At least 70 per cent of security breaches occur because of poorly written code with zero thought for security, says S S Kumar.
There has been a surge in the number of cyber attacks recently, leaving most organisations in a state of utter confusion. Until now, most organisations felt safe if their network was protected with firewalls.
Not any more.
This is because of the misconstrued notion that cyber attacks succeed mainly because of weaknesses in the networks used: strengthen the network with firewalls and everything will be safe. Nothing could be farther from the truth.
The fact often missed is that weak networks account for only up to 20-30 per cent of cyber security breaches. The other 70 per cent (some even estimate this to be up to 90 per cent) of the security breaches occur because of poorly written code with zero thought for security.
The sad part is that in India very few have been professionally trained to write secure code that can withstand a hacker's break-in attempts. It is only now that a beginning is being made.
A counter strategy to cyber attacks can be implemented in three ways:
- Most solutions offer a scanner that flags off all the identified vulnerabilities in your existing code.
A vulnerability is defined as a weakness in your code that gives a hacker ready entry into your application and lets them cause havoc. While choosing scanners, be careful to select one that throws up a minimum number of false positives, which can send you on a wild goose chase and waste your productive time.
Tools like Checkmarx score high marks in this regard.
- Once you have zeroed in on the vulnerabilities, your next task is to rewrite the vulnerable portions of your code with stronger code.
While experienced people can fall back on their ingenuity to mentally replace these portions, those at the beginning of their familiarisation cycle can depend on tools such as TeamMentor to seek ready alternatives that can replace such vulnerabilities in a jiffy.
- After the above two steps have been carried out, one would still like to know how safe the repaired code is against future cyber attacks.
Most organisations, to be doubly sure, invoke a tool like Holodeck that simulates cyber attacks just as a cyber attacker would do.
If the revised code is able to withstand the simulated attacks in-house, it is ready to face the outside world of ruthless cyber attackers; else, it goes back to the development lab for further corrections.
This approach follows the dictum that it is much cheaper to fix a vulnerability within the lab than to pay anywhere from 60-100 times more in the field after release.
Smarter organisations have started using Checkmarx to check the security quality of the incremental code written the previous day, by letting Checkmarx run overnight or early the next morning, to ensure a uniformly high quality of code from the security angle.
Since cyber attacks are a recent phenomenon, they offer a ready opportunity for IITs/NIITs to start teaching students how to write secure code, so that when they graduate they are industry ready.
Considering that banks in India have already lost nearly Rs 7 crore (Rs 70 million) to online frauds, this is a nascent area requiring large-scale expertise, which is simply not available to date.
Such institutes may want to look at a tool like TeamProfessor/e Learning, for starters.
The author is chairman & managing director of Astral Systems (India) Pvt Ltd, Bangalore.