Unauthorized access to sensitive data, often discussed as sensitive data exposure or sensitive data leakage, is a pervasive problem that affects even brands widely recognized as having some of the world's most mature software security initiatives, including Instagram and Amazon. Sensitive data includes financial data such as bank account information, personally identifiable information (PII), and protected health information (PHI): information that can be linked to a specific individual and relates to their health status, the provision of their care, or payment for it.
If an organization suffers a breach of sensitive data, it is expected to notify the relevant authorities. Under GDPR, for example, the breached firm must report the breach to its supervisory authority within 72 hours of becoming aware of it. Such an incident can damage the brand, erode customer trust and with it business, draw regulatory penalties, and leave the organization funding the investigation into how the leak happened. Data breaches may also lead to lawsuits, so an incident of this kind can be incredibly detrimental to the future of an organization. A variety of regulations around the world emphasize the importance of protecting sensitive data. So why are we still seeing this issue persist?
While we tend to hear only about the largest brands suffering a breach in the news, it is not only giant enterprises that are at risk. Small- and medium-sized firms are equally, if not more, susceptible to sensitive data leakage. The payoff for an attacker is smaller, but smaller companies are also less likely to have strategies in place to detect, prevent, and mitigate the vulnerabilities that lead to a breach.
To avoid a sensitive data leak turning into a breach, firms of all sizes need to pay attention to application security. Firms often build their own applications, and almost always rely on pre-existing applications to run their business, so both need to be covered.
If you build your own applications, test them extensively for security. Interactive application security testing (IAST) lets you perform security testing during ordinary functional testing, using the traffic your existing tests already generate. IAST reduces the need to bring in experts for routine vulnerability assessment, though it does not replace a manual review of business logic and design flaws that no instrumentation can observe.
IAST solutions help organizations identify and manage the security risks of vulnerabilities discovered in running web applications, using dynamic (runtime) testing techniques. IAST works through software instrumentation: an agent inside the application runtime monitors the application as it runs and gathers information about what it does, which data it handles, and how it performs.
A frequently cited figure puts 84 percent of all cyber-attacks in the application layer, so take an inventory of the data your organization's applications handle and develop policies around it: what types of data you store, how long you keep it, and who requires access to it. Don't store data you don't need as a business, keep it only as long as necessary, and enforce the retention policy. Put authorization and access controls in place around that data, store passwords only as salted password hashes rather than in the clear, and train employees on how to handle this data.
It is simple to recommend that firms inventory the data their applications process; in reality it is a massive undertaking. Where do you even start?
IAST not only identifies vulnerabilities but verifies them as well. With traditional application security testing tools, a high false-positive rate is a common problem. Because an IAST agent observes the actual request, the actual data flow, and the actual sink at runtime, each finding is backed by evidence that the weakness was exercised; this verification helps firms understand which vulnerabilities to resolve first and minimizes false positives.
Sensitive data in web applications can be monitored through IAST, which addresses the data leakage problem described above. IAST monitors web application behavior, including code, memory, and data flow, to determine where sensitive data goes: whether it is written to a file without protection, whether it is exposed in a URL, and whether proper encryption is applied. If sensitive data is handled improperly, the IAST tool flags the instance. There is no manual searching for sensitive data; the tooling detects it on behalf of the application owner, who can also adjust the rules to fit their own goals.
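As an added example (not code from the original article, Synopsys, or any IAST product), the following toy Python model shows the three mechanisms behind the instrumentation described above: tagging data at a source with its classification, propagating the tag through the string operations an application performs, and checking for it at sinks (URL query strings, log lines, file writes) where a sensitive value must not appear in the clear. A real agent hooks the language runtime rather than requiring the application to call wrapper functions; the names `Tainted`, `Agent`, `encrypt_stub`, the rule names, and the sample account number and email are assumptions made for illustration.

```python
"""Toy runtime taint tracker in the style of an IAST agent (illustrative, not a product)."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlencode


class Tainted(str):
    """A str that carries a data-classification label such as 'PII', 'PHI' or 'financial'.

    An IAST agent attaches this kind of tag when data leaves a source (a database
    column, a form field) and keeps it alive through the operations below so the
    tag can be recognised when the value reaches a sink.
    """

    def __new__(cls, value, label):
        obj = super().__new__(cls, value)
        obj.label = label
        return obj

    def __add__(self, other):          # tainted + anything stays tainted
        return Tainted(str.__add__(self, other), self.label)

    def __radd__(self, other):         # anything + tainted stays tainted
        return Tainted(str.__add__(other, self), self.label)

    def upper(self):
        return Tainted(str.upper(self), self.label)


@dataclass
class Finding:
    rule: str
    label: str
    sink: str
    detail: str


class Agent:
    """Records a Finding whenever tainted data reaches a sink in a disallowed way.

    `rules` maps rule name -> enabled flag; the application owner can switch rules
    off (or add their own) to fit the data-handling policy of the application.
    """

    def __init__(self, rules=None):
        self.rules = {
            "sensitive-in-url": True,
            "sensitive-in-log": True,
            "sensitive-to-file-unencrypted": True,
        }
        if rules:
            self.rules.update(rules)
        self.findings = []

    def _report(self, rule, value, sink, detail):
        if isinstance(value, Tainted) and self.rules.get(rule, False):
            self.findings.append(Finding(rule, value.label, sink, detail))
            return True
        return False

    # --- instrumented sinks ---------------------------------------------------
    def build_url(self, base, params):
        """Sink: query strings end up in browser history, proxy and server logs."""
        for key, value in params.items():
            self._report("sensitive-in-url", value, "url", f"query parameter {key!r}")
        return base + "?" + urlencode(params)

    def log(self, line):
        """Sink: application log line."""
        self._report("sensitive-in-log", line, "log", "log line")
        return str(line)

    def write_file(self, path, data, encrypt=None):
        """Sink: file write. If `encrypt` is given, the plaintext is transformed before
        it reaches the sink, so the tag is gone and no finding is raised."""
        if encrypt is not None:
            data = encrypt(data)
        self._report("sensitive-to-file-unencrypted", data, "file", f"write to {path}")
        return data


def encrypt_stub(plaintext):
    """Stand-in for a real encryption call (an AEAD such as AES-GCM in production).
    Only the taint behaviour matters here: the output is a fresh, untainted str."""
    return "ENC(" + hashlib.sha256(str(plaintext).encode()).hexdigest() + ")"


def demo(agent=None):
    """Constructed sample: a handler that mishandles a bank account number and an email."""
    agent = agent or Agent()
    account = Tainted("DE89370400440532013000", "financial")   # source: tagged DB field
    email = Tainted("alice@example.com", "PII")                 # source: tagged DB field

    agent.build_url("https://bank.example/statement", {"acct": account, "view": "pdf"})  # flagged
    agent.log("lookup for " + email)                                                      # flagged
    agent.write_file("/tmp/export.csv", account)                                          # flagged
    agent.write_file("/tmp/export.enc", account, encrypt=encrypt_stub)                    # clean
    agent.build_url("https://bank.example/help", {"topic": "fees"})                       # clean
    return agent.findings


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running `demo()` yields three findings, one per sink that saw a tagged value in the clear, and none for the encrypted write or the URL carrying only non-sensitive parameters; passing `Agent(rules={"sensitive-in-log": False})` drops the log finding, which is the rule tuning the article refers to. Note that this toy drops the tag on operations it does not override (slicing, f-strings), which is exactly the propagation gap a real agent must close in the runtime.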
Applications are also built from many components: proprietary code, third-party components, and open source components. Think of it like Lego: any one (or more) of the pieces could be vulnerable, so when testing your applications it is critical to test all three areas.
Nor can we forget the implications of growing cloud adoption. With more and more sensitive data stored outside the network perimeter, both the risk and the attack surface increase. Regulatory pressure is increasing too, as is the need to deliver more with fewer resources in the shortest time possible. Under these circumstances, IAST is one of the most effective ways to test applications for security flaws and sensitive data leakage, and so to prevent breaches.
About the author: Asma Zubair is the Sr. Manager, IAST Product Management at Synopsys. As a seasoned security product management leader, she has also led teams at WhiteHat Security, The Find (Facebook) and Yahoo!
Source: Infosec Island