Security bugs may have wildly disparate paths of extermination. Some are quietly patched with code updates, while others make the national news and trigger companies’ incident response plans. Is your company aware of the data security vulnerabilities it should be addressing? Is your company prepared to respond to a researcher who notifies you of a serious bug, or perhaps notifies the media without any prior notice?

Bugs in all shapes and sizes. Data security vulnerabilities exist for any number of reasons. For example, companies cause their own, such as by misconfiguring implementations or poorly coding websites and mobile applications, leaving them open to common attacks. They also may be using flawed software provided by a vendor and have little control over the vulnerabilities or resolving them, other than waiting for a vendor patch. Or the underlying platforms, operating systems, and transmission methodology may have a vulnerability.

The bug hunt. Companies use various techniques for identifying and resolving vulnerabilities, including code reviews and third-party scans of networks, websites, and mobile applications. Companies can also monitor the many online resources documenting known vulnerabilities, such as the United States Computer Emergency Readiness Team website. Using supported software and promptly implementing security patches are key. Responsible use of open-source software is also strongly recommended. Recent events have shown that an unpatched vulnerability to an open-source application framework can lead to a breach. The infamous Heartbleed bug in the OpenSSL open source cryptographic software library left millions of websites at risk. Notably, for anything other than the most simple systems, assessing the criticality and implications of implementing security patches is not an easy task – among other things, a given patch may have unintended effects on related system components, or the patch may not really be necessary, given the protections provided by other layers of defense. And a company with complex systems could receive dozens, hundreds, or even thousands of patches every week.
Continue Reading Thinking about Bugs