Opinion: Companies Failing To Protect Against Insider Threat From Software Developers - InformationWeek




Companies are failing to protect themselves from threats that might be planted in custom code.

There's lots of talk in the industry about how companies can guard against outside IT and network threats. But what can they do to shield themselves from the possibility of in-house developers, consultants, testers and other tech-savvy "insiders" entering malicious code or gaining access to live data?

Well, that's a weighty problem facing many businesses today. And it exists not because of a lack of tools but because of a lack of foresight from the IT industry in general.

In recent years, the market has been saturated with many kinds of intrusion-prevention tools to address various application vulnerabilities. But no programming methodology exists today that prevents the most trusted users from getting away with wrongdoing.

While regulatory standards such as Sarbanes-Oxley and HIPAA, along with the Open Web Application Security Project (OWASP), address some security measures through an audit process, they fail to impose enterprise-wide abstraction layers that prevent key IT users with application and/or database access from gaining direct access to critical financial data.

Instead, standards mainly focus on enforcing confidentiality. They provide general guidelines for companies to concentrate on access control issues, application configurations and code vulnerabilities.

Code reviews, which are usually performed manually by program team leaders and project managers, don't take into account system-wide malicious code that can be introduced by in-house developers. And to put it bluntly, code written at the unit level is free to do whatever programmers want it to do.

For instance, there currently are no step-by-step code search procedures and guidelines to help managers identify backdoors. These vulnerabilities are found only when theft becomes too obvious or by chance during auditors' code reviews.

Simple social engineering techniques used by in-house programmers are the dirty secret in the application security space, and everyone seems to be sleeping on it. Even the strictest security policies that can be implemented today don't address this issue directly.

The root of the problem stems from the lack of a substantive connection between application design and code. Even if code is thoroughly reviewed, during test phases or when applications are placed in maintenance cycles, there are no methodologies to help managers identify flaws.

This security vacuum is an opportunity for solution providers looking to improve their application security solutions. Since there are no concrete testing methodologies that can prevent nefarious code from being introduced into production systems, solution providers can offer expert reviews during application testing. They also can build simple parsing tools and spider search techniques to look for telltale signs of wrongdoing.
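As an added illustration of the "simple parsing tools" the column calls for (this is example code written for this page, not a tool from the author or from InformationWeek), the script below walks a source tree and flags a handful of telltale patterns a reviewer would want to look at: a credential assigned as a string literal, an access decision that compares an identity to a hard-coded literal, dynamic evaluation of code, and SQL assembled by string concatenation. The rules, the `# audit-ok` suppression marker, and the sample source file are all constructed assumptions for the example; hits are triage leads for a human reviewer, not verdicts.

```python
import os
import re
from dataclasses import dataclass

# Each rule is (name, compiled regex). These heuristics are constructed for
# this example; a real deployment would tune them to the codebase at hand.
RULES = [
    ("hardcoded-credential",
     re.compile(r'(?i)\b(password|passwd|secret|api_key|token)\s*=\s*["\'][^"\']+["\']')),
    ("literal-identity-check",
     re.compile(r'(?i)\b(user(name)?|login|role)\s*==\s*["\'][^"\']+["\']')),
    ("dynamic-eval",
     re.compile(r'\b(eval|exec)\s*\(')),
    ("sql-concat",
     re.compile(r'(?i)\b(select|insert|update|delete)\b.*["\']\s*\+\s*\w+')),
]

# A line carrying this marker has been looked at by a reviewer and is skipped.
SUPPRESS_MARKER = "# audit-ok"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    text: str


def scan_source(path, text):
    """Return the findings for one file's contents, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Skip blank lines, comment-only lines and reviewer-acknowledged lines.
        if not stripped or stripped.startswith("#") or SUPPRESS_MARKER in line:
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, stripped))
    return findings


def scan_tree(root, extensions=(".py",)):
    """Walk a directory and scan every file with a matching extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(path, fh.read()))
    return findings


# Constructed sample: an authentication routine with the kinds of patterns the
# rules above are meant to surface. It is not code from any real project.
SAMPLE_SOURCE = """\
import hashlib

def authenticate(username, password, db):
    # Normal path: compare against the stored hash.
    if username == "svc_maint":
        return True
    query = "SELECT hash FROM users WHERE name = '" + username + "'"
    row = db.execute(query).fetchone()
    return row is not None and hashlib.sha256(password.encode()).hexdigest() == row[0]

API_KEY = "abc123-example"
"""


def report(findings):
    """Format findings as one line each for a reviewer to work through."""
    return [f"{f.path}:{f.line_no} [{f.rule}] {f.text}" for f in findings]


if __name__ == "__main__":
    for line in report(scan_source("auth.py", SAMPLE_SOURCE)):
        print(line)
```

Run against the embedded sample, the scanner reports the literal identity check on line 5, the concatenated SQL on line 7 and the hard-coded key on line 11; the comment on line 4 and the hashing on line 9 are left alone. The point of the design is the one the column makes: the tool does not decide anything, it narrows the expert review to the lines most worth a second look.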

That, at least, could be an initial step in helping many businesses tackle a largely overlooked security problem.

MARIO MOREJON is a technical editor for the CRN Test Center.
