Since establishing a technology risk and security team more than two years ago, the National Australia Bank (NAB) has delivered a scathing report on the insecurity of enterprise software, including that provided by information security vendors themselves.
During a presentation at this year's Gartner IT Security Summit in Sydney, the bank's general manager of technology risk and security, Gary Blair, said over the past two years his team has reported 48 defects to software vendors, and since only high and medium defects are reported "they are not trivial".
"I would like to have a basis for not talking to you today, but two defect reports a month is too large," Blair said. "We believe the research focuses elsewhere. Most security research for commercial software is done in the consumer space. We don't believe there is enough focus on enterprise software. It may have been sufficient in the past but not any more."
Most of the vulnerabilities NAB's technology risk and security team discovered related to privilege escalation; authentication bypass and SQL injection were also prominent.
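Two of the defect classes named above, authentication bypass and SQL injection, are often one and the same bug: a login query built by string concatenation lets the caller rewrite the `WHERE` clause and log in as whoever they choose, which is also a privilege escalation when the chosen account is an administrator. The following is an added example, not code from the article or from NAB; the table, the accounts and the payload are constructed for the demonstration, and the `login_*` function names are hypothetical.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
# Passwords are stored in clear text only to keep the example short; a real
# system would store and compare a salted hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2', 'user')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The defect: user input is pasted into the SQL text, so quote characters
    # and comment markers supplied by the caller become part of the query.
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()  # (username, role) or None


def login_hardened(conn, username, password):
    # The fix: parameter binding keeps input as data. The driver never
    # reinterprets it as SQL syntax, whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    conn = make_db()
    # The attacker supplies a username that closes the quoted string and then
    # comments out the password check. The vulnerable query becomes:
    #   ... WHERE username = 'alice' --' AND password = 'wrong'
    # so it matches the admin row without knowing the password.
    payload = "alice' --"
    bypassed = login_vulnerable(conn, payload, "wrong")
    blocked = login_hardened(conn, payload, "wrong")
    # A legitimate login still works through the hardened path.
    legit = login_hardened(conn, "bob", "hunter2")
    return bypassed, blocked, legit


if __name__ == "__main__":
    bypassed, blocked, legit = demo()
    print("vulnerable login with payload:", bypassed)   # ('alice', 'admin')
    print("hardened login with payload:  ", blocked)    # None
    print("hardened legitimate login:    ", legit)      # ('bob', 'user')
```

The same payload is sent to both functions; only the vulnerable one returns the administrator's row. Parameter binding is the check a reviewer would look for in any vendor code that builds queries from request data, and it is cheaper to confirm at product evaluation than after deployment.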
Two security testing capabilities were created within the team to focus separately on projects and operations. The team itself undergoes an annual probity check to ensure "the right people" are working in the team.
"We identify defects in our own code and in the configuration of commercial software, but we found more than that," Blair said, adding that serious attacks are moving up the solution stack, so network-layer defences remain necessary but are no longer sufficient.
Blair said data is becoming the primary target and serious attacks are motivated by financial gain; international crime gangs and rogue nation states have proven well enough financed to recruit the skills needed to carry out such attacks.
"I'm impressed by the quality of exploit code," he said. "We are seeing growth in the ability of people to deploy malicious code, and that code is well written."
Back in the "green screen" days, banks had a person sitting at a terminal with a secure SNA connection to the mainframe, who would interact with the customer over the phone. As technology adoption broadened, banks gave customers direct access to those systems over IP networks.
"We are opening up data stores to people who previously didn't have access," Blair said. "The business models are the right ones, and there is no going back; we are putting data into position where we need to consider security. Software as a service, SOA, and Web 2.0 also present more risk to data."
The team focuses its testing on two points: product evaluation, before purchase, and the move into production, by which time "defects in vendor code should have been sorted out".