"From our experience in assessing the security of websites, one of the primary reasons serious vulnerabilities are reintroduced is a lack of strict version control processes and regression testing," said Jeremiah Grossman, chief technology officer at WhiteHat Security, a Santa Clara, Calif.-based Web application security provider.
Version control (also called source control, revision control and source code management) ensures that code changes are clearly identified and associated by timestamp and developer. Version control gives developers the ability to review files previously committed to the code repository and if necessary, revert to earlier versions if a bug is introduced. This process can also work to ensure old bugs aren't reintroduced. Once code is considered stable and secure it can be tagged accordingly and all project efforts going forward work only from that code-stable declaration.
Software development version control is also critical to successful application regression testing. As defined by the Testing Standards Working Party, a volunteer group devoted to the development of new software testing standards, software regression testing is the act of retesting a previously tested program following modification to ensure that faults have not been introduced, reintroduced, or uncovered as a result of the changes made. Rix Groenboom's OWASP AppSec Europe 2006 presentation, Protecting Web services and Web applications against security threats,included these points about regression testing:
- Software development is an iterative process.
- An iterative development process fails without regression testing. The same applies to security.
- Fixing a security vulnerability should be coupled with a policy and an enforcement mechanism to prevent it from recurring.
- Regression testing practices result in a visible quality process that reinforces trust.
Had this vulnerability been more severe, perhaps leading to a data breach, the implications of reintroduced vulnerabilities could also resurface: brand and reputation damage, breach disclosure costs, etc.
A published report indicated that an Ameriprise spokesman downplayed the initial vulnerability report, saying it only affected one portion of the company's site and didn't put anyone at risk. However, the U.S. Department of Homeland Security found the Ameriprise XSS vulnerability redux significant enough to include it in its Feb. 3 Daily Open Source Infrastructure Report, a summary of open source published information on significant critical infrastructure issues.
The lesson here is clear: If you want to stay off DHS's list, demand version control and software regression testing from your development teams. While there are no guarantees of security, these are simple steps that can certainly improve security posture for financials, and all business sectors.
About the author:
Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance.
Russ speaks and writes frequently regarding infosec topics, including toolsmith, a monthly column for the ISSA Journal.