The hits keep coming for Sony. Unfortunately for the music label and technology icon, though, its latest hits aren’t the ones that chart on Billboard, but rather the kind that cost it money and give the company a black eye in the media.
A couple weeks back I wrote about two Sony Playstation security breaches that affected more than 100 million account-holders (77 million in the first with another 26 million last week), exposing personal information to hackers.
Now, this past Tuesday, yet another Sony entity was hit; this time it was a BMG music site in Japan. Hackers used a SQL Injection attack to gain access to Sony’s database of user information. This was the same type of attack used recently to expose info held by Sony Ericsson.
Taking credit for the latest attack on Sony was a group that calls itself LulzSec. In a post about the attack, the group of hackers wrote, “We just want to embarrass Sony some more. Can this be hack number eight? Seven and a half?!”
That’s a lot of vulnerabilities in just one month, yet Andy Greenberg at Forbes says the number of breaches at Sony is even higher:
“In fact, the number is closer to ten. Last week I assembled a chronology of seven incidents that have occurred in April and May, beginning with Anonymous’ attack on Sony websites. And in just the last days, Sony’s website in Greece was breached, along with the two reported SQL injection attacks against Sony BMG and Sony Ericsson.”
Where and when will it all end?
Bad Moon Rising
While it is not publicly known what caused most of the 10 breaches cited by Greenberg, the fact that the last two were SQL Injection attacks tells us something significant: both resulted from vulnerabilities in the database layer of the affected applications. Those vulnerabilities could have come from input that was not properly filtered, or not typed strictly enough, allowing it to be executed as part of a query. Whatever their exact nature, the causes were structural problems within the applications.
Sony isn’t alone in that respect. Many of the security breaches that have made the news in recent months began with some point of vulnerability – a structural issue – within the software code. Some of these vulnerabilities exist in newly created code, while others are inherited from existing code on top of which newer applications are built.
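To make the structural defect concrete, here is an added example (not code from the original post, and not Sony's or anyone else's actual application). It uses an in-memory SQLite table with constructed sample rows to contrast a lookup that splices unfiltered input into the query text with the same lookup using a bound parameter. The tainted input, table name and column names are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample data: a stand-in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, country TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, country) VALUES (?, ?)",
        [
            ("alice@example.com", "JP"),
            ("bob@example.com", "SE"),
            ("carol@example.com", "GR"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Unfiltered input is pasted into the query string, so the database
    # engine cannot tell data from code. This is the structural flaw the
    # article describes: input ends up executed as part of the query.
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, email):
    # The input travels as a bound parameter and is never parsed as SQL,
    # so the same string is matched literally and returns nothing.
    query = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(query, (email,))]


# Constructed tainted input: a textbook tautology appended to a value.
TAINTED = "nobody@example.com' OR '1'='1"


def demo():
    """Run both lookups against benign and tainted input; return results."""
    conn = build_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "alice@example.com"),
        "tainted_vulnerable": sorted(lookup_vulnerable(conn, TAINTED)),
        "tainted_parameterized": lookup_parameterized(conn, TAINTED),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point of the comparison is that the fix is not a filter bolted on at the edge but a change in how the query is built: with a bound parameter there is no string for hostile input to break out of, which is why static analysis tools flag string-built queries rather than trying to judge the input.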
While companies should be doing more during the build process to locate areas of potential risk, most do little or nothing. And when you consider that only 0.025% of the lines of code in an average enterprise application contain vulnerabilities, it might make sense that companies would not spend the time or money to find those issues. But the average business application contains over 400,000 lines of code; that minute fraction actually adds up to roughly ONE HUNDRED points of infiltration for potential hackers!
If points of vulnerability within the structure are not addressed during the build process, even the best security system will only tell you when someone or something has breached your structure; it won’t keep them out. In order to locate the potential risks within the software, it needs to be assessed before the application is deployed.
Automated analysis and measurement provides a way to see the whole application and go beyond one developer’s view of things like input validation, where a gap gives a hacker an easy entry, or a business transaction that might fail on its own. It also gives management the means to track, incentivize and ensure that security, stability and efficiency traps are not introduced into the enterprise software, whether inadvertently or maliciously. If you can see the potential threat, you can eliminate it before it becomes a security problem.
To truly get into rhythm and find harmony, a company should assess the structural quality of the application software before it is deployed to find and then fix potential breach points. Sony, in particular, needs to go back and perform static analysis of its application software if it hopes to change its tune to Bruce Springsteen’s “Better Days.” If they do not, they very likely will continue to see a “Bad Moon Rising” and wind up reprising Britney Spears’ “Oops, I did it Again.”
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and the liability implications of open source components – all three of which are critical for M&A due diligence.