Vulnerability Creep

“Why can’t we do (xyz) for this project – just this once.  I know it does not follow our security rules but everything else is so locked down it should be fine”.  Seems like I have this conversation a number of times in every project.  “Just this once… we are behind schedule…  please?”

Seems safe enough.  The team wants to download some open source components to speed up the project.  It’s only an informational site, so how risky can that be?  We use (top name brand) firewalls and just had a penetration test done by a well known company.  Plus all the real processing and information is in different security zones in the production cloud.  That means they are protected, and we don’t need to worry about the front end servers, right?

It is rather difficult to have complete knowledge of the environment we are working on these days.  We think we are locked down.  But a bad guy only needs to find one entry vector, out of potentially thousands of things we need to do right.

So the component is downloaded and it goes into production.  The project is a big success.  It’s used as a company example of how to do things fast.  But.. 6 months later the database administrator notices unusual activity in your member database.   Oops.

Another case of vulnerability creep.  How did this happen?

Suppose your downloaded component has a small bug that allows malware to be installed on your informational site – giving a bad guy root access to that server.  Perhaps from that server he has limited access to a cloud of application and database servers.   And perhaps the admin passwords for those servers are all the same, so he systematically guesses a password only once for each server, say once per month so as not to set off any alerts.  If there are 100 servers, that’s 100 attempts.  Per month.   So the password eventually falls.

In addition, the database connection strings are in clear text on your informational server.  What, clear text?  Tthat was required by one of the third party components.  Oops.  Totally forgot about that one.  So the bad guy only needs access to the informational server in order to get to your member database.

Other controls could be in play here as well.  Such as how does the bad guy get the data back out past our firewall?  Bad guys usually have this one figured out as well.   Stealth back channels over common ports do happen.

Security is everyone’s responsibility.  Let’s assume that a bad guy will penetrate our application or infrastructure at some point, and that our component needs to operate in a compromised environment.    When we ask for an exception to a security rule/policy, make sure we know what vulnerabilities we are potentially opening up.  We may need a compensating control.

Some day you will probably end up responding to a security incident.  But if you are thorough in development and implementation, maybe it won’t be with your system component.