Word Notes 2.8.22
Ep 87 | 2.8.22

OWASP software and data integrity failures (noun)


Rick Howard: The word is: OWASP software and data integrity failures.  

Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, software for instructions that tell the computer what to do, data for information stored on a computer, and integrity failures for support structures that are supposed to be sound that turn out to be faulty.  

Rick Howard: Definition: Code and data repositories that don't protect against unauthorized changes. 

Rick Howard: Example sentence: Software and data integrity failures happen when an application relies upon plugins, libraries, or modules from untrusted resources, repositories, and content delivery networks, or CDNs. 

Rick Howard: Origin and context: David Wickers and Jeff Williams, working for Aspect Security, a software consultant company, published an education piece in 2009 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.  

Rick Howard: Today, OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock. In 2021, the community created a new category called Software and Data Integrity Failures, and listed it at the number 8 position. The main idea is to protect code and data sources from unauthorized and undetected change. 

Rick Howard: OWASP pundits have cited the 2020 SolarWinds compromise as the perfect example of this kind of failure. In that attack campaign, hacker group APT29, also known as Nobelium, compromised the SolarWinds network, found the company's code repository, and inserted a remote access Trojan, or RAT, into the SolarWinds Orion product (a commercial network management system). 

Rick Howard: When some 18,000 customers downloaded the next software update for the Orion product, they also downloaded the RAT. OWASP recommends several mitigation tactics to defeat this king of attack vector:  

Rick Howard: Number 1: Sign internally-developed software and insist commercial and open source software that you use does the same.  

Rick Howard: Number 2: Verify that you're only using code libraries from trusted repositories.  

Rick Howard: Number 3: Scan internally-developed an open source software for known vulnerabilities.  

Rick Howard: Number 4: Establish a review process for code and configuration changes.  

Rick Howard: And finally, number 5: Enforce segregation, configuration, and access controls on your continuous integration/continuous deployment pipeline.  

Rick Howard: In the aftermath of the APT29 attacks, the SolarWinds' CISO, Tim Brown, rolled out a new software design strategy he called Secure By Design that incorporates many of the OWASP recommendations.  

Rick Howard: But I want to be clear here, none of these mitigation strategies, if implemented by any of the 18,000 SolarWinds customers, would have protected them from the APT29 attack. From their view, the attack is a supply chain attack from a trusted vendor. Their best bet to reduce the probability of supply chain risk is to pursue a robust zero trust strategy by severely limiting permissions and access by the Orion product. 

Rick Howard: On the other hand, the OWASP recommendations are for those organizations who build their own software intended for both external, and perhaps internal use, like SolarWinds. 

Rick Howard: Nerd reference: In November, 2021, M J Shore, the senior vice president and executive director at the Comp TIA ISAO, hosted Tim Brown, the SolarWinds CISO, to discuss the APT29 attack. 

Rick Howard: This clip is Tim describing his response in the initial hours after the attack notification.  

Tim Brown: December 12th. So it was a Saturday. Our CEO got a call from Kevin Mandia and said, "Hey, we believe that you've shipped tainted code." Of course I got a call very quickly after that. And, then I got a call with the CTO for a FireEye. We went through details very quickly. We realized that yes, that's the case. So we started marshalling people together and started working on kind of the response. This one was different and that we didn't need to do a lot of research to determine, Hey, this was real, right? Boom. Got it. It's real.  

Tim Brown: We started pulling the right people together on Saturday and the right people together, kind of interesting, right? So that included our legal team. So we have DLA Piper as an external legal counsel; learned afterwards that they're the largest legal firm in the world. But they came in with their forensics team. With them, we brought in CrowdStrike to start, really, a macro investigation of the environment and start doing that. 

Tim Brown: So this was all on Saturday as we're going through stuff first on the phone.  

Tim Brown: Sunday morning we were in the office and started in a war room, just working through all of the details because as a public company, on Monday morning or Sunday night, we needed to get information out to essentially the street. 

Tim Brown: So a 10 K had to get filed. So timelines were just, really compressed. FireEye was planning to be public with their information on Sunday. So it was a lot to do in those first 24 hours.  

Rick Howard: Word notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.