1(630)802-8605 Ravi.das@bn-inc.net

Well, hopefully everybody out there had a great Thanksgiving and ate all that could be eaten.  As for me, it was a normal workday, as I had a client that needed something on Black Friday.  So, speaking of which, how many of you have actually gone shopping in a physical brick and mortar store?

I was out and about in the late morning around here in the Western burbs, but really did not notice too much of actual car traffic on the roads.

But this does not mean that actual shopping did not take place.  From what I understand based on the news headlines, it appears that most Americans spent their time on Friday shopping online.

In fact, I think some $7 Billion or more was spent this time around, breaking all-time records.  I plan to do some Black Friday shopping of my own but will wait until Cyber Monday to do that.

So, with all of this online activity that is going on, the Cyber Security news headlines are also pouring in on how to stay safe while giving out your credit card number, and all of the fake domains and Phishing attacks that seem to be taking place. 

Nothing new here, as this is to be expected.  But I did come across a headline which stated that Cyberattackers are now heisting the Email address books of both individuals and companies and sending out “fake” Thanksgiving ecards. 

I have never heard of this tactic before, but it just simply shows that the Cyberattacker always has something new up their sleeve.

This now brings me to the topic of today’s blog.  As we keep getting inundated with Emails and advertisements on YouTube about all sorts of Holiday shopping specials, the trend of shopping online from the comfort of home is only going to proliferate in the coming years.

Many brick and mortar stores are realizing this and are thus scrambling to stay ahead of the competition by putting up their online stores.

But keep in mind that in today’s digital world, the Ecommerce or other online shop that you see is just one aspect of the whole thing.  In other words, this is just the front end, or the “GUI” component of it.  There is a lot more happening in the backend, especially when it comes to storing your Personally Identifiable Information (PII) and processing your financial transaction.

Ecommerce platforms of today have become much more complex and even occupy a much bigger chunk of the Cloud storage space than ever before.  A lot of this has to do with the source code that is being used to develop them. 

For instance, back in the late 90’s during the .com craze, all a start up had to do was create the programming that was needed in just one repository, using something such as Cold Fusion, ASP.Net, etc.  To that extent, it took only perhaps a few developers to create the Ecommerce site, and it was up and running.

But in today’s times, it takes far more resources than that to launch a robust Ecommerce site.  As a result, many businesses are now resorting to outsourcing some of their software development needs to other third parties.  While this may be a good move in order to get the site launched on time and to stay within budget, it also carries its own set of grave security risks.

Many of these external software developers are only tasked to create a certain module of the source code, and from there, it is then integrated into the entire software stack.  Now, while the company that is trying to launch its Ecommerce site has taken the appropriate security measures when creating its own lines of source code in house, the outsourced party more than likely has not, thus causing even more headaches.

So, in order to bring this issue more to the forefront, an organization known as “The Common Weakness Enumeration” (or “CWE” for short) has just released its report on the top 25 source code vulnerabilities that have occurred during the development process and that, in some way, shape or form, have been the root cause of a Cyberattack.

Here is the list:

Improper Restriction of Operations within the Bounds of a Memory Buffer – 75.56

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – 45.69

Improper Input Validation – 43.61

Information Exposure – 32.12

Out-of-bounds Read – 26.53

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – 24.54

Use After Free – 17.94

Integer Overflow or Wraparound – 17.35

Cross-Site Request Forgery (CSRF) – 15.54

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) – 14.10

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – 11.47

Out-of-bounds Write – 11.08

Improper Authentication – 10.78

NULL Pointer Dereference – 9.74

Incorrect Permission Assignment for Critical Resource – 6.33

Unrestricted Upload of File with Dangerous Type – 5.50

Improper Restriction of XML External Entity Reference – 5.48

Improper Control of Generation of Code (‘Code Injection’) – 5.36

Use of Hard-coded Credentials – 5.12

Uncontrolled Resource Consumption – 5.04

Missing Release of Resource after Effective Lifetime – 5.04

Untrusted Search Path – 4.40

Deserialization of Untrusted Data – 4.30

Improper Privilege Management – 4.23

Improper Certificate Validation – 4.06

(SOURCE:  https://www.securitymagazine.com/articles/91341-mitre-cisa-dhs-announce-25-most-dangerous-software-errors)

The value to the right shows the degree of vulnerability that this particular flaw brings to the table.  In order to calculate it, the CWE team used a system that took data from the Common Vulnerabilities and Exposures (CVE®) list, the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS), and combined all of them based upon a proprietary algorithm that computed that particular score.

An advantage of using this kind of methodology is that it can take into account new threat vectors as they come up and regenerate the list of the Top 25 vulnerabilities on a real-time basis.  Much more detailed information about the list just presented can be seen here at this link:

https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
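To make the scoring idea above concrete, here is an added example (not code from the original post or from MITRE) that reimplements the published 2019 CWE Top 25 formula: each CWE gets a min-max normalized frequency (how many NVD CVEs map to it) multiplied by a min-max normalized average CVSS severity, times 100. The CVE records below are constructed for illustration and are not real NVD data; the equal-weight fallback when every CWE ties is my own assumption.

```python
# Added example: the 2019 CWE Top 25 score, Score = Fr * Sv * 100, where
# Fr = normalized CVE count per CWE and Sv = normalized average CVSS per CWE.
# SAMPLE_CVES is constructed (fake CVE ids and scores), not real NVD data.
from collections import defaultdict

# (CVE id, mapped CWE, CVSS base score) - constructed sample records
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-119", 9.8),   # memory buffer: frequent and severe
    ("CVE-0000-0002", "CWE-119", 9.8),
    ("CVE-0000-0003", "CWE-119", 7.5),
    ("CVE-0000-0004", "CWE-119", 8.1),
    ("CVE-0000-0005", "CWE-79", 6.1),    # XSS: frequent but lower severity
    ("CVE-0000-0006", "CWE-79", 5.4),
    ("CVE-0000-0007", "CWE-79", 6.5),
    ("CVE-0000-0008", "CWE-89", 9.8),    # SQL injection: rarer but severe
    ("CVE-0000-0009", "CWE-89", 8.8),
    ("CVE-0000-0010", "CWE-295", 5.9),   # cert validation: rare and moderate
]


def cwe_top25_scores(cves):
    """Return {cwe_id: score} following the 2019 CWE Top 25 methodology."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    for _cve_id, cwe, cvss in cves:
        counts[cwe] += 1
        cvss_sum[cwe] += cvss
    avg_cvss = {cwe: cvss_sum[cwe] / counts[cwe] for cwe in counts}

    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg_cvss.values()), max(avg_cvss.values())

    scores = {}
    for cwe in counts:
        # Assumption: if every CWE ties on frequency or severity the
        # normalization is undefined, so treat that factor as 1.0.
        fr = (counts[cwe] - min_f) / (max_f - min_f) if max_f != min_f else 1.0
        sv = (avg_cvss[cwe] - min_s) / (max_s - min_s) if max_s != min_s else 1.0
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def ranked(cves):
    """Top 25 style ordering: highest score first."""
    return sorted(cwe_top25_scores(cves).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for cwe, score in ranked(SAMPLE_CVES):
        print(f"{cwe}: {score}")
```

Note that the least frequent CWE always scores 0 and the most frequent one scores the full weight of its severity, which is why a rare but critical weakness like improper certificate validation lands near the bottom of the real list despite its impact.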

My Thoughts On This

Now, I am far from being a software developer, though I have dabbled in it from time to time (in fact, soon, I will be teaching myself some of the basics of Python).  But I have written enough about the topic that I know what a serious security risk in source code means.  So, based on that, here is what I think are the most dangerous:

Memory Buffers;

Cross Site Scripting;

Improper Input Validation;

Improper Authentication;

Unrestricted Upload of File with Dangerous Type;

Improper Privilege Management;

Improper Certificate Validation.

To bring this home, these kinds of vulnerabilities can very easily trigger Distributed Denial of Service (DDoS) attacks, SQL Injection Attacks, the interception of PII and financial information, Phishing Attacks (especially where malicious documents are attached), and the creation of spoofed websites.  I could go on even further, but in my opinion, these are the biggest risks.

When we hear about Cyberattacks, the news headlines are often about what is happening on the front end of the application, such as how many credit card numbers were stolen, how many people were impacted, etc.  Very little attention is paid to what happens in the back end, especially when it comes to the vulnerabilities and weaknesses that have been discovered.

I do hope that this issue comes more into the limelight as we now approach 2020.  What does this mean for you?  Well, when you shop online, always have your guard up.  Be on the lookout for anything suspicious, and always keep an eye out for fraudulent activity by examining your credit card and banking information online.

You may not be able to avoid credit card theft or fraud as it happens, but you can for sure stop it in its tracks before it gets too late.