Cyber criminals reach sensitive data by gaining unauthorized access to systems and applications. Learn how to use security standards to implement preventative measures.
The end of the traditional perimeter
The traditional data center has undergone many fundamental changes over the years. Once upon a time, there was the concept of a stand-alone data center and internal network, protected at the outer boundary by network and web application firewalls. In this scenario, company-owned endpoints inside the physical building were trusted, so they could freely access data over the internal network.
With the migration of business data and applications to the cloud, the bring your own devices (BYOD) paradigm, and the growing adoption of remote working, the traditional security perimeter has disappeared. Organizations now face the challenge of defining new security policies to mitigate the risks associated with a perimeter-less network: sensitive data leaks and breaches of data privacy and regulatory compliance.
Identity and context as a new perimeter
With the increasing use of BYOD smartphones, tablets and laptops, and the growing number of employees working from home, every device and user must be authenticated and validated before it can access SaaS applications and internal company data. Many security tools can perform multi-factor authentication (including biometrics) or correlate multiple devices with the identity of a single user to ensure that access is authorized and to keep cyber attackers out. Other security tools (e.g. SIEM/UEBA, and CASBs for cloud applications) can use factors such as device location (or IP address), time of access, and the volume and type of file downloads to report abnormal behavior that could lead to a data leak. Critical applications can also be isolated or protected against unauthorized access.
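The behavioral factors just listed (location, time of access, download volume) can be turned into a simple UEBA-style rule. The following is an added illustration, not code from the original article or from any product it mentions; the events are constructed and the thresholds (a two-hour margin around observed hours, a 10x volume factor) are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample access events (not real telemetry). The first four
# form a user's normal history; the last one is the event to be scored.
HISTORY = [
    {"user": "alice", "country": "DE", "hour": 9, "bytes": 12_000},
    {"user": "alice", "country": "DE", "hour": 11, "bytes": 30_000},
    {"user": "alice", "country": "DE", "hour": 14, "bytes": 25_000},
    {"user": "alice", "country": "DE", "hour": 16, "bytes": 18_000},
]
NEW_EVENT = {"user": "alice", "country": "BR", "hour": 3, "bytes": 2_500_000}


def build_baseline(history):
    """Per-user profile: countries seen, hour window, typical download size."""
    by_user = defaultdict(list)
    for e in history:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        hours = [e["hour"] for e in evs]
        baseline[user] = {
            "countries": {e["country"] for e in evs},
            "hour_min": min(hours),
            "hour_max": max(hours),
            "median_bytes": median(e["bytes"] for e in evs),
        }
    return baseline


def score_event(baseline, event, hour_margin=2, volume_factor=10):
    """Return the list of reasons an event looks abnormal (empty = normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no_baseline"]  # unknown user: nothing to compare against
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("new_country")
    if not (profile["hour_min"] - hour_margin <= event["hour"]
            <= profile["hour_max"] + hour_margin):
        reasons.append("off_hours")
    if event["bytes"] > volume_factor * profile["median_bytes"]:
        reasons.append("volume_spike")
    return reasons


if __name__ == "__main__":
    print(score_event(build_baseline(HISTORY), NEW_EVENT))
```

An event that trips several factors at once is a far stronger signal than any single one, which is why such tools combine them rather than alerting on each in isolation.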
Compliance with security standards
OWASP Top 10 and OWASP Mobile Top 10
Web applications can serve as a channel for hackers to reach sensitive data. The OWASP Top 10 presents the 10 most critical security risk categories for web applications. For example, in an SQL injection attack, hackers attempt to read sensitive data from a database without authorization by causing unintended commands to be executed through a web input form. Another danger to web applications is sensitive data exposure. According to the Open Web Application Security Project (OWASP), “Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.” Likewise, the OWASP Mobile Top 10 describes the main risk categories for mobile applications.
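The SQL injection risk described above, shown as an added example that is not part of the original article: a lookup that splices form input into the query text next to the parameterized version. The customer table and its values are constructed, and `sqlite3` from the Python standard library stands in for a real database.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a database holding sensitive data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1337"), (3, "carol", "9001")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # CWE-89: the form input becomes part of the SQL text, so quotes in the
    # input change the meaning of the WHERE clause instead of being data.
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the input is bound as a value and never parsed as SQL.
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_username(name):
    # Defense in depth: an allowlist check at the form boundary (CWE-20)
    # rejects anything that is not a plausible account name.
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None


# Constructed input: the classic tautology that a web form would pass unchanged.
INJECTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTED_INPUT))  # every row leaks
    print("safe:      ", lookup_safe(db, INJECTED_INPUT))        # no match
    print("valid?     ", is_valid_username(INJECTED_INPUT))      # False
```

The parameterized form is the fix a SAST tool would expect to see for this finding; the allowlist check on its own does not replace it.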
CWE Top 25 (Common Weakness Enumeration)
The CWE Top 25 is a community-developed list managed by MITRE. It lists the most dangerous software and hardware weaknesses: those that are often easy to find and exploit, and that can allow cyber attackers to take complete control of a system, steal data, or prevent an application from functioning. The CWE team created the 2020 list by leveraging the Common Vulnerabilities and Exposures (CVE) data in the National Vulnerability Database (NVD), together with the Common Vulnerability Scoring System (CVSS) score attached to each CVE. The top 10 weaknesses include both quality issues (e.g. out-of-bounds write, use after free, and out-of-bounds read) and security issues (e.g. cross-site scripting, improper input validation, SQL injection, cross-site request forgery, and exposure of sensitive information to an unauthorized actor).
CISQ’s automated source code data protection measure
The Consortium for Information & Software Quality (CISQ) coordinated a new OMB standard, the Automated Source Code Data Protection Measure. According to CISQ, the measure is “based on a collection of relevant CWEs that can be used to meet the needs of businesses and the supply chain for the protection of data, confidential information, intellectual property and privacy.” These CWEs are available for use now. The new standard is highly relevant to GDPR, CCPA and the Cybersecurity Maturity Model Certification (CMMC) for the protection of Controlled Unclassified Information.
The standard seeks to highlight CWEs that can allow data leakage, i.e. those whose CWSS technical impacts allow unauthorized reading or modification of data. CISQ notes that “Analysis of the code that will run or is running in businesses (on systems and devices that process or transmit data) would determine whether the systems or devices allow a data leak. If so, such an analysis would reveal whether the data protection/privacy controls associated with the process being evaluated have not been properly implemented.”
Static application security testing (SAST), along with other AppSec tools such as interactive application security testing (IAST), software composition analysis (SCA) and dynamic application security testing (DAST), can help development teams automate the identification and remediation of vulnerabilities and security weaknesses in the key categories listed by standards such as the OWASP Top 10 and CWE Top 25.