Cloud security: Third party code

Using third party code in cloud computing can be a security risk for users since the code does not originate from the developer, allowing hackers an easy avenue to breaking into networks.

02/19/2013


ISS SourceWith cloud computing becoming more of an entity in the industry, there are dangers involved with using third-party code, a new report said.

Part of the explanation comes back in December when a hacker breached Yahoo! with an SQL injection attack that took advantage of a vulnerability in a third-party application that was provided on the Yahoo! Web site, according to a report from Imperva.

This attack highlights the risk that many Web applications face: Web applications may contain some sort of third-party code, such as APIs, not created by the developers.

“The weak link in the Yahoo! attack was not programmed by Yahoo! developers, nor was it even hosted on the Yahoo! Servers, and yet the company found itself breached as a result of third-party code,” said Amichai Shulman, CTO, Imperva. “The challenge presented by the Yahoo! breach is that Web-facing businesses should take responsibility to secure third-party code and cloud-based applications.”

Technically, security teams should:

  • Protect third-party Web applications against SQL injection and other Web attacks: Incorporate security into the software development life cycle, perform penetration tests and vulnerability assessments on the application, and deploy the application behind a Web Application Firewall (WAF).
  • Harden your system: When the application goes from development to production, the system configuration needs to harden to disable any irrelevant parts that may help the attacker. In the hardening process detailed error messages should end up disabled, there should be restrictions on excessive file and directory permissions, and you should delete source code leftovers.

From a business standpoint, executives should always assume third-party code – coming from partners, vendors, mergers and acquisitions – contains serious vulnerabilities.

Some recommendations:

  • Put in place legal requirements in a contract for what you will and will not accept from a security perspective.
  • Incorporate security due diligence for any merger or acquisition activity.
  • Require coding standards and security requirements in every specification between you and the third party.
  • Demand metric reports for security of the vendor’s code that are repeatable and verifiable.
  • Require that all security requirements are met prior to the first time the code executes in your environment.
  • Require a comprehensive review of possible vulnerabilities resulting from new external services operating in conjunction with your current services.
  • Require a report specifying security issues and measures taken to address them for every task and deliverable from the vendor.

Click here to download the complete report.



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
Control Engineering Leaders Under 40 identifies and gives recognition to young engineers who...
Learn more about methods used to ensure that the integration between the safety system and the process control...
Adding industrial toughness and reliability to Ethernet eGuide
Technological advances like multiple-in-multiple-out (MIMO) transmitting and receiving
Big plans for small nuclear reactors: Simpler, safer control designs; Smarter manufacturing; Industrial cloud; Mobile HMI; Controls convergence
Virtualization advice: 4 ways splitting servers can help manufacturing; Efficient motion controls; Fill the brain drain; Learn from the HART Plant of the Year
Two sides to process safety: Combining human and technical factors in your program; Preparing HMI graphics for migrations; Mechatronics and safety; Engineers' Choice Awards
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
News and comments from Control Engineering process industries editor, Peter Welander.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
Anthony Baker is a fictitious aggregation of experts from Callisto Integration, providing manufacturing consulting and systems integration.
Integrator Guide

Integrator Guide

Search the online Automation Integrator Guide
 

Create New Listing

Visit the System Integrators page to view past winners of Control Engineering's System Integrator of the Year Award and learn how to enter the competition. You will also find more information on system integrators and Control System Integrators Association.

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.