Have you ever had one of those days? Not just a waking-up-on-the-wrong-side-of-the-bed morning, but one of those soul-sucking, I-hope-the-earth-swallows-me-alive days?
I’d like to introduce you to Alex, the CISO (chief information security officer) at mobile app startup, FilmFestFun. Alex is having a very bad day. In the run-up to his company launching their new app, everything that could go wrong has gone wrong—and then some.
The train is late. The build keeps failing. The pen tester finds hundreds of bugs. Alex tries explaining to CEO Kyla that releasing an app with critical vulnerabilities is a very bad move. But she’s not having any of it. FilmFestFun has already spent millions on that night’s launch party, and she wants the app now.
It turns out that Alex’s very bad day could have been a very good day—if only FilmFestFun had used the right software security tools and methodologies, such as:
- Application security training – Integrating application security training directly into your developers’ IDE supports them to learn as they code.
- Software security initiative assessments – Including Legal and Procurement teams in buying decisions for third-party software allows them to manage risks. Also, these assessments support the maturity of your software security initiative and deliver a plan to close gaps and address risk management goals.
- Software composition analysis tooling – Taking open source security as seriously as license compliance is critical. SCA tools help teams to gain visibility and control of open source for security and license risks throughout your software development life cycle (SDLC).
- Threat modeling and architecture risk analysis – Understanding the difference between security software and software security is paramount. Threat models and architecture risk analyses identify weaknesses and address security early in the SDLC to reduce attack susceptibility and avoid costly rework.
- Interactive application security testing (IAST) – QA teams should use IAST tools which find quality AND security issues. Top IAST tooling monitors application testing and provides immediate auto-verified results.
- An SDLC that builds security in from the beginning – Building security activities into the development cycle from architecture and design, all the way through penetration testing, to ensure that you don’t get buried under vulnerabilities at the end.
As we’ve seen many times over, a rush to push apps out can cause issues if the necessary security controls are not applied throughout the SDLC. Let’s examine this month’s 7-Eleven Japan snafu as an example. The global convenience store behemoth shut down their mobile payment app after only two days after hackers exploited a simple security oversight, thus tarnishing their reputation and robbing customers of over £400,000.
How did they pull it off? By simply re-directing the password re-set link to their own email addresses and creating a new password, the unauthorized parties were able to gain full access into individual accounts without any sophisticated hacking methods. This issue would have been trivial to identify through penetration testing. Since we can assume no such penetration test was performed prior to deploying the app, this situation must have made for a very bad day for 7-Eleven’s CISO, among many others.
This lighthearted but oh-so-real graphic novel follows Alex on his journey from development to QA to the legal team as he tracks down where the bugs came from. You may find more than a few scenarios surprisingly familiar. Learn from CISO Alex’s mistakes so you can avoid having your own terrible, horrible, no good, very bad day.