The Department of Energy recently released a report offering further insight into a breach that occurred at the agency last year. The breach could largely be attributed to poor vulnerability management on the part of the agency, Inspector General Gregory Friedman noted. As concerns about organizations' slow and irregular patch management procedures continue, software vendors have a strong incentive to improve the overall quality of their products.
The DOE breach, which exposed the personal information of more than 100,000 past and current federal employees and contractors, occurred because hackers were able to take advantage of unpatched, vulnerable software, Friedman concluded. In some cases, patches hadn't been applied to software dating back to 2011.
"Critical security vulnerabilities in certain software supporting the MIS application had not been patched or otherwise hardened for a number of years," Friedman wrote.
Database updates often have complex and unpredictable effects, which leads many administrators to ignore patches, a recent Dark Reading article noted. Additionally, databases are vulnerable not only to flaws within the database itself but also in any applications that connect to it.
"If an application uses a database back-end – as they always do – and that application is vulnerable to attacks, SQL injection, for example, then the database that it has rights to read and write from becomes vulnerable to the same attack," Barry Shteiman, director of security strategy for Imperva, told Dark Reading contributor Ericka Chickowski. "It is a chain reaction."
Protecting the data
With the combination of application-level threats and poor patching practices, software vendors can help clients protect their users' data by building higher quality programs to begin with. By getting more aspects of the software right up front, the vendor reduces the number of updates and the amount of work required to meet software security needs down the line, a Forrester report explained. One of the best approaches companies can use is to design architectures as simply as possible to reduce the risk of errors.
"Simpler, cleaner designs result in code that is simpler, cleaner, and easier to test and rework – which means that the code will have fewer bugs and that those bugs will be easier to diagnose and repair," Forrester's Margo Visitacion and Mike Gualtieri wrote.
One of the best ways to improve design is to define requirements more clearly up front and to keep clear channels of communication open among developers as they refine the program and requirements change, they added. Developers can also test more intelligently and efficiently by focusing their efforts on the most critical portions of the code, catching bugs in the most vulnerable features; when the goal is protecting a database, that might mean the code that interacts with the database back end. Smarter testing tools such as static analysis software can simplify and speed up the testing process itself.
"Automating testing is particularly useful for teams using Agile processes, because they are apt to test more often, across many iterations," Visitacion and Gualtieri wrote, adding that doing so will reduce defects.
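To make Shteiman's "chain reaction" and the Forrester advice on targeted, automated testing concrete, here is an added example that is not from the article or any of the vendors it cites. It puts a lookup that splices user input into SQL next to its parameterized form and wraps both in a small regression check aimed at the database-facing layer; the in-memory SQLite table, its rows and the `employees` name are all constructed for the demo.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory back end standing in for a real database (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(1, "alice", "000-00-0001"), (2, "bob", "000-00-0002")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Application-level flaw: the caller's input becomes part of the SQL text,
    # so every right the application holds on the database is exposed to that input.
    sql = "SELECT id, name FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened form: the driver binds the value as data, so it is never parsed as SQL.
    return conn.execute(
        "SELECT id, name FROM employees WHERE name = ?", (name,)
    ).fetchall()


def injection_regression_check(lookup):
    """Targeted automated test for the database-facing code.

    A name that matches no row must return no rows. If a crafted, non-matching
    name returns rows, the lookup is letting input alter the query.
    Returns True when the lookup passes, False when it is injectable.
    """
    conn = build_demo_db()
    crafted_name = "nobody' OR '1'='1"  # constructed test input, not a real name
    rows = lookup(conn, crafted_name)
    conn.close()
    return len(rows) == 0


if __name__ == "__main__":
    print("vulnerable passes:", injection_regression_check(lookup_vulnerable))      # False
    print("parameterized passes:", injection_regression_check(lookup_parameterized))  # True
```

Running the check in CI for each function that touches the back end is the kind of focused, repeatable test the Forrester authors describe; a lookup that fails it has handed the caller the application's database rights.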
While strengthening database security will remain a constant challenge, vendors can help end users out by building higher quality applications and database architectures. Rather than buying into the expectation that organizations will stay up to date with patch cycles, developers can offer stronger software security up front.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.