As traditional enterprise perimeters become increasingly difficult for hackers to break through, they are turning their attention to the new weakest links in the chain. A handful of recent security breaches that affected Yahoo prove just how dangerous third-party software can be, and that an enterprise can take all the blame for security vulnerabilities in software that it had little to do with. CISOs have to understand that third-party software and vendors act as an extension of the enterprise itself and require the same security-based scrutiny as code built in-house.
The Yahoo Security Breach
No company is more aware of the danger posed by poor third-party code than Yahoo, which has suffered a number of high-profile incidents in recent years. In 2010, Yahoo acquired the online publishing platform Associated Content and rebranded it as Yahoo Voices. Even though the rebranding process didn't take long, Yahoo didn't immediately integrate the Yahoo Voices accounts into its own authentication process; rather, it relied on its existing platform. Two years later, a hacker found a SQL-injection (SQLi) vulnerability and used it to penetrate the Yahoo Voices servers, collecting more than 400,000 usernames and passwords.
A similar attack occurred later that year, when a hacker used SQLi to gain access to AstroYogi, an India-based astrological website. The problem for Yahoo was that it contracted with AstroYogi and rerouted users from its Lifestyle site to the affected astrological website, which operated under the Yahoo brand. Because user credentials had to be sent to the vendor, the hacker had access to the credentials of any user visiting the astrology site. In this particular case, the hacker appeared to be benign (going public with the hack only after Yahoo ignored requests to fix the vulnerability), but Yahoo's reputation certainly took a hit.
Yahoo was once again victimized in early 2014 when an unspecified number of account credentials for the company's popular email service were stolen, as detailed in Forbes. Yahoo claimed its servers were secure and that the breach occurred at a third-party database, but provided no further information on the attack.
The common thread between each Yahoo security breach isn't that the company can't secure its servers — in fact, its internal security seems to be robust — but rather that, in an age where outsourced IT is the norm, enterprises have to expand their security solutions to include third parties as well. With attacks on third-party software becoming so commonplace, CISOs need to consider the outsourced elements of their IT departments as their true security perimeters.
The Emerging Threat Posed by Third-Party Code
The two major attacks on Yahoo in 2012 occurred at the hands of a SQLi vulnerability, which consistently ranks as one of the most damaging vulnerabilities on lists such as the OWASP Top 10 and is exactly the kind of issue a true security solution is designed to address. No major company would survive if these types of vulnerabilities existed on its base software or websites, but it's all too common for smaller firms to forgo security testing and rely on their anonymity for protection.
When enterprises either acquire or contract with smaller firms, enterprise CISOs must demand that software undergo the same security scrutiny as rest of their systems and software. In fact, it's a good practice for CISOs to believe that all software received from third-party vendors is vulnerable until a reliable security report proves otherwise.
The problem becomes even more complicated when enterprises outsource certain aspects of their software development, which can restrict their access to an application's source code. CISOs have to insist that security standards and remediation rules be included in any vendor contract, and then supplement each contract with various security assessments. Once code is delivered, CISOs should ensure that it is scanned for security vulnerabilities before it is released into production.
Yahoo's recent struggles should serve as warning signs for other enterprise CISOs. Businesses can no longer continue to ignore the risks posed by unchecked third-party software; instead, they must seek complete vendor security solutions that align their entire security perimeters with corporate security standards.
Photo Source: Flickr