Intro: Breaching to the Choir
When a sensitive data breach at an important company like Equifax makes headline news, millions of consumers become immediately aware that they're now victims. The story is always about stolen data and the drama around the company's attempt to cover up the breach. But compromised data is a consequence of a security failure. What are the actual causes of such a severe security breach?
Oftentimes, sensitive data is compromised through insecure source code. That's the story within the story, the compelling story rarely told. Such failures occur frequently, even within the biggest and most familiar companies like Uber. Security failures even occur inside companies specializing in security, like OneLogin, but we rarely hear why these failures happened.
This is true in part because source code vulnerability is highly technical. As we will see, this is one issue we cannot afford to avoid because it is "too technical." But there is a more nefarious reason we don't hear about the cause of security failures: if companies revealed that their software lacked important security features, then they would quickly lose customer confidence. For this reason, Yahoo and other companies have intentionally concealed security breaches for years.
We will find that the source of these security breaches is the source code itself. In this article, we will explore the security vulnerabilities of source code repositories such as Git and Apache Subversion. We will also discuss a variety of solutions, including source code scanning. Let's start with a look at some recent security failures and uncover the common denominator.