Alejandro Reskala, Vice President of Global Technology, International TransUnion, explained the problems that result when developers think in a linear fashion.
Reskala launched into his keynote presentation at the 2016 Chief Information Security Officer Leadership Forum held in Chicago on June 22 by stating that security can’t happen as long as developers and delivery professionals continue to be “linear thinkers” in application development.
“The real world isn’t linear,” said Reskala, “so we need a nonlinear approach to application development. Developers believe that if security aspects are left to the InfoSec guys, we’ll have more secure applications, right? Not so. If everything is left to the InfoSec people, applications will be less secure.”
One of the major problems with data protection begins with our own applications, said Reskala. “We’re doing something wrong, but what is it? If we’re using the proper tools and using skilled developers, where’s the gap? The gap is the linearity issue.”
Fixing the software development gap requires a mindset change, Reskala explained. “With the boom of object-oriented programming—and, to a greater extent, with aspect-oriented programming—we tend to trust that what each object or each aspect does is its only task and purpose. The problem is that in real life, this trust is misplaced. This mindset change needs to be applied to software development.”
Reskala described a case in which a financial institution was alerted by a vendor that the vendor could log on to the bank’s system with a user name but no password. Chaos and panic ensued, and the institution had to cease operations immediately. The bank replicated the problem in its development and testing environment and found that there both the user name and the password were required. Ultimately it was discovered that delivery management, when promoting the application from testing to production, had changed one setting to ‘unauthenticated,’ which meant that access could be gained without a password. “This problem could have been avoided if the developers had made some rudimentary and fundamental validations to assure the user and password weren’t empty,” observed Reskala. “This means, literally, one line of code.”
Reskala provided another example that he tagged “The Bank Job,” which alludes to a British film of the same name about the Baker Street robbery that happened in London in 1971. “In India, the public sector banks are way behind in technology innovations,” he explained. “At the end of 2015, the banks hired a local vendor to develop an app for online banking. A friend of mine downloaded the app on his iPhone 6 to test it. He used his Mac as a proxy server running Burp to capture the interactions between the app and the bank’s application. He did a number of actions using his Mac and eventually the back-end system yielded a session ID. This was the door for everything else. Burp makes it possible to intercept the signal between the back end and the browser or application and inject code or anything you want. All of the validations were made on the front end, on the app, instead of checking on the back end,” said Reskala. “Developers shouldn’t trust what a particular function is supposed to do. They need to employ due diligence.”
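Both incidents reduce to the same rule: the back end must validate what it receives, whatever a deployment flag or the client app claims to have checked already. The Python sketch below is an added example, not code from the talk or from TransUnion. It puts the two failures side by side with a hardened version of each: the `Bank` class, its user table and balances, the `auth_mode` flag standing in for the setting flipped to ‘unauthenticated’, and the JSON-style request dictionaries are all constructed for the example. The tampered requests imitate what an intercepting proxy such as Burp lets a tester send once the app’s own checks are out of the loop.

```python
import hashlib
import hmac
import secrets

# Constructed for the example: a fixed salt keeps the demo deterministic;
# real password storage needs a per-user random salt.
_SALT = b"demo-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


class Bank:
    """Hypothetical toy back end with a vulnerable and a hardened path for
    each of the two incidents described in the talk."""

    def __init__(self, auth_mode: str = "password"):
        # auth_mode stands in for the deployment setting that was changed to
        # 'unauthenticated' when the application was promoted to production.
        self.auth_mode = auth_mode
        self.users = {"alice": _hash_pw("correct horse"),
                      "mallory": _hash_pw("hunter2")}
        self.balances = {"alice": 1000, "mallory": 0}
        self.sessions = {}  # session id -> account owner

    def _new_session(self, username: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    # --- incident 1: the 'unauthenticated' setting -------------------------
    def login_vulnerable(self, username, password):
        """Lets the config decide whether a password is needed at all."""
        if username not in self.users:
            return None
        if self.auth_mode != "unauthenticated":
            if not hmac.compare_digest(self.users[username], _hash_pw(password or "")):
                return None
        return self._new_session(username)

    def login_hardened(self, username, password):
        """Fails closed: empty credentials are rejected before anything else
        (the 'one line of code'), and the password is always verified."""
        if not username or not password:
            return None
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash_pw(password)):
            return None
        return self._new_session(username)

    # --- incident 2: validation only in the mobile app ---------------------
    def transfer_vulnerable(self, req: dict) -> str:
        """Trusts every field of a request the app already 'validated';
        whatever a proxy rewrote is applied as-is."""
        if req.get("session") not in self.sessions:
            return "no session"
        src, dst, amt = req["from"], req["to"], req["amount"]
        self.balances[src] -= amt
        self.balances[dst] = self.balances.get(dst, 0) + amt
        return "ok"

    def transfer_hardened(self, req: dict) -> str:
        """Re-derives and re-checks everything on the server."""
        owner = self.sessions.get(req.get("session"))
        if owner is None:
            return "no session"
        src = owner  # the source account is never taken from the request body
        dst, amt = req.get("to"), req.get("amount")
        if isinstance(amt, bool) or not isinstance(amt, int) or amt <= 0:
            return "bad amount"
        if dst not in self.balances or dst == src:
            return "bad destination"
        if self.balances[src] < amt:
            return "insufficient funds"
        self.balances[src] -= amt
        self.balances[dst] += amt
        return "ok"


def demo() -> dict:
    """Replays both incidents and returns the observations."""
    out = {}
    prod = Bank(auth_mode="unauthenticated")
    out["empty_pw_vuln"] = prod.login_vulnerable("alice", "") is not None
    out["empty_pw_hard"] = prod.login_hardened("alice", "") is not None

    bank = Bank()
    sid = bank.login_hardened("mallory", "hunter2")
    # Constructed tampered request: Mallory rewrites 'from' to Alice's account,
    # something the app's front-end checks would never let it send.
    tampered = {"session": sid, "from": "alice", "to": "mallory", "amount": 500}
    out["tamper_vuln"] = bank.transfer_vulnerable(dict(tampered))
    out["alice_after_vuln"] = bank.balances["alice"]

    bank = Bank()
    sid = bank.login_hardened("mallory", "hunter2")
    tampered["session"] = sid
    out["tamper_hard"] = bank.transfer_hardened(tampered)
    # A negative amount bypasses the app's client-side range check as well.
    out["negative_hard"] = bank.transfer_hardened({"session": sid, "to": "alice", "amount": -500})
    out["alice_after_hard"] = bank.balances["alice"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened login never consults `auth_mode` at all, which is the point: a credential check that can be switched off by a deployment setting is not a check. The hardened transfer takes the source account from the server-side session, so rewriting `from` in the proxy changes nothing, and it rejects non-positive and non-integer amounts before touching a balance.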
Here are Reskala’s security recommendations from a developer’s perspective:
• Stop being a linear thinker!
• Bring security up front (to the earliest stages of SDLC). It pays off.
• Have the security team—not the testing team—create test cases to try to breach the application.
“We need to start collecting and analyzing information on every data breach so we can predict what’s going to happen. That’s the future of security,” said Reskala.
ABOUT ALEJANDRO RESKALA:
Mr. Reskala is a vice president at TransUnion Global Technology for the International business, helping to estimate mission-critical projects for development and execution. Mr. Reskala is responsible for the development and support of the international Credit Report System and other products across different countries. He also directs and leads a team of experts on search-and-match technology.
Mr. Reskala has extensive experience in supporting TransUnion’s International Bureau operations, including IT due diligence work for M&A.
Prior to joining TransUnion in 2006, Mr. Reskala worked as a CIO for the Credit Bureau in Mexico City and as a DevTest Director at Santander Bank (formerly Serfin Bank). He has performed roles of Enterprise Architect and D&R Director for companies in Canada and the U.S.
Mr. Reskala holds a B.S. degree in Electronics Systems Engineering from Monterrey Institute of Technology and Higher Education, with graduate work in Computer Science.