Cloud security: Third party code

Using third party code in cloud computing can be a security risk for users since the code does not originate from the developer, allowing hackers an easy avenue to breaking into networks.


ISS SourceWith cloud computing becoming more of an entity in the industry, there are dangers involved with using third-party code, a new report said.

Part of the explanation comes back in December when a hacker breached Yahoo! with an SQL injection attack that took advantage of a vulnerability in a third-party application that was provided on the Yahoo! Web site, according to a report from Imperva.

This attack highlights the risk that many Web applications face: Web applications may contain some sort of third-party code, such as APIs, not created by the developers.

“The weak link in the Yahoo! attack was not programmed by Yahoo! developers, nor was it even hosted on the Yahoo! Servers, and yet the company found itself breached as a result of third-party code,” said Amichai Shulman, CTO, Imperva. “The challenge presented by the Yahoo! breach is that Web-facing businesses should take responsibility to secure third-party code and cloud-based applications.”

Technically, security teams should:

  • Protect third-party Web applications against SQL injection and other Web attacks: Incorporate security into the software development life cycle, perform penetration tests and vulnerability assessments on the application, and deploy the application behind a Web Application Firewall (WAF).
  • Harden your system: When the application goes from development to production, the system configuration needs to harden to disable any irrelevant parts that may help the attacker. In the hardening process detailed error messages should end up disabled, there should be restrictions on excessive file and directory permissions, and you should delete source code leftovers.

From a business standpoint, executives should always assume third-party code – coming from partners, vendors, mergers and acquisitions – contains serious vulnerabilities.

Some recommendations:

  • Put in place legal requirements in a contract for what you will and will not accept from a security perspective.
  • Incorporate security due diligence for any merger or acquisition activity.
  • Require coding standards and security requirements in every specification between you and the third party.
  • Demand metric reports for security of the vendor’s code that are repeatable and verifiable.
  • Require that all security requirements are met prior to the first time the code executes in your environment.
  • Require a comprehensive review of possible vulnerabilities resulting from new external services operating in conjunction with your current services.
  • Require a report specifying security issues and measures taken to address them for every task and deliverable from the vendor.

Click here to download the complete report.

No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Sister act: Building on their father's legacy, a new generation moves Bales Metal Surface Solutions forward; Meet the 2015 Engineering Leaders Under 40
2015 Mid-Year Report: Manufacturing's newest tool: In a digital age, digits will play a key role in the plant of the future; Ethernet certification; Mitigate harmonics; World class maintenance
2015 Lubrication Guide: Green and gold in lubrication: Environmentally friendly fluids and sealing systems offer a new perspective
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security
Cyber security attack: The threat is real; Hacking O&G control systems: Understanding the cyber risk; The active cyber defense cycle
Designing positive-energy buildings; Ensuring power quality; Complying with NFPA 110; Minimizing arc flash hazards
Building high availability into industrial computers; Of key metrics and myth busting; The truth about five common VFD myths
New industrial buildings: Greener, cleaner, leaner; New building designs for industry; Take a new look at absorption cooling; Offshored jobs start to come back

Annual Salary Survey

After almost a decade of uncertainty, the confidence of plant floor managers is soaring. Even with a number of challenges and while implementing new technologies, there is a renewed sense of optimism among plant managers about their business and their future.

The respondents to the 2014 Plant Engineering Salary Survey come from throughout the U.S. and serve a variety of industries, but they are uniform in their optimism about manufacturing. This year’s survey found 79% consider manufacturing a secure career. That’s up from 75% in 2013 and significantly higher than the 63% figure when Plant Engineering first started asking that question a decade ago.

Read more: 2014 Salary Survey: Confidence rises amid the challenges

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.