layer of the affected applications. Those vulnerabilities could have been the result of latent issues in legacy applications that Sony had built on top of as it updated and upgraded its applications. They could also have resulted from input that was not properly filtered, or not typed precisely enough, allowing it to be executed unexpectedly. Regardless of the exact nature of these vulnerabilities, the causes come down to one thing – structural problems within the applications.
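The database-layer flaw described above, shown as an added example that is not from the original post or from Sony's code: the same lookup written with input spliced into the statement text and with parameter binding, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    conn.commit()
    return conn

def lookup_unsafe(conn, name):
    # Unfiltered, untyped input becomes part of the statement text, so the
    # input can change the structure of the query (the flaw the post describes).
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Parameter binding fixes the query structure up front; whatever the input
    # contains is only ever compared as a value, never parsed as SQL.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"              # constructed hostile input
    print(lookup_unsafe(conn, probe))   # every email: the WHERE clause was rewritten
    print(lookup_safe(conn, probe))     # []: the string is treated as a literal name
```

The only difference between the two functions is whether the input is allowed to reach the SQL parser, which is exactly the structural property a build-time review should check.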

A Penny Saved

While Sony seems to have been the hardest hit and most frequently targeted private-sector organization this year (the U.S. Government is a more frequent target), it is far from alone as the bearer of the bull’s-eye. Across the growing roster of major corporations that have been the prey of hackers this year (Sony, Sega, Citi, RSA, et al.), each breach began with some point of vulnerability – a structural issue – within the victim’s software code. Some of these vulnerabilities exist in newly created code, while others have carried over from issues in legacy code that either were dormant or were not exploitable when the original code was written.

While companies should be doing more during the build process to locate areas of potential risk, most do little or nothing. And when you consider that only 0.025% of the lines of code in an average enterprise application contain vulnerabilities, it might make sense that companies would not spend the time or money to find those issues. But the average business application contains over 400,000 lines of code; that minute fraction actually adds up to roughly ONE HUNDRED points of infiltration for potential hackers – talk about leaving the back door open!

Closing the Vault

Even the best security system will only tell a company when someone or something has breached its structure; security software won’t keep out the unauthorized. In order to locate the potential risks within software, IT departments need to be more vigilant and perform thorough structural analysis of applications. By performing intensive application analysis, a company can identify points of vulnerability within the structure of its application software during the build process and know where the holes are that need plugging before an application is deployed.

Manual assessment of application software, however, is tedious, expensive and grossly inefficient. If that analysis can be automated, the company gains the ability to see the whole application much more efficiently and to go beyond one developer’s view of things like input validation – which provides an easy entry for a hacker – or any business transaction that might fail on its own. Furthermore, it gives management the means to track, incentivize and ensure that security, stability and efficiency traps are not introduced, either inadvertently or maliciously, into its enterprise software. In other words, by gaining visibility into the potential threat, the company can eliminate it before it becomes a future security problem.

At a time in world economics when no company can afford to take on the added debt of making financial reparations to customers whose personal information has been accessed by unauthorized parties, Sony and other breach victims would do well to watch their back doors as much as they do their bottom lines.

Jonathan Bloom Writer, Blogger & PR Consultant
Jonathan is an experienced writer with over 20 years writing about the Technology industry. Jon has written more than 750 journal and magazine articles, blogs and other materials that have been published throughout the U.S. and Canada. He has expertise in a wide range of subjects within the IT industry including software development, enterprise software, mobile, database, security, BI, SaaS/Cloud, Health Care IT and Sustainable Technology. In his free time, Jon enjoys attending sporting events, cooking, studying American history and listening to Bruce Springsteen music.