Police undergo thorough training to prepare for physical attacks, but when it comes to cyberattacks, the systems supporting some of the country’s largest law enforcement agencies have proven vulnerable. Reports are on the rise of hacktivists and other cybercriminals looking to expose sensitive information and sully the reputation of these organizations.
The onslaught of attacks has made security top of mind among chief technology officers (CTOs) and other IT pros who maintain the police systems. And Nick Selby, CEO of Southlake, Texas-based StreetCred Software Inc., has taken notice. StreetCred taps into multiple systems containing arrest warrants, driver’s license information and location data, and then organizes the data to help police track down fugitives. Selby, also a Texas police officer, said his biggest fear is that his appliance could be attacked, forcing jurisdictions to publicly disclose a data breach.
“It ends up with potentially highly sensitive information on fugitives,” Selby said. “We take really seriously our responsibility to be stewards of this information.”
Selby’s firm is among a growing trend in third-party vendors: Customer demands for information security are forcing system providers to invest in software security testing, scanning and pen testing. A recent study by Burlington, Mass.-based application security vendor Veracode found a small, but steadily rising number of third-party firms obtaining a code review. “The enterprise has to put policy in place to outline the criticality of defects that are required to be fixed and a certain time frame to get them fixed,” said Chris Wysopal, CTO of Veracode Inc.
Injecting security early in the development process improves efficiency but is a major culture change at most established enterprises, said Phil Cox, director of security and compliance at Santa Barbara, Calif.-based cloud management vendor RightScale. Cox, who was a consultant with SecurityExperts, used to give advice about developing effective security programs. He acknowledged the difficulty of implementing changes into the company culture.
“The hard lifting part is to walk into the organization and figure out how to inject additional software security within the organization’s DNA,” Cox said. “There are a lot of frameworks to help you do risk assessments and code reviews, but we’ve come to point where we’ve got to modify things to be RightScale-specific.”
Security must be viewed as a tool to build trust with customers, said Dave Aitel, CEO of Miami-based Immunity Inc. Only forward-thinking companies inject it early on into the development process, he said. A security breach as the result of a faulty product or service immediately damages that provider’s reputation, Aitel said.
“You should spend about as much on security as you do on marketing,” he said. “All the startups that have a 10-person marketing team really need to think about why they don’t have a 10-person security team.”
Selby said his company can show potential clients that the system will reduce costs, improve efficiencies and ultimately make it easier for police to track down individuals with an arrest warrant. But IT departments that maintain police agency systems often want assurances that the appliance is secure. Providing the pen testing report and proof of Web application testing makes it clear that the company is serious about security, Selby said.
“We say, ‘Here’s our architecture, here’s our reports’ and they immediately get it; the CTO understands,” Selby said. “We all equally arrived at the conclusion that there was no way that we could go into a place where we’ve seen agencies get breached and have to deal with a mess, without doing proper testing.”
The checkbox mentality with compliance is unfortunately often what happens with software security, said Jerry Hoff, vice president of static code analysis of Santa Clara, Calif.-based application testing firm WhiteHat Security. Because there are no standards for what constitutes a secure application, there are no legally binding definitions for code that is free from bugs, Hoff said.
Hoff said system providers that are serious about security get a complete architecture review to determine if encryption is properly used and other controls are properly configured. Continuous static code analysis should be done throughout the development lifecycle and manual human code review is essential.
“I used to get called about two weeks before an application went into production and I always had to be the bearer of bad news,” Hoff said. “Today people understand that software is insecure and are pounding on the door and asking what the company is doing to secure the data.”
For Nick Selby and his company, StreetCred, getting the software tested for security holes before engaging clients was a no-brainer. Selby, an information security expert and former analyst at the 451 Group, said he continues to follow the security industry closely. The alarming number of cyberattacks demonstrates that basic security blocking and tackling isn’t being done.
“Often it’s the smallest mistake that comes back to haunt you,” Selby said. “Basic errors wouldn’t be tolerated by law enforcement because it often means the difference between life and death.”