Automation is the best way to prevent cyber attacks
October 2019 by Varsha Saraogi
In recent years, airports and airlines have come under constant attack from cybercriminals, putting millions of people’s personal data at risk and even managing to close down airports. GlobalData Airport Technology website investigates what can be done to prevent these cyber attacks that have caused operational problems and cost billions of dollars. GlobalData Airport Technology Journalist Varsha Saraogi asked Cybersecurity firm Veracode’s EMEA CTO Paul Farrington about the challenges facing the aviation industry and why he believes the solution lies in automation.
Varsha Saraogi (VS): “Why are airports and airline companies becoming more vulnerable to cyber attack?”
Paul Farrington (PF): “The consequence of a cyberattack affects an airline and has a knock-on effect on passengers. When there is a cybersecurity incident it’s going to get media attention and rise to the top in the news agenda. In our State of Software Security Report, there is an excerpt which includes the aviation industry. We found that in the aviation industry, unfortunately, most software applications failed common security standards. There is a security standard called the open web application security project and it provides a checklist of vulnerabilities. Only one in four applications that were tested against the standard passed the first inspection. However, airports did a good job in closing out the flaws or potential vulnerabilities that are found in software within the first hundred days and, they actually beat the global averages across many different industries. Unfortunately, what we do see with industries relating to infrastructure is that after a period of time things remained unfixed. Complacency does set in and that’s where greater attention should actually be paid. They need to ensure that across the software development lifecycle, developers are not just fixing the complex and sophisticated risks, but actually addressing things like cross-site scripting, and preventing issues which could allow an attacker to penetrate a system.”
VS: “How can technology help airports combat cyberattacks?”
PF: “There is too much emphasis on using clever human beings to find issues that automation would do ten times faster. We need to make sure we’re getting that balance correct. Trying to tackle the security problem with human beings won’t scale because there are only so many security experts in the world. In fact today, there are more than two million vacancies across the world for cybersecurity experts, and manual penetration testers are a part of that deficit of people who are qualified to perform analysis.
VS: “Do you think human decision making can be balanced with automation?”
PF: “Market pressures will move more towards automation whether you’re an airport or an airline company. There needs to be sufficient emphasis from the government and from the regulators to address this issue. In practical terms, with a combination automation and the right tools, we need to ensure that we have security experts in DevOps teams in companies for embedding security across the organisation. As we call them – DevSecOps, which is an evolution of DevOps, and they ensure that security is part of the entire conversation. In terms of automation, when software gets committed back to the repository, what we can do is automate the scanning of that software. So without a developer needing to press a button, the software is scanned for vulnerabilities and those results are sent to the development team. In case of a functional defect, a ticket gets created and added to the system’s backlog which is a list of security issues that need to be addressed. By doing so, it becomes just part of the normal hygiene of how software gets created and maintained. Having that as part of a company of creating code using automation and having a blinking light on the developer’s desktop when there’s a security issue means that without any disincentives to the developer, the software engineers address issues as they crop up as part of everyday working and this ensures that the software becomes more secure.”
VS: “How does Veracode’s Greenlight software work?”
PF: “Analysts Chris Wysopal and Christien Rioux created a security tool, which – when they co-founded Veracode – became known as static analysis. Think of this as an MRI scanner, where you’re looking deep into the tissue that makes up the software for the potential weaknesses that an attacker could exploit. However, in the early days, static analysis was looking at the entire application which can take time to address the different weaknesses. In the culture now developers are demanding faster analysis techniques because they’re under pressure to ensure that they’re producing software at a higher speed. Greenlight actually uses the static analysis techniques, but rather than just looking at the entire application, it is able to analyse the things that have just been changed in a file. Greenlight is able to give developers feedback on the code they’ve created within seconds. The reason why we call it Greenlight actually is that when they write a secure code, they get a green light, as an affirmation that what they’ve just done is correct. Where security vulnerabilities have been spotted in the code, the software will actually highlight it and say ‘this is a potential security vulnerability,’ or ‘a flaw has been found and this needs to be addressed in the following ways.’ Developers can then make the changes in seconds. If you compare that to receiving results an hour or a week later, the focus is lost and the incentive for the software engineer to actually address the issues are less.”
VS: “How is technology like this likely to progress in the future?”
PF: “If you can leverage automation it gives you greater time to think about things like threat modelling. Through the process of threat modelling, one can pre-empt the kind of potential attack even before code is being written. The way software gets created today is quite different from 20 years ago as the majority of it is comprised of open source components – code written outside your organisation. The problem with using open source software is that – just like your own – there is a tendency for it to be insecure. If it hasn’t been tested there is a significant chance that vulnerabilities will exist in that software, so ensuring that we’re using open source components that are secure is really important. Critically, around 80 to 90% of companies use open-source software – many of which have been unaware of how that software is being created. Going forward, the emphasis needs to be placed on how software is being brought in, because that’s of crucial importance to aviation.”