Human Errors & Security Issues
I estimate that at least 90% of the cyber security issues in the wild are caused by human error. You may wonder how I arrive at this estimate. No, I'm not even talking about social engineering, phishing and other targeted attacks on humans. Although those account for a good number of issues, what I'm referring to is what every single device connected to a network has in common.
The answer lies in the code that allows them to operate and perform business functions. From firmware to software, a human has coded every instruction a device executes. These instructions allow a device to perform its operations, and if they are coded incorrectly, every device running that code is exposed to attack.
Whether your developers write their code from scratch or leverage various packages or APIs, each addition to the code base introduces a potential vector of attack. I hypothesize that most of these vectors are introduced unintentionally, but the effects can be equally catastrophic.
To the developers and run teams reading this: does your organization review all the firmware and software you use? How about the code you develop? With many companies using outsourced labor such as offshore or near-shore contractors for many aspects of the work, this issue becomes more complicated.
So is the complete chain of custody understood, and do you know every person who has changed something in the code? How about the path it takes before it is installed onto your production devices? Do you perform peer review on their code? Do you perform software composition analysis (SCA), or dynamic or static analysis, in your DevSecOps processes?
How about the firmware: did you flash known-good firmware, verified with MD5 sum checks, before putting the devices into production? It is in the best interest of an organization to put security controls not only around the chain of custody but around what, when and how its firmware and software is created, maintained and upgraded.
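A concrete form of the known-good firmware gate described above, as an added example that is not the author's code: a manifest of vendor digests is checked against each candidate image before deployment, rejecting tampered images, images the manifest does not list, and manifests that rely on a collision-prone algorithm such as MD5. The manifest format, file names and sample image bytes are constructed for illustration.

```python
import hashlib
import hmac

# Digest algorithms an integrity gate should accept. MD5 and SHA-1 are deliberately
# absent: both are collision-prone, so a manifest built on them is refused, not trusted.
ACCEPTED_ALGOS = {"sha256", "sha512"}


def digest_of(data: bytes, algo: str) -> str:
    """Hex digest of an in-memory image (used to build the known-good manifest)."""
    return hashlib.new(algo, data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'algo  hexdigest  filename' lines into {filename: (algo, hexdigest)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            algo, hexdigest, filename = line.split()
            entries[filename] = (algo.lower(), hexdigest.lower())
    return entries


def verify_image(filename: str, data: bytes, manifest: dict) -> str:
    """Return 'ok', 'mismatch', 'unlisted' or 'weak-algo' for one candidate image."""
    if filename not in manifest:
        return "unlisted"          # nothing vouches for this file: do not deploy
    algo, expected = manifest[filename]
    if algo not in ACCEPTED_ALGOS:
        return "weak-algo"         # the check itself cannot be trusted
    # Constant-time comparison so the result does not leak how many leading
    # hex characters of the digest matched.
    return "ok" if hmac.compare_digest(digest_of(data, algo), expected) else "mismatch"


def gate_deployment(manifest_text: str, images: dict) -> dict:
    """Check every candidate image against the manifest; deploy only if all are 'ok'."""
    manifest = parse_manifest(manifest_text)
    return {name: verify_image(name, data, manifest) for name, data in images.items()}


if __name__ == "__main__":
    # Constructed sample images standing in for vendor firmware blobs.
    vendor_images = {"router-v2.1.bin": b"\x7fFW\x00" + b"\x01" * 64,
                     "switch-v3.0.bin": b"\x7fFW\x00" + b"\x02" * 64}
    # Vendor-side manifest (in practice obtained over a trusted channel), built here from pristine images.
    manifest = "\n".join(f"sha256  {digest_of(d, 'sha256')}  {n}" for n, d in vendor_images.items())
    # Simulate a single flipped byte in one image on its way to production.
    candidates = dict(vendor_images)
    candidates["switch-v3.0.bin"] = candidates["switch-v3.0.bin"][:-1] + b"\x03"
    for name, status in gate_deployment(manifest, candidates).items():
        print(f"{name}: {status}")
```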
Rogue code can be introduced anywhere along the chain of custody that both code and devices take, and corrupt firmware could be installed, rendering devices useless. One example of targeting rogue code is from my brother, a CW4 Apache gunship pilot. In the Gulf War he was able to destroy a good number of targets just by homing in on injected code. The devices were printers, and they had special "ET phone home" like code for tracking.
If your organization develops software, it's essential to use both manual peer review and machine-based code review processes. It is also critical to perform penetration testing on your internal and external assets, including applications. These steps are the only ways to find, learn from, and minimize the human errors that, whether introduced accidentally or intentionally, can become major flaws in your products, expose you and/or your customers, and lead to your organization being the next big story in the news.
No organization wants this kind of attention or notoriety, or to have to explain it to their board of directors! Think about the operational and financial loss that could come from having your brand and company reputation tarnished.
What are your thoughts on the matter?