Cigital Sniffs Out Malcode for SMB Application Security

By Pedro Hernandez | Posted March 27, 2015

Small businesses and fledgling development firms often inherently trust the software they run, whether it's from a third party or developed in-house. The problem, according to Stuart Dross, vice president of worldwide sales for Cigital, a software security testing and consulting firm, is that code can hide vulnerabilities, some of them placed there intentionally.

The application layer is often the last part of an IT environment that small businesses tackle from a security perspective, and with good reason, said Dross. Security experts are in short supply in small and midsized businesses (SMBs). Those who know how to spot suspicious code and application behavior, or who know how to code with data security in mind, are rarer still.

"Very few individuals have been given proper training on how to build secure software," said Dross. And don't expect security software vendors to come to the rescue.

Crouching Code, Hidden Disaster

Antivirus and antimalware solutions are great tools to keep a PC safe from spyware, keyboard loggers and other dodgy downloads; most would argue that they're required in this era of relentless hacks and data breaches.

But business applications that contain malcode generally don't raise any red flags because they work as promised, as far as virus scanners are concerned. It's a security blind spot that can place a company, its users and its business relationships at risk.


What's malcode? In a recent blog post, Brenton Kohler, a senior consultant for Cigital, described it as "any code added to, changed within, or removed from an application that is designed to subvert the application's intended function." Typical malcode can exhibit rootkit-like behavior and take the guise of Trojans, backdoors or time bombs (code that executes after a given timeframe, often with disastrous results), he added.

Malcode appears as regular code, biding its time until it's triggered, sometimes lying dormant for years and circumventing security testing techniques. After all, why suspect a business application that isn't acting suspicious?

There's good reason to be wary. "When executed, malcode can pilfer data, download and install software, siphon money from accounts, log keystrokes, and permit outsiders to control computers remotely, among many other misdeeds," continued Kohler.

Worse, said Kohler, the culprits may be "development partners (offshore or onshore) or even disgruntled current or former employees that have access to code, administration or control management," poisoning the software supply chain. They also may use embedded malcode to hide illicit activity, which can draw the attention of law-and-order types. Malcode can also run afoul of regulatory requirements like HIPAA or PCI-DSS, derailing a company's compliance efforts.

Naturally, the typical small business IT professional can't be expected to ferret out these threats, let alone owners and rank-and-file employees. It's time to bring in the experts.

Small Business Security Mentors

Whether developing or deploying custom applications, it's worth getting a security assessment and engaging with expert mentors, said Dross.

Cigital helps businesses of all sizes make certain that the software they rely upon isn't going to betray them. Among Cigital's services is Security Initiative in a Box (SSIB). "We go on-site for a month and bring them the policy, procedure, governance and testing" components to help companies lock down their applications.

SSIB can also include awareness and technical training, and in the fifth week, customers can show "demonstrable proof of their program," assuaging the concerns of stakeholders and security-conscious clients, Dross said. Cigital also offers a wide range of outsourced and managed services, including assessment, code review and remediation, tailored to a company's compliance and privacy requirements.

"We spend an awful lot of time helping companies understand the risk at the application level," he said.

Pedro Hernandez is a contributing editor at Small Business Computing. Follow him on Twitter @ecoINSITE.
