Taking a gander at the security landscape

As our manager settles in at his new job, he has begun to see security vulnerabilities everywhere he looks.

Looking around at how things are done at my new company, it's pretty easy for me to find security problems lurking virtually everywhere.

For example, the first thing I noticed was that my proximity access badge was blank: no picture, no name, no recognizable icon to indicate that I'm an employee. I mentioned this to the people in human resources, but the concept of a personalized access badge seemed foreign to them. So I told them about something that had happened years ago at another company that used blank access badges. An intruder got hold of one, then, claiming he was a new IT desktop support staffer, came along and walked out with all the unsecured laptops he could carry. The stolen badge, looking like all the other badges issued at that company, told the people he encountered as he gathered up his haul absolutely nothing.

I also found in my new company doors that don't close properly and a data center door that is secured with a key rather than a proximity badge and biometrics. There are cameras at the exit doors and in the lobby, but no one is monitoring the video feed, and the recordings aren't retained according to a consistent plan. But though it was easy to find ways that physical security was lacking, my real concentration has to be information security. And there's plenty there to keep me busy too.

A good place to start is at the core of what this company does: writing software that is made available to customers via the cloud and Web browsers. We make our application programming interfaces (API) freely available to our customers so they can extend the functionality of our software by using Web services to integrate their own or third-party applications with our software products. For example, a customer might want to expose Salesforce data within our application, or add Chatter, a chat collaboration tool, so that their chat communications appear within our application.

Our API is what is called a REST (representational state transfer) API. When customers want to integrate another app with our software, they install the API on their server. Then the API authenticates to our application to either get data out or put data in. The way the API authenticates is similar to a person authenticating, and some of the same security concerns exist. Strong authentication, authorization, encryption and data validation are just some of the security controls that need to be in place. And I wanted to know if they were in place.

In reviewing several of the configurations that customers have in place, I noticed, for example, that many API integrations weren't restricted by IP address. I'm a big proponent of the rule of least privilege, and I make no exception when it comes to APIs. If our API code exists on a customer's servers, then only those servers should be allowed to make an API call to our application; any other IP address should be locked out. This is a very simple configuration, very similar to what we do for user accounts.

Another problem that I found concerned Web services accounts that were tied to a person. Web services accounts should be tied to an independent system account, not a person. People leave, and when they do, their accounts should be deleted. You've got a problem if the deletion of one of those accounts affects the API integration.

My review did turn up a bright spot: Encryption in transit isn't an issue for us, since we force all connections over HTTPS, also called SSL Everywhere.

By the way, if you're interested in assessing the security of API or Web services calls in your company, there are many resources on the Internet that provide a wealth of information. My favorite is one published by the Open Web Application Security Project (OWASP). I also recommend hiring a trusted third party to review any developed code and architecture to ensure that you're using this technology in a secure manner, since there's potential for big trouble if you're not.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Click here for more security articles.

Join the CSO newsletter!

Error: Please check your email address.

Tags data securitysecuritydata protection

More about Click

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Mathias Thurman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts