In the digital age, the biggest concern on everyone’s mind is data security. Data breaches and loss of sensitive data frequently appear in the news headlines, along with the financial loss caused as a result. No industry, whether government, finance, Internet or any other, is safe. Sensitive data loss can lead to misuse of information and stolen funds, which in turn cause reputational damage, heavy financial penalties and lawsuits. The deployment of data protection technology is crucial. At present, Data Leakage Prevention (DLP) tools on the market have grown from the traditional control and behaviour monitoring solutions to content-aware solutions. However, these products are still mainly for passive protection, with insufficient proactive techniques. Is there an effective way to make up for this shortcoming?
Sensitive data loss refers to information that is accessed without authorization, either through attacks or through accidental leakage. Once accessed, it may cause severe consequences for organisations or individuals. For organisations, the data can include information that is confidential to the enterprise, for example financial records, personnel data, network structure, IP address lists and more. Examples of an individual’s private data include names, ID numbers, addresses, phone numbers, bank account numbers, email addresses, passwords and more.
The motive behind malicious attacks is invariably financial gain, whether through fund transfers via stolen credit card or bank account details or through ransom demands following phishing attacks. According to the “Personal Information Leakage” survey by the China Consumers Association, over 80% of respondents have encountered sensitive data loss. The most worrying consequence is use in fraudulent activities, reported by 70.5% of respondents, followed by sale or exchange to third parties at about 52.4%. Hackers can sell sensitive data to others, and buyers can use other people’s information or data for profit or other illegal purposes.
Governmental organisations around the world have actively introduced laws and policies to address the threat and misuse of sensitive data. China passed its first cybersecurity law in 2017 and more recently, in June 2020 the government released the draft data security law for public comment. In Europe, the GDPR extends the scope of the EU data protection law to all foreign companies that process data from EU residents with severe penalties for those organisations that fail to meet the standards.
Cybersecurity Ventures predicts that in the five years from 2017 to 2021, global spending on cybersecurity products and services will exceed $1 trillion. This is clearly due to the growth of business-critical systems and the corresponding dramatic increase in cybercrime. How to effectively protect sensitive data has become a top priority; however, this spending is often made in the wrong area of IT security.
As mentioned, DLP tools have grown in prominence, but passive monitoring and reactive defences still have their shortcomings. It is the hidden vulnerabilities inside applications that are exploited most by hackers. The 2019 Internet Network Security Situation Review, released by the National Computer Network Emergency Technology Coordination Center, clearly states that security vulnerabilities in applications and web applications account for nearly 80% of cybersecurity concerns.
Figure 1: Security Vulnerabilities by Type (CNVD 2019)
The techniques for securing sensitive data should start from the source code of applications and not rely solely on perimeter defence and network security solutions. Developers can be unaware of security risks in the code that they write. This problem can be addressed with tools that perform in-depth static analysis of the source code, an approach known as Static Application Security Testing (SAST). The reasons are:
- SAST can proactively identify potential security risks in the early stages of software development and integration.
- DLP tools cannot always identify threats to data such as code injection into a website, which SAST can identify more readily.
- IT security professionals working within companies are often experts at solutions like DLP but not at identifying software code errors.
The flagship product Xcalscan from Xcalibyte can proactively discover defects that may cause data leakage. During program development, sensitive data fields are identified and the operators and system API interfaces that the program calls are checked to confirm they handle that data securely. These interfaces include system printing, file storage, IPC pipes, IPC sockets, etc. This ensures that sensitive data is not leaked, actively or passively, thereby reducing the company’s risk of data leakage. The scan results (Figure 2) and the sensitive data leakage path (Figure 3) below show the sensitive data leakage risk points and leakage paths found in an example Java project.
Figure 2: Scan Results
Figure 3: Sensitive Data Leakage Path
Static analysis can perform in-depth inspection and scanning of source code, enabling secure coding to intervene early at the various stages of software development, continuous integration and continuous delivery (CI/CD). At Xcalibyte, we are glad to see that companies from different fields regard static code scanning as the first step in corporate network security and view code analysis solutions as an essential strategic investment. In today’s world, data security is not just the responsibility of cybersecurity or data privacy officers; it is also the responsibility of developers. The most security-aware companies recognise that security budgets must be allocated alongside all technology within an organisation and not just at the network level.
Main image by rawpixel.com / Freepik