Third-party code in cloud computing poses security risks: report

A new report highlights the dangers of third-party code in cloud computing and recommends that businesses should put in place legal requirements in a contract for what they will and will not accept from a security perspective.

In December 2012, a hacker breached Yahoo! with an SQL injection attack that took advantage of a vulnerability in a third-party application that was provided on the Yahoo! website. This attack highlights the risk that many Web applications face: Web applications may contain some sort of third-party code, such as APIs, that was not created by the developers.

“The weak link in the Yahoo! attack was not programmed by Yahoo! developers, nor was it even hosted on the Yahoo! Servers, and yet the company found itself breached as a result of third-party code,” said Amichai Shulman, CTO, Imperva. “The challenge presented by the Yahoo! breach is that Web-facing businesses should take responsibility to secure third-party code and cloud-based applications.”

Imperva, Inc.’s January Hacker Intelligence Initiative Report, “Lessons Learned from the Yahoo! Hack,” urges business to incorporate security due diligence for any merger or acquisition activity.

Technically, Imperva recommends enterprises conduct a Web application vulnerability security assessment. A manual review of Web application security or proper use of automated Web application security vulnerability assessment can identify potential vulnerabilities that should be addressed in the software development lifecycle (SDLC).

The report also recommends the deployment of a Web Application Firewall (WAF). A WAF serves as a security policy enforcement point that prevents vulnerable Web applications from being exploited.