ITSecure Advisory - Understanding Vulnerabilities, Application Security and Vendor Risk



When it comes to information security, we often hear the word vulnerability batted around in headline news stories exclaiming, “a critical vulnerability was exploited, resulting in a data breach”. But what exactly is a vulnerability? In its simplest definition, a vulnerability is nothing more than a weakness in a system or component, a business process, or even a person (more on the latter in a different article). Attackers and malicious actors go after (i.e. target) these weaknesses and exploit (i.e. abuse) them. Once a weakness is exploited, the attacker uses the resulting foothold to perform further nefarious actions, such as siphoning off sensitive data and records.

Programming errors, or software bugs as they are more commonly called, are one of the most frequent sources of vulnerabilities we encounter on a daily basis. Most of the time, a bug results in benign, merely annoying behavior: saving a document also closes it, or a submitted form does nothing. Exploiting a bug of that kind, where it can be exploited at all, has a low impact. Other bugs have serious and unintended consequences, such as granting access to areas of an application that should be off limits, or exposing your password to theft. The impact of these serious and critical vulnerabilities ranges from high to severe. The race is therefore on for developers to find and patch software vulnerabilities before attackers and malicious actors exploit them, and for users and administrators to install those patches once they are released.

Although there is a wide variety of software bugs, the Open Web Application Security Project (OWASP) maintains a Top 10 list of the most critical categories of web application security risk, revised every few years, that attackers actively target and exploit. These categories range from coding mistakes, such as injection, to insecure configurations. Some vulnerabilities should be assumed to exist in any non-trivial software or application, which leaves an endless pipeline of opportunities waiting to be exploited by malicious actors.


Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The rapid pace of modern software development processes makes the most common risks essential to discover and resolve quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.

OWASP


As owners and stewards of Colgate’s data, it is our responsibility to ensure that data is adequately secured wherever it resides and however it is used. When engaging 3rd party services or vendors, require that they adhere to industry-accepted security standards and best practices, such as testing and validating their software against OWASP’s Top 10 Most Critical Web Application Security Risks, and ask for evidence of that testing rather than accepting an assertion. In addition, the 3rd party service or vendor must have a rigorous software development process that provides continued updates and patches, including a stated timeline for fixing reported vulnerabilities. When we transfer our data to these 3rd party services and vendors, we should expect the same level of due diligence and due care for security that we apply ourselves.

If you need assistance in determining or assessing the security risks of a 3rd party service, vendor, and/or their proposed technology solution, please contact the ITS Service Desk to request a Vendor Risk Assessment. If you are curious about application security and common methods of cyberattack such as injection and cross-site scripting (XSS), learn more at the OWASP initiative and peruse their Top 10 list.
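To make concrete what a “bug that grants access to off-limits areas” and an “injection” attack look like in code, here is an added example that is not part of the original advisory and is not OWASP’s code. It shows a login check written two ways: the buggy version pastes user input straight into a SQL statement, so a crafted username logs in as an administrator without any password; the fixed version uses a parameterized query, which is the standard remedy for this class of bug. The user table, credentials and function names are constructed for illustration (Python’s built-in sqlite3 module, in-memory database), and passwords are stored in plaintext only to keep the example short; a real application would store password hashes.

```python
import sqlite3

# Constructed sample data standing in for a real application's user table.
# The credentials are fictitious.
USERS = [
    ("alice", "correct horse battery staple", "admin"),
    ("bob", "hunter2", "user"),
]


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The bug: user input is concatenated into the SQL text.

    Whatever the user types becomes part of the statement, so a value that
    closes the quoted string and starts a comment rewrites the WHERE clause
    and returns a row without the password ever being checked.
    Returns the matched role, or None when no row matches.
    """
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """The fix: a parameterized query.

    The SQL text is fixed and the driver supplies the values separately, so
    quotes and comment markers in the input are compared as data, never run
    as SQL.  Same inputs, same return convention as login_vulnerable().
    """
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both login checks with an honest login and with an injection payload."""
    conn = build_db()
    # Classic payload: the quote closes the username literal and "--" turns
    # the rest of the statement (the password check) into a SQL comment.
    payload = "alice' --"
    honest_password = "correct horse battery staple"
    results = {
        "vulnerable_honest": login_vulnerable(conn, "alice", honest_password),
        "vulnerable_attack": login_vulnerable(conn, payload, "anything"),
        "safe_honest": login_safe(conn, "alice", honest_password),
        "safe_attack": login_safe(conn, payload, "anything"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name}: {role}")
```

Running the script shows the vulnerable check returning the admin role both for the genuine password and for the payload with a bogus password, while the parameterized check returns the admin role only for the genuine login and nothing for the payload. The point for vendor review is that the fix is neither exotic nor expensive; a vendor that tests against the OWASP Top 10 should be catching exactly this kind of mistake before it ships.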

Was this information useful? We're always adapting and changing, just like hackers. Please feel free to send us feedback. We'd love to hear from you and make Colgate more secure.