CAST

Don’t Be ‘Forever’ Vulnerable: Improve Your AppSec Posture

by Jonathan Bloom

Fashion retailer Forever 21 joined a very trendy, yet unexclusive club earlier this month when it announced its point-of-sales systems may have been breached, exposing the credit-card information of its customers. It may also have joined an equally unexclusive group of members within that club – those with breaches caused by application security issues, which companies could have found with automated code review.

As reported to Forever 21 by a third-party monitor, the breach reportedly took place between March and early November of this year. Ironically, the third-party monitor indicated that hackers accessed Forever 21’s databases through its point-of-sales systems in locations where the encryption and tokenization applications implemented in 2015 to prevent data loss were not operating properly.

One thing most security breaches have in common is that they are the result of some application quality defect that serves as a point of vulnerability. Eliminating that vulnerability should, therefore, thwart any attack that slips through the “human” layer of defense.

Nevertheless, retailers are leaving themselves very vulnerable in the rush to compete with Amazon on a customer engagement level. The most recent CAST Report on Application Software Health (CRASH) found that .NET applications developed using waterfall methods had higher average densities of security flaws, while Java applications that released to production more than six times per year had higher densities of security flaws.

The report also found that while retailers had a lower average density of security flaws for Java applications than some other industries (about three per 1,000 lines of code), their average density of security flaws in .NET applications was among the highest (about 7.5 per 1,000 lines of code). Either way, that’s still a substantial risk!

If a back end application has a half million lines of code, even using the lower of the two average densities there still are (on average) 1,500 security flaws…

1,500 vulnerabilities for hackers to exploit…

Death by 1,500 cyber papercuts!

Therefore, as retailers implement new applications to enhance customer engagement, they also may be putting those consumers at a greater risk of breach or credit card theft.

To prevent this, it is critical to perform automated code review during the implementation process to determine whether any defects arise. Waiting until after implementation is too late, because the defects most likely to cause security breaches are difficult to detect through standard testing. Performing automated code review as you implement applications will detect issues with application structural quality, allow you to address them before completing implementation, and prevent your company from being “forever” vulnerable.

Jonathan Bloom, Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.