When you’re on a roll, ride it out. I’ve been on the “Redux” train for a couple of days. I usually do this when I review our security architecture initiatives at the end of the year.

Way back in 2000, I said in a USA Today interview that it wouldn’t surprise me if there were product liability lawsuits against software vendors because their code had simple, well-known errors that could cost customers like you and me a lot of money and loss of reputation. I regret making that statement, but not for the reasons you may think.

My thought was that software vendors would start fixing their code by removing well-known software vulnerabilities. What happened instead was that End User License Agreements (EULAs) were modified to absolve the vendor of any damages caused by their product, or to limit the damages to the purchase price of the software. Read the EULA of software purchased by your company to see if such a clause exists.

All is not lost. Some software vendors have made good-faith efforts to fix as many errors as possible in their products. Certainly the OS vendors (Windows, Mac OS X, Unix/Linux) have made tremendous strides in eliminating vulnerabilities from their OS products. Application software vendors are slower in responding.

It’s time for us to understand what vulnerabilities may be present in a vendor application before it bites us. Application security questionnaires are a good first step in helping you determine what compensating controls you may need to purchase. Take a look at the brief to see an example of such a questionnaire.

This form is sent to the vendor as part of the purchase process. The results are analyzed by the IT security office, which then passes a recommendation to the purchaser. The recommendation may range from a) the product looks OK to b) you can buy the product, but you will need to purchase additional hardware or software to protect your sensitive data.

Our intent is not to prevent a department from buying a software package but to inform them of the risks of using such a package.

Some vulnerabilities, like SQL Injection and Cross-Site Scripting, have been publicly documented since the late 1990s. Why are they still in software products created in 2014? Why are we still buying such products?
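To make concrete what a questionnaire is really asking about, here is an added example (not code from the original post or from any vendor product) showing the two errors named above in their simplest form, each beside the fix. The user table, the login and greeting functions, and the attack strings are all constructed for illustration; the point is that the "fixed" versions are no longer or harder than the broken ones, which is why their continued presence in shipped products is so hard to excuse.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: an in-memory SQLite database with two users.
    # "bob" is the account an attacker would want to reach.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 0), ("bob", "hunter2", 1)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The classic SQL Injection error: untrusted input is concatenated
    # straight into the query text, so a quote in the input ends the
    # string literal and the rest of the input becomes SQL.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # The fix: placeholders. The driver sends the values separately from
    # the statement, so a quote in the input is only ever data.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(name):
    # The classic Cross-Site Scripting error: untrusted text pasted into
    # HTML as-is, so "<script>" in the name is interpreted by the browser.
    return "<p>Welcome, " + name + "</p>"


def render_greeting_escaped(name):
    # The fix: encode the five HTML-significant characters (& < > " ')
    # so the browser renders the name as text rather than as markup.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demo():
    # Runs both attacks against the broken and fixed versions and returns
    # the outcomes so they can be compared side by side.
    conn = make_db()
    # The "--" starts a SQL comment, discarding the password check entirely.
    sqli_payload = "bob' --"
    xss_payload = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable": login_vulnerable(conn, sqli_payload, "wrong"),
        "sqli_fixed": login_parameterized(conn, sqli_payload, "wrong"),
        "xss_vulnerable": render_greeting_vulnerable(xss_payload),
        "xss_fixed": render_greeting_escaped(xss_payload),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

With the `bob' --` username the vulnerable login returns `bob` without the password ever being checked, while the parameterized version returns nothing because no user is literally named `bob' --`. A questionnaire item such as "does the product use parameterized queries for all database access?" is asking exactly whether the vendor wrote the second function or the first.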

Here’s a great little presentation on the top five application errors. As a disclaimer, I’m not associated in any way with Veracode.

See you next time.
