The Heartbleed bug went undiscovered for two years, leaving many sites vulnerable, and was responsible for exposing usernames, passwords, encryption keys and other sensitive data. The bug in OpenSSL's heartbeat extension was attributed to poor coding that lacked bounds checking. A security patch was released that took care of that particular flaw, but poor code quality continues to be a gateway hackers exploit in order to gain access. That particular problem highlighted the danger poorly coded applications present, and how little attention security experts place on application code. A new study by CAST, a provider of software analysis and measurement, reveals that data breaches and security incidents are increasingly being attributed to poor code quality.
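As an added illustration (not code from the article or from OpenSSL), here is a simplified model of the missing bounds check: the handler must compare the payload length claimed in the heartbeat header against the number of bytes that actually arrived before copying. The record layout, function name and sample records are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat request: 1-byte type, 2-byte payload length,
 * payload bytes, then padding. This is a constructed model for
 * illustration, not OpenSSL's actual record handling. */
#define HB_PADDING 16

/* Copies the heartbeat payload into out and returns the number of bytes
 * copied, or -1 if the header's claimed length does not fit inside the
 * record that was actually received (the check the original bug lacked). */
int heartbeat_payload_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_len) {
    if (rec_len < 3) return -1;                        /* no room for a header */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled value */
    /* Reject the request if type + length + payload + padding would run
     * past the end of the received record; without this, memcpy reads
     * whatever happens to sit after the record in memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (payload > out_len) return -1;                  /* protect our own buffer */
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* Constructed sample: a record that truthfully declares a 4-byte payload. */
static const uint8_t good_rec[] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
/* Constructed sample: the same bytes on the wire, but the header claims
 * a 1000-byte payload that was never sent. */
static const uint8_t bad_rec[] = {1, 0x03, 0xE8, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

int main(void) {
    uint8_t buf[64];
    int n = heartbeat_payload_checked(good_rec, sizeof good_rec, buf, sizeof buf);
    printf("honest record: %d bytes copied\n", n);       /* 4 */
    n = heartbeat_payload_checked(bad_rec, sizeof bad_rec, buf, sizeof buf);
    printf("over-claiming record: %d (rejected)\n", n);  /* -1 */
    return 0;
}
```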
The ongoing research the company has been conducting on application software health highlights the vulnerabilities finance and retail industry applications face, with 70 percent of retail and 69 percent of financial services apps showing data input validation violations. Considering these two industries in particular have the highest amount of personal financial information held in applications they use, the threat presents very costly consequences if it is not addressed promptly.
Although the Target breach was achieved using different tactics, the impact of that attack is still affecting the company as it tries to recover from the theft of 40 million credit and debit cards. The immediate impact was a 46 percent drop in profits in Q4 of 2013, which was followed by lower customer ratings and the departure of CEO Gregg Steinhafel.
The study also found that the highest percentage of applications without any input validation violations, at 61 percent, belonged to government IT, with independent software vendors coming in last at 12 percent. Financial services had the highest number of input validation violations per application at 224, even though the study pointed out that their applications, on average, are only half as complex as the largest application scanned.
As the study by CAST points out, organizations must address every possible security vulnerability no matter how minute, because complacency is the hacker's best friend. The company stated that an estimated 309,197 public web servers still remained vulnerable to the Heartbleed bug as of June 21, 2014, even though a security patch is readily available. Additionally, it reports that input validation flaws were exploited in 80 percent of attacks against applications last year in the retail industry alone; the eBay data breach that resulted in 145 million user records being compromised is the biggest example.
“Some security experts argue software security is different from software quality and should be treated separately. The CRASH Report data proves this is false. Badly-constructed software won’t just cause systems to crash, corrupt data, and make recovery difficult, but also leaves numerous security holes,” said Dr. Bill Curtis, chief scientist at CAST and author of the CRASH Report.