Black Hat is Black Gold for Medidata
Nearly every week a customer asks me about our security measures, usually whether we run regular vulnerability scans. The simple answer is yes, but the question misses the bigger picture. A standard security scan treats the Internet as the attack vector, probing what is exposed to the outside world, and that is not the only way in. A determined attacker can also get in through the application itself: with the right tools, a hacker can capture a legitimate user's login credentials and walk through the "front door" as that user. At that point the only barrier between a single compromised account and every other user of the system is the security built into the application itself. To really test your defenses, you have to attempt penetration by every route, including a manual attack on the code.
Every day I have to ask myself the question, “Could our systems stand up to these sophisticated attacks?” The best way to find out is to attack ourselves first and then hire somebody else to do so. Attacking ourselves first is a multifaceted exercise. The first step we take is training our developers to think about security and how their code might be hacked while it’s being developed. Our goal is to develop a security top-of-mind environment so that our engineers produce code that is not only functionally outstanding, but also secure.
The second step comes in the form of automated tools. We use two: Brakeman and Burp Suite. Brakeman is an open-source vulnerability scanner designed specifically for Ruby on Rails applications. It is a static analyzer: it reads our Rails source code, without running the application, and flags security issues at each stage of development. When it identifies an issue, the engineers repair it before the code moves on to the next stage. After a product is finished, we run a second round of automated testing with Burp Suite. Burp Suite is an integrated platform for security testing of web applications, and unlike Brakeman it works against the running application over HTTP. Its tools support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. Again, once issues are discovered the engineering teams remediate them and the software is ready for the next step. Neither tool is complete on its own: a static analyzer cannot see how the deployed system behaves, and a dynamic scanner only sees what is reachable through the interface, which is why the manual steps that follow matter.
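To make the static-analysis step concrete, here is an added illustration of the kind of check a tool like Brakeman performs. This is not Brakeman's code (Brakeman's real checks are far more thorough) and it is not Medidata's; it is a small scanner built on Ruby's standard-library Ripper parser that walks a file's syntax tree and reports ActiveRecord query methods whose SQL fragment argument is built with string interpolation, the classic Rails SQL injection pattern. The controller source it scans is constructed for the example; `params` and `User` stand in for the usual Rails objects and are never executed.

```ruby
require "ripper"

# ActiveRecord query methods whose first argument is a raw SQL fragment.
SQL_FRAGMENT_METHODS = %w[where order group having joins select find_by_sql execute].freeze

# Constructed sample source for the example (not real application code).
# <<~'RUBY' keeps the #{...} sequences literal so the scanner sees them.
SAMPLE = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      # Unsafe: user input interpolated straight into the SQL fragment
      @users = User.where("name = '#{params[:name]}'")
      # Unsafe: ORDER BY built from a request parameter
      @sorted = User.order("#{params[:sort]} DESC")
      # Safe: bind parameter, the database driver quotes the value
      @safe = User.where("name = ?", params[:name])
      # Safe: hash conditions
      @also_safe = User.where(name: params[:name])
      # Safe: interpolation only in a bind value, not in the SQL text
      @bind = User.where("email LIKE ?", "%#{params[:q]}%")
    end
  end
RUBY

# Does this subtree contain a string literal with #{...} interpolation?
def interpolated?(node)
  return false unless node.is_a?(Array)
  return true if node.first == :string_embexpr
  node.any? { |child| interpolated?(child) }
end

# Return the [:@ident, name, [line, col]] node naming the method being called.
def call_ident(node)
  case node.first
  when :method_add_arg then call_ident(node[1]) # recv.m(args) or m(args)
  when :command_call   then node[3]             # recv.m args
  when :command        then node[1]             # m args
  when :call           then node[3]             # recv.m
  when :fcall          then node[1]             # m
  end
end

# Return the argument list node of a call, or nil if it has none.
def call_args(node)
  case node.first
  when :method_add_arg         then node[2]
  when :command_call, :command then node.last
  end
end

# First positional argument of a call. Only that argument is SQL text;
# later arguments are bind values, quoted by the driver, so interpolation
# inside them is fine.
def first_arg(args)
  args = args[1] if args.is_a?(Array) && args.first == :arg_paren
  args = args[1] if args.is_a?(Array) && args.first == :args_add_block
  return nil unless args.is_a?(Array) && args.first.is_a?(Array)
  args.first
end

# Walk the S-expression and collect {method:, line:} for every risky call.
def scan_sql_interpolation(node, findings = [])
  return findings unless node.is_a?(Array)
  if %i[method_add_arg command_call command].include?(node.first)
    ident = call_ident(node)
    args  = call_args(node)
    if ident.is_a?(Array) && ident.first == :@ident && SQL_FRAGMENT_METHODS.include?(ident[1])
      sql = first_arg(args) || args # fall back to the whole arg list if the shape is unexpected
      findings << { method: ident[1], line: ident[2][0] } if interpolated?(sql)
    end
  end
  node.each { |child| scan_sql_interpolation(child, findings) }
  findings
end

# Parse a source string and return the findings in source order.
def scan_source(src)
  tree = Ripper.sexp(src)
  raise ArgumentError, "source does not parse" if tree.nil?
  scan_sql_interpolation(tree)
end

scan_source(SAMPLE).each do |f|
  puts "line #{f[:line]}: #{f[:method]} called with an interpolated SQL fragment"
end
```

Run against the sample, the scanner reports only lines 4 and 6; the three safe forms pass, including the `LIKE` query where the interpolation sits in a bind value rather than in the SQL. That distinction, between SQL text and data passed through the driver, is exactly what the engineers fix when such a finding comes back.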
The third step involves our own developers in a competition-style event called "Black Hat Friday." On designated Fridays, we encourage our developers to hack into their colleagues' software. We offer monetary rewards as well as bragging rights, and even a black fedora for the person who discovers the most vulnerabilities. These internal attacks have several advantages. For one, we can run Black Hat exercises frequently, which helps us address compliance requirements and test our susceptibility to a newly published vulnerability or attack method. In addition, our internal developers know the code base in far more detail than an outside consultant, so they can translate Black Hat findings directly into corrective actions that reduce the company's risk. Finally, the Black Hat exercise is a training opportunity in itself, which circles us back to the first step.
The final step is an external, third-party evaluation and penetration test to verify that we really have addressed any security shortfalls within the software we produce. Application penetration tests play an important role in Medidata's overall security strategy and our Black Hat Fridays are really the “Gold Standard.” By learning to view our Software as a Service (SaaS) as attackers view it—and by sharing penetration results and security awareness across all the developers—we get a unique snapshot of the risks our clients face. It's one thing to have security policies and tools in place. When it comes to an actual intrusion attempt, a Black Hat penetration exercise can tell you whether your security practices make the grade.
More about Glenn