This is a guest post from our partner and service provider, Cigital.
Cigital has been conducting vulnerability scans of applications that use the QuickBooks API for the past few years. Although these applications come from different companies, we observe the same set of issues again and again. This blog post covers the top HIGH severity issues that recur in our vulnerability scans, the impact of each, and how best to prevent them. The top HIGH severity issues are:
Let’s now look at each of the above and understand the impact of these vulnerabilities if they are not mitigated:
We won’t talk about the other findings in detail here, but we do want to mention what the impact may be.
- Unencrypted login request: Sending user credentials unencrypted allows a man-in-the-middle to steal them. Programs such as Wireshark can sniff unencrypted packets that contain the account credentials.
- SQL injection: An attacker can perform database operations, such as deleting tables or retrieving sensitive data stored in the database.
- Phishing through URL redirection: If users see a URL that starts with a trusted domain, they are likely to click on that link. Phishing scammers use the URLs of pages that have redirection functionality to trick users into visiting a phishing site.
Now that we know the security impact of the above vulnerabilities, and understand that fixing them at the deployment stage costs far more than fixing them earlier in the SDLC, the next step is to understand how best to prevent them from occurring in the first place, and/or to catch them earlier in the SDLC process.
Prevention can be reasonably successful through a combination of security training for developers and technology deployed in the developer’s IDE, at minimal cost.
- Technology plugin in the developer’s IDE: In this case, the technology would have flagged 60% of the HIGH severity issues during the code development stage, with appropriate remediation guidance for the developer to fix the issues while coding. Security needs to be introduced into the SDLC as early as possible. Cigital’s SecureAssist (CSA) is an IDE plugin that provides guidance to developers as they write code. For instance, a developer may be writing a SQL query by concatenating user input. CSA describes the issues introduced by concatenating user input into queries, and provides language-specific guidance, with code samples, on how to remediate them.
- Training: Training the development group is essential. Introducing developers to industry best practices and providing them with training is a key step towards developing secure code. Developing code using best practices prevents vulnerabilities from being introduced during development. Cigital’s instructor-led training and BuildSecure eLibrary provide comprehensive, company-wide online training covering various languages and platforms.
- On-demand remediation helpdesk: Our services are designed to meet the varying needs of our clients. We understand that there are cases where the standard remediation guidance may not apply, or where developers need to discuss an issue or its remediation in detail. Cigital’s on-demand secure remediation helpdesk service gives developers the ability to discuss individual issues with security experts as the need arises. Once the request ticket is submitted, Cigital consultants follow up with the requester to discuss specific details and provide detailed guidance.
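The SQL injection finding above, and the concatenated-query scenario the IDE plugin flags, side by side with the parameterized form that remediates it. This is an added example, not code from the original post or from Cigital's SecureAssist; the `customers` table, the sample rows and the hostile input are all constructed here for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small accounting-style table of the kind an
    # application integrated with the QuickBooks API might keep locally.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO customers (name, balance) VALUES (?, ?)",
        [("Acme Supply", 1250.00), ("Blue Bakery", 80.50), ("Cedar Dental", 4300.00)],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The pattern the post warns about: user input concatenated into the query
    # text, so a quote character in the input changes the statement itself.
    sql = "SELECT name, balance FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Remediated form: the value is bound as a parameter. The database driver
    # keeps it as data, so it can only be compared against, never parsed as SQL.
    return conn.execute(
        "SELECT name, balance FROM customers WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "Blue Bakery"
    # Constructed hostile input: closes the quoted literal and appends a tautology.
    hostile = "x' OR 'a'='a"
    print(lookup_vulnerable(conn, benign))   # one row, as intended
    print(lookup_vulnerable(conn, hostile))  # every customer's balance leaks
    print(lookup_safe(conn, hostile))        # [] : no customer literally has that name
```

Static scanners, including the IDE plugin described above, flag the string concatenation in `lookup_vulnerable`; the fix is always to bind values as in `lookup_safe` rather than to filter characters out of the input.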
Senior Security Consultant, Cigital Inc.
Software Confidence Achieved.