Why Cybersecurity Starts with Your Code

By Justin Galloway

Every day we see or hear news about another security breach in some company, compromising thousands (or millions) of people’s personal information. But increasingly, these attacks are not limited to large companies and government entities.

Holding Your Info Hostage

Many small businesses and consumers find themselves victims of ransomware. Ransomware is a type of malicious software  that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. These payments usually come in the form of cryptocurrency such as Bitcoin. According to a March 2018 survey by security firm SentinelOne"The average estimated business cost as a result of a ransomware attack—including the ransom, work-loss, and time spent responding—is more than $900,000." 

This malicious software is usually a Trojan - a virus disguised as a legitimate file that a user may download. But as the WannaCry worm showed us in 2017, these files can be transferred from computer to computer automatically and without any human intervention.

Almost Human

One of the greatest threats to cybersecurity comes from emerging artificial intelligence (AI) that has the capability of mimicking human behavior patterns. The old ways of verifying human existence on a website has been either Captcha or Google’s reCaptcha that makes you choose elements within pictures (like choose all the pictures that contain a car). AI developed by cyber-criminals has become so advanced that it's now able to perform these tasks.

In 2013, a US-based start-up announced that it had cracked Captcha used by Google, Yahoo, PayPal and with a 90 percent accuracy. In late 2017, the researchers released a new report that their AI can now pass Google’s advanced reCaptcha 66.6% of the time. In a BBC article published late last year, Simon Edwards, a cybersecurity architect for cyber-security firm Trend Micro Europe stated, "We're not seeing attacks on Captcha at the moment, but within three or four months, whatever the researchers have developed will become mainstream, so Captcha's days are numbered."

How Developers Could be Part of the Problem

Both sides of the cybersecurity war have talented developers working against each other. But if companies (large and small) want to mount a solid defense against the growing population of cybercriminals, they need to consider a couple of things.

Hard-coding Passwords – while it may be tempting to take a shortcut, adding that account and password to your code makes it easier for cryptovirology software, AI or hackers to get in to it, as well.

Bad Encryption – Data that contains sensitive or personally identifiable information (PII) should always be encrypted when it's transmitted over your network. Data is most vulnerable at that point because it can be intercepted. Don’t try to use your own encryption either. Writing it yourself can be difficult for you but easy for the criminals to crack, so always use an industry-proven and -standard encryption library.

The implications of these poor practices recently were revealed in a recent article in the Daily Beast, when the FBI solved one the largest cybercrimes in U.S. history. Between 2010 and 2014, a 28-year-old Arkansas man named Kyle Milliken, and other acquaintances, stole email addresses and account passwords to feed a lucrative spam operation, affecting 168 million users of some of the internet’s most popular websites.

Milliken’s largest breaches included Imgur, Kickstarter, and the message board platform Disqus. "He started by looking at Disqus developers with accounts on the code repository site Github, running them one by one through his database collection. He scored a hit on one of the company’s programmers, logged into the man’s Github account, and downloaded Disqus’ code," the report from Daily Beast stated. "Inside he found what he was looking for: hard-coded credentials for Disqus’ Amazon cloud, where the company’s files were stored. He logged on and downloaded a database of at least 17.5 million people, their usernames, email addresses, and hashed passwords."

Regulation May Force Change

With the European Union’s General Data Protection Regulation (GDPR) going in to effect May 25, 2018, most companies will have no choice but ensure their code, data and PII is secure. Even though this is an European Union regulation, any multi-national company, even those based in the U.S., will have to comply or face penalties of up to 4% of that company’s revenue.

As of April 2018, recent polling shows that 60% of companies that do business with citizens of E.U. member nations will not be compliant by the May 25th deadline.

Remedy the Vulnerabilities

Collect dependencies and check them; identify vulnerable dependencies and remedy them. Using tools like SMART TS XL’s cross-referencing report will show you those dependencies and how they are referenced.

Finding those most troublesome of all coding bad practices, hard-coded user names and passwords, can mean hundreds of hours spent manually poring over lines of code. But instead of that approach, using advanced search features like those in SMART TS XL can make this task simple. 

Security isn't a function you can just tack on at the end of a project; the best advice is to build security standards into each stage of development. Hidden secrets in code don’t stay hidden forever; better you find them before someone with sinister motives does.

Tags: Application Development, Code Review, Legacy Applications, Cybersecurity, Security