In late September, Shellshock exploded, becoming the internet's newest "big problem." Stemming from a flaw in Bash — the default shell for OS X and Linux, and often installed on Windows-based devices as well — the vulnerability caused a wave of panic, exploits and, subsequently, patches to fix this 25-year-old problem. But this is just the latest in a series of threats like Heartbleed and the Backoff point-of-sale (POS) malware, and companies are starting to wonder: Can IT security ever prepare for what's coming next?
According to Ars Technica, the fallout from this Bash bug is far from over. While security companies raced to find a quick fix, malicious attackers started looking for targets of opportunity and fine-tuning the Shellshock vulnerability to meet their needs; in fact, some cybercriminals are still using Google searches to find potential victims and execute new attacks. But there's a bigger problem: When agencies discover these kinds of flaws, their first act is typically to report the problem and enlist the aid of security researchers, who then develop proof-of-concept attacks to demonstrate threat severity. If these proofs appear before a patch is deployed, however, attackers are essentially supplied with a company's alarm code rather than being forced to break a window. This has led to a heated discussion about how such disclosure should be handled after flaws are discovered — is broad reporting always the right idea?
Regardless of the outcome of this debate, companies now have to operate in environments where vulnerabilities are common and attackers can gain access to threat profiles before patches are developed. Mo Rosen of Xceedium puts it in perspective: "You have to assume you've been breached. You operate with the mindset of a world where you've been partially breached all the time." Sounds terrifying — but there's a better way.
Joe Pelletier, senior product manager at CA Veracode, agrees that "vulnerabilities are inevitable" and will occur across internal, legacy and web applications; but, as demonstrated by Shellshock, third-party, highly popular applications are also at risk. For enterprises to achieve peace of mind in this kind of environment, they must leverage solutions that scale to the breadth of security challenges, respond to threats as they emerge and implement processes that reduce the risk of production vulnerabilities.
The first step to achieving these goals involves the use of software-component analysis programs that create an inventory of all third-party components, along with a portfolio-level view of which applications carry the most potential risk. Next, companies must invest in large-scale automation to test all applications, not just those defined as "critical" — no one considered Bash a critical program until Shellshock made an appearance. Finally, Pelletier has advice for companies looking to future-proof against new threats: they "need greater visibility into the third-party and open source components used in applications developed across their organizations. Applications are constantly changing and coming online, so implementing application perimeter monitoring programs are a great way to achieve this visibility."
Enterprises are understandably concerned about every piece of software and every application they use — when trusted programs go rogue and the publication of private information puts organizations at risk, it's difficult to find any measure of safety. Pelletier's right: Vulnerabilities are inevitable. But the right application discovery and testing solutions give insight into applications' ecosystems and offer active defenses against new threats, rather than waiting for the next big breach.
Photo Source: Descrier via Flickr