Where the vulnerabilities lie may matter less if network architects are security-minded when designing their websites. Thinking about security, then, must extend beyond the components of the enterprise website to the testing of third-party code.
In a blog earlier this year, The Media Trust wrote, "Considering more than 78% of the code executing on enterprise websites is from third-parties, IT/website operations departments cannot truly control what renders on a visitor’s browser. This inability to identify and authorize vendor activity exposes the enterprise to a host of issues affecting security, data privacy and overall website performance. And, your website isn’t immune."
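Identifying and authorizing vendor code starts with knowing which external scripts a page loads and whether each one is pinned. As an added example (not code from the article, Computerworld or The Media Trust), the Python below parses a constructed sample page for an assumed first-party host, lists every external `<script src>`, marks it first- or third-party, and flags third-party scripts that carry no Subresource Integrity (`integrity`) attribute; the hostnames, paths and the placeholder hash are all made up.

```python
"""Inventory the <script src> tags on a page and flag third-party scripts that
the page does not pin with Subresource Integrity (SRI).

Added example, not from the article: SAMPLE_HTML is a constructed page for an
assumed first-party host; every hostname, path and hash in it is invented.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOST = "www.example.com"  # assumed site host (constructed)

# Constructed sample page: one first-party script, one vendor script pinned
# with SRI (placeholder hash), one unpinned vendor script over plain http,
# and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor-a.example/lib.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="http://tags.vendor-b.example/tracker.js"></script>
<script>inlineCode();</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def inventory_scripts(html, first_party_host=FIRST_PARTY_HOST):
    """Return one finding per external script: origin, SRI pin, transport."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts ship with the page itself
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        third_party = host is not None and host != first_party_host
        findings.append({
            "src": src,
            "host": host or first_party_host,
            "third_party": third_party,
            "has_sri": "integrity" in attrs,
            "insecure_transport": src.startswith("http://"),
        })
    return findings


def unauthorized_vendors(findings):
    """Hosts whose scripts run in the visitor's browser without an SRI pin:
    whatever that vendor serves tomorrow renders on the page, unreviewed."""
    return sorted(f["host"] for f in findings
                  if f["third_party"] and not f["has_sri"])


def sri_for(body: bytes) -> str:
    """Integrity attribute value for a reviewed, known-good script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode()


if __name__ == "__main__":
    for f in inventory_scripts(SAMPLE_HTML):
        print(f)
    print("unpinned third-party hosts:", unauthorized_vendors(inventory_scripts(SAMPLE_HTML)))
```

Pinning a vendor script with `sri_for()` only helps if the vendor ships versioned, immutable files; a script that the vendor updates in place will simply stop loading, which is the point: the site operator, not the vendor, decides when new third-party code renders.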
While it's easy to look at that large percentage and agree with these findings, Michael Borohovski, co-founder of Tinfoil Security, said, "The vast majority of time, companies are getting exploited with the code they wrote. Big companies write a lot more custom code than small companies, but if you do have some combination of first and third, it’s more likely that you will be hacked on first-party."
While there are undeniably breaches that have occurred because of vulnerabilities in third-party code, more often than not, Borohovski said, "You have outdated software. You didn’t update for six months."
As it was in the Great Depression, so it is with security
President Franklin Roosevelt's sage words in his first inaugural address, "The only thing we have to fear is fear itself," apply also to today's digital enterprise and cyber security. Borohovski said a lot of companies struggle with network security, web app security, and third party/open source security.
"For each of these, you want to develop a culture of security," said Borohovski, "which doesn’t mean a culture of fear or lack of innovation. You innovate more rapidly because you are trying to write more bulletproof tools. If you don’t have your developers thinking about security, anything they write can be used by an attacker."
Eliminating that fear, said Borohovski, is one step toward prevention. "There is this idea that security is difficult. For attacks led by state-sponsored actors, that is true. For the vast majority, though, it’s not true. A lot of attacks can be prevented by any developer with the right tools and training," he continued.
Whether they are using software that they wrote or didn’t write, digital enterprises run the risk of having vulnerabilities. "When the OpenSSL vulnerabilities happened, like Heartbleed, it affected almost the entire internet. That was third-party software that no individual at any company wrote. It hadn’t gone through any rigorous security testing," said Borohovski.
In that example, the belief that more eyes make code safer did not hold. "Had they gone through some basic security testing," said Borohovski, that might have been avoided.