<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=113894&amp;fmt=gif">

SECURITY INFLUENCERS BLOG

Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management

"The DCCC Hacked:  SQL Injection?  Come on."

Jeff's comments here are a follow-up to his blog post "International hacks, politics and knee-jerk cybersecurity... never a good mix - Russia & the DNC Hack." You may want to read that post too!


Some software is more important than other software. The software in medical devices that keeps people alive? That’s important. The software that controls the economy?  Important. The software that controls airplanes. Again… important. And the software that undergirds our democracy … the software that ensures our elections are fair? That’s pretty important stuff.

We need to hold the purveyors of this important software to a higher standard. We must have assurance that these critical applications are resilient against those who would undermine our democracy. This assurance isn’t necessarily easy to generate. Building rugged software that has strong defenses against both expected and unexpected attacks takes a level of rigor not found in most software organizations.

But we are not even close. Maybe not even really *trying*. When a voter records system is susceptible to SQL injection, we should all be concerned. SQL injection has been well known and well understood for over 20 years. It has headlined the OWASP Top Ten for 14 years. Protecting against SQL injection isn’t even tremendously difficult.

Could these attackers have modified voter records? Maybe even affect whether voters who thought they were registered could actually vote when they show up on Election Day? Or maybe the bad guys sell these records to one of the candidates, so they can target those critical “undecided” voters better. 

I’ve reviewed the code of an electronic voting/election management system for one of the major vendors. I can only say that I expected better. What we found was that these systems have the same types of security mistakes as everything else. Which is to say they had a lot of easily identifiable vulnerabilities.

Let’s raise the bar for software that’s part of “critical infrastructure.” We shouldn’t have to blindly trust that software has basic security protections. Many years ago I proposed a “software facts” label that would let software buyers and users know about the security in an application. I find this highly preferable to a liability regime, and something that wouldn’t put undue burden on software producers. Let’s go Congress, FEC, FTC, NIST, DHS, NSA, and POTUS….

You know that quote from Marc Andreessen, “software is eating the world”?  Well it just might.

~Jeff Williams
CTO & Founder, Contrast Security

Here are a couple of links to articles that pertain to this topic:
Cyberattack Compromises Unknown Number of Voter Records in Illinois
Exclusive: FBI probes hacking of Democratic congressional group - sources

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.

SUBSCRIBE TO THE BLOG

Learn how to unify security strategy across & development operations. See how to set up a CAS program with only eight activities!

Download the Handbook