Systems that handle payment information, particularly e-commerce systems, are regulated by PCI DSS. Changes to the PCI compliance requirements have reclassified the use of outdated and insecure versions of TLS (and its predecessor, SSL) as non-compliant. This has some significant impact across the software industry as the changes went into enforcement today, June 30, 2018. The key takeaways for us as web application developers are that we must ensure that our deployed systems are using modern and secure TLS configurations, and that we should now do so at the expense of supporting legacy web browsers that are non-compliant, namely old versions of Internet Explorer and Windows.
Starting out in a new job can bring about feelings of excitement and eagerness. Those emotions can also be accompanied with doubts about being useful, anxiety, and imposter-syndrome. Having experienced everything listed above, I’ve learned some strategies to help overcome the negatives and be proactive.
Working with the Rietta team has been an amazing experience with comradery and mentorship. This article briefly explores my experiences at Rietta to help equip new developers with a plan to synergize and grow with a new team.
Throughout the public debate over Georgia SB 315, a bad analogy has been repeated by others that a public business or institution’s website server is like an online home. And, because nobody lets strangers just walk into their own home, Georgia should set the expectation that no one, criminal or ethical, should be allowed to come into an organization’s digital “home” without permission. But this analogy does not match reality!
Friday, April 13, 2018
Governor Nathan Deal
Office of the Governor
206 Washington Street
111 State Capitol
Atlanta, Georgia 30334
Dear Governor Deal:
I am writing you today on behalf of my Georgia-based security firm, asking that you veto SB 315. I am a long term Georgia resident, raised in the Atlanta area, and earned a B.S. in Computer Science and an M.S. in Information Security at Georgia Tech. My wife Danielle is a Mercer University alumna, and we are both conservative Christians who voted for you. My interests in computer security started early after I founded AtlantaWebHost.com eighteen years ago and started to see first hand how websites and servers were under continuous attack by malicious hackers. This first hand experience was the catalyst for pursuing a career dedicated to protecting websites and web applications from attackers.
An independent security researcher just uncovered Panera Bread’s negligent exposure of millions of customer records. He notified Panera in a responsible manner and even after 8 months had not fixed the flaw. The underlying problem was specifically serving private data on a public endpoint without strict authentication and access control. This is so basic that beginner API developers should know to avoid it. Moreover, it’s among the OWASP Top 10 (owasp.org), well known ways that databases become compromised through insecure web applications.
The Georgia House of Representatives voted 107 to 63 to approve GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) on Tuesday, March 27, 2018, on the Senate voted 42 to 7 to accept the House changes in the last hours of the session on Thursday, March 29, 2018. This bill has been specifically crafted to make critical security threat research a crime now heads to Governor Deal’s desk for his signature or veto.
GA SB 315 protects the 94% of the Forbes 2000 public companies that have no way to report a security hole at the expense of the public. They do not need this protection. We need a way to hold them accountable so that they fix their vulnerabilities.
This chilling fact was part of recent US Senate testimony by Katie Moussouris, the security professional responsible for launching Microsoft’s and the US Department of Defense’s first bug bounty programs.
That means only 120 of these companies have a formal program to receive information about and actively fix security flaws that impact the public. The other 1880 will just as soon press criminal charges or civilly sue anyone who dares attempt to bring a security hole to their attention. Many of these companies would rather put their heads in the sand and pretend that they have no issues than to actually fix fundamental security problems with their IT systems. This is why we hear so much about cybersecurity insurance and companies and governments paying ransom to unlock their data rather than actually deploying comprehensive security controls in the first place.
Please contact Governor Nathan Deal and ask that he VETO SB 315! Tell him that our Internet security is too important to jeopardize with an overly broad bill that can be used to put innocent Georgians in jail and destroy the careers of law abiding citizens while doing nothing to hold the companies who put our data at risk accountable.
GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) just passed the House Judiciary Non-Civil Committee and will be voted on this week. While significantly improved through the committee process, it still creates a dangerously broad definition of Criminal Unauthorized Computer Access that is so sweeping, people will need permission before visiting any website.
This bill was drafted because Georgia law enforcement and the U.S. FBI could not find any law broken by a professional security researcher. This researcher tried to alert Georgia election officials of voter data inappropriately published publicly on the Internet by Kennesaw State University, a contractor for the Georgia Secretary of State’s Office. What he discovered through ordinary Google searching was that voters’ names, addresses, and other private information was indexed by Google and accessible by anyone. After months, he and another researcher discovered that the data was still available on the public Internet and brought it to the attention of the media. Only under the daylight of public attention was the data removed from the Internet in an embarrassing scandal.
The Equifax website borked again, this time to redirect to fake Flash update (arstechnica.com). This is the latest episode in the sad saga of insecurity at the embattled Atlanta-based credit reporting giant. Atlanta is known for a healthy information security ecosystem and the Georgia Institute of Technology and Kennesaw State University both have cybersecurity programs at the undergraduate and graduate level. If Equifax cared to hire security minded people to work in key areas they could.
Patch management is hard when the software being patched is supported by a major corporation with a long support window. It’s even harder when integrating numerous open source projects of various maturity. One lesson from the Equifax data breach is that failure to update your deployed application for months after the upstream project is updated can lead to dire consequences.