Security Breaches

Security incidents

Poor security practices can damage our organization and many others. Our company may suffer direct losses from fraud or extortion. That damage is multiplied by the cost of remediation, customer compensation, regulatory fines, and lost reputation. Individuals will lose their jobs, up to and including the CEO $^{1}$. In 2017, the “WannaCry” ransomware affected more than 70 countries. It hit office computers, subway displays, and hospitals. The UK’s National Health Service got hit particularly hard, causing X-ray sessions to be canceled, stroke centers to close, and surgeries to be postponed. It put lives at risk $^{2}$.

In an epic game of one-upmanship, Equifax revealed in 2017 that 145.5 million US consumers’ identities had been stolen $^{3}$. And Yahoo! upped the ante in the same year when they announced that 3 billion Yahoo! accounts were stolen. We may have to discover alien life to get another order of magnitude increase.

System breaches

System breaches aren’t always about extracting data. Sometimes they are about implanting it, as in the case of false identities or shipping documents. That kind of effort may have contributed to California’s nut theft crisis in 2013 $^{4}$.

Security must be baked in. It’s not a seasoning to sprinkle onto our system at the end. Even if our company has a dedicated security team, we aren’t off the hook. We’re still responsible to protect our customers and our company. In this chapter, we’ll look at the top ten list of application vulnerabilities, as identified by the Open Web Application Security Project (OWASP). We’ll also consider data protection and integrity so that nobody loses their valuable nuts.

The OWASP top 10

Since 2001, the OWASP Foundation has cataloged application security incidents and vulnerabilities $^{5}$. Its member organizations contribute data from real attacks, so these are real lessons rather than “what-ifs.” One way that OWASP promotes application security awareness is through its OWASP top 10 list. It represents a consensus about the most critical web application security flaws, updated every three or four years. OWASP plans to release an updated and revised list in 2017. There’s still considerable debate, so the list here (based on “Release Candidate 1”) may not be the one that gets adopted. For that matter, it might actually turn out to be the 2018 update. It just goes to show that we can never stop worrying about security.

This section will briefly discuss the top 10 list, but check out the whole document if you want to know more. Be warned, though: you may not want to put anything on the internet ever again!

Injection

Injection is an attack on a parser or interpreter that relies on user-supplied input. The classic example is SQL injection, where ordinary user input is crafted to turn one SQL statement into more than one. This is the “Little Bobby Tables” attack $^{6}$. In that classic XKCD strip, a school administrator asks if the character’s son is really named Robert’); DROP TABLE Students;- -. While an odd moniker, Bobby Tables illustrates a typical SQL injection attack. If the application concatenates strings to make its query, then the database will see an early sequence of '); to terminate whatever query the application really meant to do. The next thing is the destructive DROP TABLE statement that does the dirty deed. The double-hyphen at the end indicates a comment so the database will ignore the remainder of the input (whatever was left over from the original query).

There’s no excuse for SQL injections in this day and age. It happens when code bashes strings together to make queries. But every SQL library allows the use of placeholders in query strings. Don’t do this: