The most tempting target for a veteran cracker is a developer's network, because beating top programmers puts a feather in their cap. A server holding unencrypted personal financial records is the favorite mark for crooks out to make money, but some of the most skilled crackers still see breaking into other people's work as a game. For them, penetrating a development platform is the best way to find confidential code, plant a back door, or prove their chops by showing what they can do.
As far back as the 1983 movie WarGames, kids knew that the developer’s server is the place to look for the latest programs. And, since developers often glue security onto applications at the last minute, it's also the best place to find unsecured versions of new or already-deployed applications. This makes the developer’s network a favorite for commercial espionage.
Developer networks are often the least secure in the company: they must be open enough to share code easily, they hold source code rather than just compiled programs, and they frequently run older versions of protocols and software. It's essential to have a firewall between the developer network and the rest of the company, as well as between the developer network and the Internet (except in the rare case where the whole workgroup sits in one office on a dedicated network with no outside access).
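As an added example (not from the article), this is what that segmentation looks like as an nftables ruleset on a Linux gateway that routes between the three networks. The interface names (dev0, lan0, wan0), addresses, and the handful of permitted services are assumptions chosen for illustration; the point is the shape of the policy: default drop, a narrow list of what the developer segment may reach, an even narrower list of what may reach it, and nothing inbound from the Internet.

```nft
#!/usr/sbin/nft -f
# Assumed layout (example values, not from the article):
#   developer segment  10.20.0.0/24  on dev0
#   corporate LAN      10.10.0.0/16  on lan0
#   Internet uplink                  on wan0
#   10.20.0.10  source control / build server, the only dev host the LAN may reach
#   10.10.1.5 and 10.10.1.6  corporate directory and package mirror

flush ruleset

table inet devfw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed below; nothing half-open
        ct state established,related accept
        ct state invalid drop

        # Developers may reach only the directory service and the package mirror on the LAN
        iifname "dev0" oifname "lan0" ip daddr { 10.10.1.5, 10.10.1.6 } tcp dport { 443, 636 } accept

        # The rest of the company may reach only the source control server, over SSH and HTTPS
        iifname "lan0" oifname "dev0" ip daddr 10.20.0.10 tcp dport { 22, 443 } accept

        # Outbound from the developer segment to the Internet: HTTPS only
        iifname "dev0" oifname "wan0" tcp dport 443 accept

        # Nothing from the Internet into the developer segment; log attempts
        iifname "wan0" oifname "dev0" log prefix "devfw-inbound-drop: " drop

        # Everything else falls to the drop policy; log it so the gaps are visible
        log prefix "devfw-drop: " drop
    }
}
```

Load it with `nft -f devfw.nft` and watch the logged drops for a few days: anything legitimate that was missed shows up there, and each addition to the accept lists should be deliberate rather than a blanket "allow the LAN".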
Developer networks also tend to get the least security maintenance. Programmers are busy, and management may assume that since the programmers are experts their network doesn't need special attention. Developers are likely doing the most time-sensitive, mission-critical jobs in the company, and no one wants to be blamed for taking down a network by applying a patch that doesn't work right or by kicking all the users off for routine maintenance.
If security software were perfect, you could lock down the developer network with a solid firewall and good antivirus software. After all, programmers are far less likely than most office workers to browse the Web casually or open e-mail attachments from strangers, and those two activities are the prime causes of security problems.
Vulnerabilities in firewalls and antivirus software products
As with browsers and operating systems, firewalls, antivirus software, and other security software have vulnerabilities of their own. Major security holes were recently discovered in the following popular firewalls. If your developer network is secured by any of these products, you need to address the threat immediately.
- A number of versions of Check Point Next Generation software have format string vulnerabilities that could allow a remote attacker to gain administrative access to vulnerable systems. Worse, some versions containing the flaw won't be patched, and nearly 30 percent of users have those early versions installed.
- Zone Labs reports that versions of ZoneAlarm, ZoneAlarm Pro, ZoneAlarm Plus, and the Zone Labs Integrity Client contain a buffer overrun in their SMTP handling. According to Zone Labs, "In order to exploit the vulnerability without user assistance, the target system must be operating as an SMTP server. Zone Labs does not recommend using our client security products to protect servers."
- The SonicWALL firewall and VPN appliance also has denial-of-service and information-disclosure vulnerabilities that were discovered in the past few weeks.
Several popular antivirus vendors have recently reported holes in their own security software.
- Symantec/Norton had a problem with its automated LiveUpdate system that blocked access to Word and Excel on some users’ systems.
- Symantec’s Firewall/VPN Appliance 100, 200, and 200R exposed passwords in plain text.
- A virus can create directories with certain names (including names starting with "!") that Symantec's AntiVirus software can't scan.
- Kaspersky Labs has denial-of-service vulnerabilities in various versions.
- German security firm AERAsec has reported serious "failure to handle exceptional conditions" flaws in Kaspersky Labs' AntiVirus for Linux, Trend Micro's InterScan VirusWall products for Linux and UNIX, Sendmail, and McAfee Virus Scan for Linux v4.16.0.
Go to SecurityFocus' BugTraq archive and look up your vendor in the vulnerability database; you'll likely find something that surprises and perhaps frightens you.
The lesson to learn
Even the firewall and antivirus software you depend on to protect your network is subject to programming errors and must be diligently maintained. That means not just updating antivirus signature files and tweaking firewall settings, but also tracking and repairing newly discovered vulnerabilities in the security products themselves.
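The tracking half of that lesson is mechanical once you have an inventory: a list of which security products run where, at which version, compared against the affected-version ranges that vendor bulletins and BugTraq posts publish. The script below is an added example (not code from the article or from any vendor) of that comparison. The product names, versions, and advisories in it are constructed for illustration and are not real advisories; the one detail worth noticing is that version strings must be compared numerically, because a plain string comparison ranks 4.2.0 above 4.16.0 and would quietly miss an affected host.

```python
"""Inventory-versus-advisory check for the security products guarding a network.

Added example, not code from the article or from any vendor. The product
names, versions and advisories below are constructed for illustration; they
are not real advisories.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str, width: int = 4) -> tuple:
    """Turn '4.16.0' into (4, 16, 0, 0) so versions compare numerically.

    A plain string comparison ranks '4.2.0' above '4.16.0'; padding to a fixed
    width keeps '4.16' and '4.16.0' equal.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts.extend([0] * (width - len(parts)))
    return tuple(parts[:width])


@dataclass(frozen=True)
class Advisory:
    product: str
    first_affected: str            # inclusive
    last_affected: Optional[str]   # inclusive; None means every later version too
    fixed_in: Optional[str]        # None means the vendor ships no fix
    summary: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.first_affected):
            return False
        if self.last_affected is not None and v > parse_version(self.last_affected):
            return False
        return True


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    summary: str
    action: str


# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("fw-dev", "ExampleFW", "4.2.0"),
    ("fw-dmz", "ExampleFW", "4.16.0"),
    ("build01", "ExampleAV", "7.1.3"),
    ("git01", "ExampleAV", "6.0.0"),
]

# Constructed advisories, in the shape a vendor bulletin or BugTraq post gives you.
ADVISORIES = [
    Advisory("ExampleFW", "4.0.0", "4.15.99", "4.16.0",
             "format string flaw in management interface"),
    Advisory("ExampleAV", "7.0.0", "7.1.4", "7.1.5",
             "denial of service on crafted archive"),
    Advisory("ExampleAV", "6.0.0", "6.99.99", None,
             "denial of service on crafted archive; 6.x branch will not be patched"),
]


def check_inventory(inventory, advisories):
    """Return one Finding per (host, advisory) pair where the installed version is affected."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product != product or not adv.affects(version):
                continue
            if adv.fixed_in is None:
                action = "no vendor patch: replace the product or isolate the host"
            else:
                action = f"upgrade to {adv.fixed_in}"
            findings.append(Finding(host, product, version, adv.summary, action))
    return findings


if __name__ == "__main__":
    for f in check_inventory(INVENTORY, ADVISORIES):
        print(f"{f.host}: {f.product} {f.version} - {f.summary} -> {f.action}")
```

The "no vendor patch" outcome is the one the Check Point item above describes: when a vendor declines to fix an affected branch, the finding has no upgrade path and the only remediation is replacing the product or isolating the host, which is worth surfacing separately from the routine upgrades.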
If the network you use to create, store, and modify code isn't secure, then no amount of encryption or other built-in security measures can guarantee that the applications you deploy are secure. Without complete confidence in your network, you simply can't know whether a cracker has planted back doors or perused your code and found flaws that are easy to spot in source but might never be found by brute-force attacks.
You simply cannot rely on a lock-down-and-forget-it policy when it comes to securing your network. Developer networks seldom get the attention they require, yet they are especially vulnerable and need that attention to stay secure.