
Ah Software! Yes, Software is Eating the World…But You Need Security

Software is all around us – it is in our smart phones, our cars, our TVs, our fitness trackers, and it is increasingly making up the critical infrastructure that supports hospitals, transportation, finance, government, and more.

Systems that were once controlled by humans or machines now depend on code.

When the functionality of these systems has life-or-death implications, affects a company's data and the protection of its customers, or controls critical activities such as air traffic or public safety, security is paramount.

Now imagine that your credit card data, your social security number, your entire identity could be seized in a data breach and transferred to the dark web, where it could be auctioned off for a few bucks. An identity thief could then sit on your information, waiting for the perfect time to strike.
Software is both what could let someone take your data and the means of preventing it.

So it is extremely important to protect your software by developing and maintaining it to high standards. This is how you protect the company's information, your customers' information, and your own.

You may remember the 2013 Target Stores data breach that put the credit-card numbers and personal information of millions of people into the hands of cybercriminals. Or you may have been asked to change your Yahoo password in 2016. Both were the results of huge data breaches – yet neither breach was the worst in history.

In a truly remarkable turn of events, Yahoo in 2016 not only claimed the crown of Biggest Data Breach Ever with the September disclosure of a 2014 breach that affected 500 million users, but came back in December to disclose a breach from 2013 that compromised a whopping 1 billion user accounts. That's one for every seven or eight people on Earth.

The unidentified 2013 hackers, said to be unconnected to those behind the 2014 break-in, got the whole shebang: names, dates of birth, email addresses, security questions and answers and weakly protected passwords. (The passwords in the 2014 breach had better protection.)
You may be wondering why Yahoo took two or three years to discover these breaches.

The massive Yahoo breach revealed in late September 2016 not only capped a summer of huge data-breach disclosures, but was the biggest data breach on record until another Yahoo breach doubled it. Yahoo, in the middle of selling itself to Verizon, said “a state-sponsored actor” instead of a regular cybercriminal was likely behind the theft, said to have occurred in late 2014.

Compromised information included real names, email addresses, dates of birth and telephone numbers, helpful to spammers and identity thieves. The good news is that the “vast majority” of the passwords were hashed (run through an irreversible mathematical algorithm) using the so-far-uncrackable Bcrypt method.

Another massive invasion of personal/business information happened to LinkedIn. The world’s top business-networking website disclosed its 2012 data breach soon after it happened, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: A whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not “salted” with random data to make them harder to reverse.

That revelation prompted other services to comb the LinkedIn data and force their own users to change any passwords that matched. (Kudos to Netflix for taking the lead on this one.) Left unanswered is why LinkedIn did not further investigate the original breach, or inform more than 100 million affected users, in the intervening four years.
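The salting point above is worth seeing in code. The following is an added illustration, not code from this post or from GeneXus: it assumes unsalted SHA-1 as the weak scheme and uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, with constructed sample accounts.

```python
import hashlib
import os
import secrets

# Constructed sample accounts for illustration (not real leaked data).
USERS = {"alice": "123456", "bob": "123456", "carol": "letmein"}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Unsalted SHA-1 (assumed weak scheme): same input always gives the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Per-user random salt plus a slow KDF; PBKDF2-HMAC-SHA256 stands in for bcrypt."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def salted_records(users: dict) -> dict:
    """Store a fresh 16-byte salt alongside each derived key."""
    return {name: salted_hash(pw, os.urandom(16)) for name, pw in users.items()}


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, _ = record.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate, record)


def unsalted_exposure(users: dict, common: list) -> dict:
    """Why unsalted hashes are easy to reverse: a single precomputed table of
    common-password digests maps straight back to every matching account,
    and accounts sharing a password share a digest."""
    table = {unsalted_hash(p): p for p in common}
    return {name: table[unsalted_hash(pw)] for name, pw in users.items()
            if unsalted_hash(pw) in table}


if __name__ == "__main__":
    print("unsalted, recovered via lookup table:", unsalted_exposure(USERS, COMMON_PASSWORDS))
    recs = salted_records(USERS)
    # alice and bob share a password, yet their salted records differ.
    print("distinct salted records:", len(set(recs.values())), "of", len(recs))
    print("alice login ok:", verify_salted("123456", recs["alice"]))
```

With salts, the same-password accounts no longer share a stored value, so a precomputed table is useless and each guess must be recomputed through the slow KDF per account.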

Hackers who gain access to a treasure trove of names, Social Security numbers, birth dates, street addresses and, in some instances, driver's license numbers can pose as you to set up credit cards, mortgages, loans and other important agreements.
So the responsibility for ensuring this never happens rests on how companies set their policies for protecting their business and the data of customers, clients, partners, vendors, and others.

When a breach happens, the cost of fixing it can be very high: not only the technical work needed to improve, detect and stop an attack, but also the cleanup costs, which can include fighting class-action lawsuits brought against the company and the PR expense of repairing the company's image.

In April 2011, unknown attackers targeted the PlayStation Network that links Sony’s home gaming consoles, as well as Sony Online Entertainment, which hosts massively multiplayer online PC games, and the Qriocity video- and music-streaming service.

Initially, Sony said that only the personal information of 78 million PlayStation Network users – login credentials, names, addresses, phone numbers and email addresses – had been exposed. But the tally of compromised accounts rose by 24.6 million when investigators discovered the attackers had also penetrated SOE and Qriocity. The credit-card data of approximately 23,400 SOE users in Europe was also stolen.

Following the initial breach disclosure, the PlayStation Network went dark worldwide for more than three weeks. In May 2011, Sony estimated its cleanup costs – which included fighting 65 class-action lawsuits brought against the company – at $171 million.

The question here is: is your organization ready to spend millions of dollars in cleanup costs? This kind of expense can put companies out of business.
Every organization should secure its information assets from the initial stages of development by applying best security practices to its applications. This is the only way to prevent major damage to your data, infrastructure and customers.

GeneXus is the platform for creating apps for mobile, Web, Windows and legacy platforms that automatically generates and connects every required functionality, service and database, from the client-side to the server-side, in the appropriate language, with the optimal data structure.

To ensure that the process for creating apps meets high standards, we implement the security solutions most appropriate for those using GeneXus.

For those using GeneXus we provide a security diagnosis for applications developed with GeneXus (Web and Mobile Devices). This includes analysis of the GeneXus KB and of the system at runtime, which enables the detection of existing vulnerabilities. It is a major step toward setting high standards for security during app development.

On top of that, working with GX Consultant we offer GeneXus users services such as consultancy for implementing a secure development cycle with GeneXus. Here we offer security services applicable to each stage of an application's development cycle: requirements, architecture and design, development, testing, and applications at runtime.

To make the GeneXus environment even more secure, we also offer security training with GeneXus. This theory course gives attendees the practical tools needed to develop applications capable of mitigating security risks. The working method is based on the OWASP Top 10 and how to mitigate those risks in GeneXus applications.

The next security training is scheduled for September 10, 2018. At this training we create awareness among those involved in developing software solutions with GeneXus about the importance of security and about techniques for the detection, validation, and mitigation of potential risks in applications.

Please visit the website https://genexususa.com/security-course-genexus-web-applications/ for more information.

GeneXus and GX Consulting can help you identify and mitigate significant risks by including security throughout your application's development cycle, from the planning stage to production rollout.
