Protecting Against Third-Party Code Exploits
By Samuel Greengard
Hardly a day goes by without news of another high-profile security breach. In December, Internet content provider Yahoo! found itself squarely in the crosshairs. A hacker based in Egypt breached the company's servers via a third-party application residing at the Yahoo! Website.
The hacker claimed to have a complete backup of one of Yahoo!'s domains, which could result in full access to the company's server for that domain. He also claimed to have full access to 12 Yahoo! databases and said he had discovered a major cross-site scripting (XSS) vulnerability.
Now, a month later, Internet security firm Imperva has pored over the details of the attack and examined what went wrong. Its January Hacker Intelligence Report "Lessons Learned From the Yahoo! Hack," examines how SQL injection vulnerabilities in third-party code present an ongoing danger to cloud computing security.
"From a business perspective, this attack underscores the security problem posed by hosting third-party code, as is often done with cloud-based services," points out Tal Beery, security researcher at Imperva. The use of third-party code and APIs that fall outside the scope of a site's developers is on the rise, and most sites now contain some form of external applications.
Unfortunately, "the situation left Yahoo! with full responsibility for securing the application on one hand, and a very limited capability to actually control the code on the other hand," Beery notes.
The upshot? Businesses must take greater responsibility for knowing what's on their sites and securing third-party code. In fact, "Executives should always assume third-party code—coming from partners, vendors, mergers and acquisitions—contains serious vulnerabilities," he says.
The report offers a number of specific steps organizations can take to better protect their sites and systems from rogue code. Among these:
· Include specific legal requirements within a contract that specify what your organization will and will not accept in terms of security methods and protections.
· Incorporate security due diligence in any merger or acquisition activity.
· Require coding standards and security requirements in every specification between your organization and the third party.
· Demand metric reports for the vendor's code to ensure that security protections are repeatable and verifiable.
· Insist that all security requirements are met prior to the code going live in your organization's IT and business environments.
· Require a comprehensive review of potential vulnerabilities resulting from new external services that operate in conjunction with current services.
· Stipulate that all vendors must provide code to produce a report specifying specific security issues and measures taken to address every task and deliverable.
The report also notes the importance of deploying a Web application firewall (WAF), which can serve as a security policy enforcement tool. It can block exploits and malware directed at vulnerable Web applications.
Finally, there's a need to harden system configurations by disabling irrelevant components that could aid a potential attacker. This includes switching off detailed error messages, restricting file and directory permissions, and deleting source code leftovers.