Developer Access: The Threat Within
Creating a holistic, enterprise-wide security approach is a daunting task. These tips can make it easier.
by Robert Grapes
The topic of security is massive, with the task of creating a holistic, enterprise-wide security approach especially daunting. In fact, typical security practices are really just a collection of individual processes developed by a collection of people to address the threats and risks for the diverse set of elements that comprise the network, the infrastructure, the applications and, ultimately, the data. Typically, such disparate activities are then presented as a holistic approach rather than a cohesive strategy.
Taking a holistic view of security requires knowledge in all of these discipline areas as well as an understanding of the business policies and regulatory influences that can impact any decisions to be made.
Planning a holistic security approach helps you:
- Identify and eliminate potential gaps in security coverage by taking the whole view of the organization
- Achieve economies through the re-use or reduction of technology, personnel, services, or processes
- Establish commonalties for compliance across the broad range of regulatory specifications
- Create and communicate clear business policies for access to critical business systems and data
- Gain an understanding of what is possible using commercial technologies and determine what remains to create and maintain
Typically, organizations spend the greatest security efforts on addressing the external attack scenario by creating and enhancing their perimeter security profile. This perimeter defense effort remains a necessary initiative; however, companies are putting a greater emphasis on the insider attack scenario. Many companies are focusing their efforts in the identity and access management market, but almost all of these discussions and solutions are centered on end users.
There is an upswing of interest on the topic of administrator privileged accounts and access rights. Recent breaches involving current and former network administrators have received considerable media attention where entire cities have been held at ransom by a single individual (e.g., Terry Childs and the City of San Francisco). Large corporations have been threatened with complete data failure and possible bankruptcy at the hands of a single individual.
Fortunately, vendor solutions now exist to help organizations tackle their privileged administrator account challenges, and these solutions go well beyond manipulating an end-user identity management tool to manage these accounts. Several of these privileged account management tools offer a complementary fit to an overall identity management approach by providing standards-based integration through SPML and/or other interfaces.
Flying under the radar is another significant threat: developers within an organization. Perhaps not as privileged as administrators, developers have more unmonitored access to data on systems than the typical user. Recently, a large mortgage underwriter faced a potentially catastrophic attack from a developer who had included malicious code in a program that had made it into their production environment.
Luckily this attack was thwarted, albeit more through happenstance than a structured process, but it highlights the damage a developer can cause if there no controls are in place to prevent such an attack. Because this type of attack is automated, it can happen without notice, potentially months after the individual has left the organization. It can be difficult to trace and can have far-reaching results.
Privileged Data Access -- The Threat Within
Think of the developer that created the report that generates your monthly telephone bill, water bill, or credit card statement that contains personal data. That report creates the bills for every customer on the system and has access to all of the data in the billing system. If the developer of this report is in an environment with inadequate controls where account privileges are “over-assigned,” no one is performing code reviews to catch malicious code, or the report program is not scanned for integrity, it is possible that the report could be modified to print out, redirect, or delete all account details. Most organizations implement code reviews and production deployment processes to remove direct interaction of the developer with the production systems, but many do not.
Scripts and programs often contain an ID and password to get to the system that contains the data that the program needs to process. In this scenario, it is likely that the developer placed the ID and password directly into the script or program or into a connection string used by that script or program.
This simple process means that the developer has prior knowledge of the ID and password needed to connect to the system, and there is no mechanism to prevent that developer from re-using that same ID and password to connect to the billing system and appear to be something other than the script or program itself. It presents an opportunity for the developer to be malicious with little traceability or oversight. Since most IDs and passwords are coded somewhere, it makes it very difficult to change them, resulting in scant updates and critical vulnerabilities.
Changing Strategies at the Application Level
Application development is a critical component of a holistic security planning process. In fact, many organizations are moving to remove security logic from the applications themselves and replacing it with code that uses central authentication, authorization, and role and permission management systems.
As development practices and vendor solutions evolve to help abstract security logic from applications, many benefits are realized:
- Increased ability to apply security policy consistently across applications
- Lowered dependency on developers’ understanding of complex security mechanisms
- Greater emphasis on developing business logic rather than security
- Reduced concern over the security issue of using contracted development resources
- Improved holistic security profile through the reduction of production password knowledge throughout the organization
What You Can Do
Companies need to separate application-level security codes, and it’s critical to broaden the definition of the “insider” to include developers. Whether they are employees, contractors, or offshore resources, they represent a significant risk to any organization. For a holistic security management strategy, organizations need to scrutinize the threat within by defining deployment practices that separate roles and constantly monitor for malicious application behavior.
With the ongoing threat of insider and outsider attacks, any holistic approach needs to be reviewed and updated periodically. IT security professionals understand that hackers only get better over time, so companies must arm themselves with a holistic, enterprise-wide strategy to quickly identify and manage security issues, ultimately, minimizing repercussions to the organization.
Robert Grapes is the chief technologist at Cloakware. You can reach the author at firstname.lastname@example.org.