Sony: 'Oops!...I did it Again!'

by Jonathan Bloom

The hits keep coming for Sony. Unfortunately for the music label and technology icon, though, its latest hits aren’t the ones that chart on Billboard, but rather the kind that cost it money and give the company a black eye in the media.

A couple of weeks back I wrote about two Sony Playstation security breaches that affected more than 100 million account-holders (77 million in the first with another 26 million last week), exposing personal information to hackers.

Now, this past Tuesday, yet another Sony entity was hit; this time it was a BMG music site in Japan. Hackers used a SQL Injection attack to gain access to Sony’s database of user information. This was the same type of attack used recently to expose info held by Sony Ericsson.

Taking credit for the latest attack on Sony was a group that calls itself LulzSec. In a post about the attack, the group of hackers wrote, “We just want to embarrass Sony some more. Can this be hack number eight? Seven and a half?!”

That’s a lot of vulnerabilities in just one month, yet Andy Greenberg at Forbes says the number of breaches at Sony is even higher:

“In fact, the number is closer to ten. Last week I assembled a chronology of seven incidents that have occurred in April and May, beginning with Anonymous’ attack on Sony websites. And in just the last days, Sony’s website in Greece was breached, along with the two reported SQL injection attacks against Sony BMG and Sony Ericsson.”

Where and when will it all end?

Bad Moon Rising

While it is not publicly known what caused most of the 10 breaches cited by Greenberg, the fact that we know the last couple of attacks were of the SQL Injection variety reveals something significant. We know that both were the result of vulnerabilities within the database layer of the affected applications. Those vulnerabilities could have been the result of user input that was not properly filtered, or not constrained to the type the application expected, so that it ended up being executed as part of a query. Regardless of the exact nature of the vulnerabilities, the causes were structural problems within the applications.
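To make the defect concrete, here is an added example (not code from the original post, and not Sony's or BMG's code) showing the pattern the paragraph describes beside its fix. It uses Python's standard sqlite3 module with a constructed two-row table; the table name, columns and e-mail addresses are invented for the demo. The vulnerable lookup splices unfiltered input into the statement text, the parameterized lookup binds it as data, and the third lookup adds the type constraint the paragraph mentions.

```python
import sqlite3

# Constructed demo table; the schema and rows are invented for this example.
ROWS = [("alice@example.invalid", "premium"), ("bob@example.invalid", "free")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany("INSERT INTO users (email, plan) VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # Unfiltered input spliced into the statement text: a quote character in
    # `email` ends the literal and whatever follows is parsed as SQL, so a
    # tautology widens the WHERE clause to every row in the table.
    sql = "SELECT email FROM users WHERE email = '%s' ORDER BY id" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # Bound parameter: the driver passes the value separately from the
    # statement text, so it is compared as data and never parsed as SQL.
    sql = "SELECT email FROM users WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


def lookup_by_id_typed(conn, user_id_text):
    # Constraining the type is a second layer: anything that is not a plain
    # decimal integer is rejected before it ever reaches the database.
    if not user_id_text.isdecimal():
        raise ValueError("user id must be an integer")
    sql = "SELECT email FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id_text),))]


if __name__ == "__main__":
    conn = build_db()
    hostile = "' OR '1'='1"  # classic tautology, used here only to show the difference
    print("vulnerable:   ", lookup_vulnerable(conn, hostile))
    print("parameterized:", lookup_parameterized(conn, hostile))
```

Run stand-alone, the vulnerable lookup returns both rows for the hostile input while the parameterized one returns none, because the same string is treated as a literal e-mail address rather than as part of the query.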

Sony isn’t alone in that respect. It seems many of the security breaches in the recent spate that made the news began with some point of vulnerability – a structural issue – within the software code. Some of these vulnerabilities exist in newly created code while others extend from existing code on top of which newer applications are built.

While companies should be doing more during the build process to locate areas of potential risk, most do little or nothing. And when you consider that only 0.025% of the lines of code in an average enterprise application contain vulnerabilities, it might make sense that companies would not spend the time or money to find those issues. But the average business application contains over 400,000 lines of code; that minute fraction actually adds up to roughly ONE HUNDRED points of infiltration for potential hackers!

Better Days

If points of vulnerability within the structure are not addressed during the build process, even the best security system will only tell you when someone or something has breached your structure; it won’t keep them out. In order to locate the potential risks within the software, the software itself needs to be assessed before the application is deployed.

Automated analysis and measurement provides the means to see the whole application and go beyond one developer’s view of things like missing input validation, which provides an easy entry for a hacker, or any business transaction that might fail on its own. Furthermore, it provides management the means to track, incentivize and ensure that security, stability and efficiency traps are not introduced either inadvertently or maliciously into the enterprise software. In this way, if you can see the potential threat, you can eliminate it before it becomes a future security problem.
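As an added illustration of what an automated pre-deployment check can see that a single developer might not, here is a small static scanner written for this post. It is not CAST's product or any other vendor's tool, and it is deliberately simple: it parses Python source with the standard ast module and reports execute-style calls whose SQL text is assembled at run time, either inline or through a local variable. The sample module it scans is constructed for the example; the sink names and the variable-tracking rule are my own choices, and scope is ignored on purpose so the check errs toward reporting.

```python
import ast

# Constructed sample module to scan; it is not code from the original post.
SAMPLE_SOURCE = '''\
def lookup_vulnerable(conn, email):
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_fstring(conn, email):
    return conn.execute(f"SELECT email FROM users WHERE email = '{email}'").fetchall()

def lookup_safe(conn, email):
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()
'''

# Method names treated as SQL sinks (an assumption for this example).
SINKS = {"execute", "executemany", "executescript"}


def built_string_reason(expr):
    """Return why `expr` is a string assembled at run time, or None."""
    if isinstance(expr, ast.JoinedStr):
        return "f-string"
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
        return "% formatting or + concatenation"
    if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format"):
        return ".format() call"
    return None


def find_sql_built_from_strings(source):
    """Return sorted (line, reason) pairs for sink calls whose SQL argument is
    assembled at run time, directly or via a variable assigned such a string."""
    tree = ast.parse(source)

    # Pass 1: names bound to a run-time-assembled string. Scope is ignored, so
    # a name tainted anywhere in the module counts everywhere (over-reporting
    # is the safer failure mode for a pre-deployment check).
    tainted = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            reason = built_string_reason(node.value)
            if reason:
                tainted[node.targets[0].id] = reason

    # Pass 2: sink calls whose first argument is such a string, or a tainted name.
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in SINKS:
            continue
        arg = node.args[0]
        reason = built_string_reason(arg)
        if reason is None and isinstance(arg, ast.Name):
            reason = tainted.get(arg.id)
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_sql_built_from_strings(SAMPLE_SOURCE):
        print(f"line {line}: SQL statement built via {reason}")
```

On the sample module the scanner flags the lookup that assigns a %-formatted statement to a variable before executing it and the one that passes an f-string directly, and stays quiet on the parameterized lookup. A real analysis needs to follow values across functions and files, which is exactly the whole-application view the paragraph argues for; this check only follows them within one module.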

To truly get into rhythm and find harmony, a company should assess the structural quality of the application software before it is deployed to find and then fix potential breach points. Sony, in particular, needs to go back and perform static analysis of its application software if it hopes to change its tune to Bruce Springsteen’s “Better Days.” If they do not, they very likely will continue to see a “Bad Moon Rising” and wind up reprising Britney Spears’ “Oops, I did it Again.”

Jonathan Bloom, Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.