Continuous testing needed to find vulnerabilities in code, says vendor

Basic security hygiene, like identity and access management, can solve a lot of network-related security problems. However, software vulnerabilities that come from development slips are more subtle yet have the same outcome: data theft.

In its annual Top 10 list of application vulnerabilities of 2019, WhiteHat Security says it wants to show how even well-known products, like Google’s search page, can have bugs that could lead to intrusions.

“Even companies you think are secure, there’s always one level deeper that you can dig if you really look for them,” Bryan Becker, WhiteHat’s product manager, said in an interview.

Some of them are so obvious in hindsight, Becker said, such as the cache vulnerabilities on the list. Researchers used old techniques to find something new.

These are not the most commonly exploited application vulnerabilities, he added, but the ones discovered in 2019 that WhiteHat found most interesting.


One of the biggest lessons, he said, is that software developers and security teams have to work closely.

“Developers have challenges,” he said, “and these are shared with the security team. Developers have the challenge of writing secure code without actually knowing what that means, and the security team has the challenge of helping them know what that means and training them . . . but there are so many layers you can’t solve it in one easy fix.”

Among the vulnerabilities are:

  • Cross-site scripting (XSS) in Google Search: “It’s a vulnerability on Google, which no one expects to find,” Becker said, given the security resources the company has. This was, he admits, “a very obscure finding,” but clever. WhiteHat says the discovery of this bug highlights the importance of performing continuous testing on code staff may feel is already secure.
  • Cross-site leaks: Briefly, a vulnerability in cached information. The blog notes this is another attack that is not new but gaining momentum with HTTP caching being attacked from all fronts. While there are decent preventions against this attack, WhiteHat says, most of the internet is still prone to it. “Because cross-site leaks are used in various ways, make sure to always check for old attacks when deploying new code.”
  • DOM Clobbering Gmail: Using the well-known technique of “DOM Clobbering,” a researcher found a way to attack Gmail through a feature that makes it possible for emails to include dynamic HTML content. One solution: Include CSP headers. “At WhiteHat, we still find plenty of websites that do not include CSP (content security policy) headers in code.” CSP is a small step towards building a secure environment that can net powerful returns, says the blog.
  • Poisoning a cache to initiate a denial of service. “Ensuring that caching is secure can be difficult for companies,” says the blog. Becker’s advice to security teams for improving code is to “just be friends with the developers. If you can talk to each other and share ideas, everything else seems to flow naturally.”
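As an added example (not code from the article or from WhiteHat), the function below audits a Content-Security-Policy header for the settings that leave injected HTML or script unmitigated, which is the gap the DOM Clobbering and XSS items above point to; the weak and hardened policy strings are constructed for illustration.

```javascript
// Parse "directive src src; directive2 src" into a Map of directive -> [sources].
// Everything is lowercased for matching only (keywords are case-insensitive).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Return a list of findings; an empty list means no weak setting was detected.
function auditCsp(header) {
  if (!header || !header.trim()) return ['no Content-Security-Policy header set'];
  const findings = [];
  const policy = parseCsp(header);
  // script-src falls back to default-src; with neither, script loading is unrestricted.
  const scriptSrc = policy.get('script-src') || policy.get('default-src');
  if (!scriptSrc) {
    findings.push('neither script-src nor default-src set: script loading is unrestricted');
  } else {
    const hasNonceOrHash = scriptSrc.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
    // 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present.
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src allows 'unsafe-inline': injected inline scripts will run");
    if (scriptSrc.includes('*') || scriptSrc.includes('https:') || scriptSrc.includes('http:'))
      findings.push('script-src allows scripts from any host');
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  }
  // base-uri does NOT fall back to default-src; an injected <base> can redirect relative script URLs.
  if (!policy.has('base-uri')) findings.push('base-uri not set: injected <base> can redirect relative URLs');
  // object-src falls back to default-src, but policies that set only script-src often forget it.
  if (!policy.has('object-src') && !policy.has('default-src')) findings.push('object-src not restricted');
  return findings;
}

// Constructed examples: a permissive policy next to a hardened one.
const WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-RANDOM_PER_RESPONSE'; " +
  "object-src 'none'; base-uri 'none'; frame-ancestors 'none'";

console.log(auditCsp(WEAK_CSP));      // four findings
console.log(auditCsp(HARDENED_CSP));  // []
```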

The security team will give lists of the vulnerabilities it finds, Becker said. But it should also say, ‘Here’s the status of your team today, here’s where we want to get to in the next six months, here’s how we’re going to help you get there.’

“Make it a team effort.”


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
