Network Based Protection Insufficient to Thwart Stuxnet

Veracode : 01 October, 2010  (Technical Article)
Veracode comments on the severity of advanced persistent threats such as the Stuxnet worm and advises an alternative approach to critical infrastructure security: using code verification techniques to ensure that back doors are tightly closed.
The Stuxnet worm continues to make headlines, most recently with reports that computers at an Iranian nuclear power plant have been infected, potentially giving hackers the ability to access computer-control systems and compromise plant operations. Security researchers at Veracode say that the Iranian power plant incident is further proof for government agencies in particular that cyber security threats have moved beyond data breaches to impacting the safety of entire nations. This statement follows earlier warnings from the company about vulnerabilities created by third-party software that were associated with the earlier Siemens Stuxnet attack.

Veracode and others in the security community view Stuxnet as particularly worrisome because of its sophistication, its ability to steal data and target computer-control systems, and, in many ways, its ability to avoid detection. According to Veracode, Stuxnet is the most recent example of an advanced persistent threat (APT), a category of attack used primarily for espionage, at either the corporate or government level, that is especially coordinated and clandestine. There has been a documented rise in APTs, a trend that presents a significant risk to the software infrastructure that sits behind porous firewalls.

"For far too long cyber security efforts have focused on network-based approaches to thwarting advanced persistent threats," said Matt Moynahan, CEO, Veracode. "It's critical for governments and corporations to quickly connect the dots between cyber security and the need for software assurance. Cyber security efforts must include a focus on securing our nation's software infrastructure given that is where the vast majority of exploitable vulnerabilities lie. The recent Iranian power plant episode is a clear example of the ease of exploiting insecure software."

Findings from Veracode's "State of Software Security Report: Volume 2" reinforce the fact that vulnerable third-party software creates significant attack opportunities for hackers interested in sabotage. In fact, based on security testing results, third-party suppliers failed to achieve acceptable security standards 81 percent of the time. Common risks such as cross-site scripting, SQL injections and potential security backdoors weaken the software supply chain and put organizations, or in this case, entire nations, at risk. Given the amount of third-party code incorporated into applications (sometimes accounting for up to 70 percent), testing and verifying the software system in its fully-integrated final form should be a requirement.

For additional perspectives on Stuxnet, read the related blog post by Veracode CTO Chris Wysopal, "More Vulnerabilities Discovered in Siemens Software." Additionally, the company's State of Software Security: Volume 2 can be downloaded by visiting the Veracode web site.
© 2012 ProSecurityZone.com