The massive security breach experienced by Equifax shook up a lot of people, and rightly so. Identity theft by cyber thieves has become a profitable source of income.
Digital Journal had an opportunity to talk with Lev Lesokhin, CAST’s EVP of strategy and analytics, thought leadership and product marketing worldwide. Founded 25 years ago, CAST is a global leader in the use of system-level analysis, providing companies with relevant software intelligence.
DJ: The CAST website says it goes beyond looking at the basic components of a system, examining the actual architectural and structural components, searching for flaws. CAST calls this System-Level Analysis. How is this different from other security checks?
Lev Lesokhin: “There are two main ways CAST does this. First, we take a different approach to security by looking at software quality. CAST analyzes software based on five “health factors” that impact application security, including efficiency, robustness, maintainability, transferability, and changeability. This is a wholly different approach from traditional security tools that only look at security-focused weaknesses (i.e. can a hacker insert code into my input fields to exploit sensitive data and gain access to my corporate system).
“Most of the cybersecurity expert ecosystem now believes that application security is tied to overall quality. CAST has been taking that approach for 20 years. Second, CAST makes it extremely easy for developers, managers, CIOs and even board members to understand where security issues might exist based on a comprehensive blueprint of the application in question.
“The blueprint takes a system-level approach by identifying every component, call path and command layer to create a visual image of how the application functions. This system-level blueprint then flags security hot spots and areas with critical vulnerabilities that should be prioritized to keep the organization and customers safe.”
DJ: When you were discussing the Equifax breach with SC Magazine, you said Equifax missed an opportunity to prepare for a breach, but others should not. While Equifax could have made a patch for the software when the problem first became evident, what else would you mean?
Lesokhin: “There are many facets to being prepared for a hacker attack. One important part of that is to have a robust piece of software that is engineered to be hard to break. The Struts vulnerability that was exploited is an issue with exception handling – if something goes wrong, how does the system handle the error.
This is a fundamental part of software robustness. If Equifax had measured and managed the robustness of their software, it would potentially have closed the security hole caused by this open source framework. A large part of security preparedness is architecting and building robust software.”
DJ: I agree that the human factor is the weakest link in security, but even still, the breach was from an outside source and was linked to a compromised server. Other than using better encryption, how else could they have protected their product?
Lesokhin: “If they were a CAST customer, for example, one of the things we recommend after a new, or known, software vulnerability is announced is conducting a portfolio-level scan of your applications to see if they are susceptible to the security flaw in question. In the case of Equifax, the vulnerability they succumbed to was a known weakness in a particular open-source framework used by the company to build software.
“It’s particularly easy for hackers to exploit weaknesses in open-source frameworks because by nature they are ‘open sourced’, meaning the public joins together to build and validate the framework. So, when a security vulnerability is found in open-source software, it can be a hackers playground, going from company to company exploiting these publicly-known backdoors.
“The human error in the Equifax case is that they did not proactively manage to remediate the open source vulnerability before it was exploited. Apparently, they did patch some of the instances of this vulnerability, but not all. Most large enterprises have hundreds of applications. It’s hard to know exactly where such vulnerabilities might exist without doing a full application portfolio assessment.”
DJ: I like CAST’s Application Intelligence Platform (AIP). Is this platform recommended as a way of doing a “yearly checkup” of a company’s system?
Lesokhin: “That’s a good way of framing it. Because AIP creates system-level blueprints, it is not really designed to be an “everyday” solution. However, it’s most common for our customers to conduct weekly or monthly scans with AIP depending on the sophistication of their software measurement programs and security needs. It is best to stay on top of structural quality and security in an ongoing fashion, rather than a once per year checkup.”
DJ: And I really need to know what CAST means when they talk about their products giving advanced X-ray vision into the software. Also, does CAST create the software?
Lev Lesokhin: “X-ray vision is another way for us to say system-level analysis. AIP is creating system-level blueprints, similar to an X-ray, where you are creating visibility into the structure of complex, large systems, thereby gaining insight into something previously undetectable or not visible to the naked eye.
“We do not create software on behalf of our clients, but we do create the software that enables this x-ray vision. We are often used to measure the quality of the software organizations develop in-house, or that is developed by outsourced IT consultancy shops, like Capgemini, Cognizant, Accenture, and others.”
CAST Application Intelligence Platform (AIP)
The CAST Application Intelligence Platform (AIP) is the result of two decades of R&D and is an enterprise-grade software measurement and quality analysis solution designed to analyze multi-tiered, multi-technology applications for technical vulnerabilities and adherence to architectural and coding standards.
CAST AIP is different from other security platforms on four key requirements of good measurement and quality. They include: Accuracy, precision, analytics based on industry standards, including CISQ, OMG, and CWE to make measurement comparable and understandable, and AIP is enterprise-grade.
Lev Lesokhin: EVP, Strategy and Analytics
Lesokhin is responsible for CAST’s strategy, analytics, thought leadership and product marketing worldwide. He has a passion for making customers successful, building the ecosystem, and advancing the state of the art in business technology. Lev comes to CAST from SAP, where he was Director, Global SME Marketing. Prior to SAP, Lev was at the Corporate Executive Board as one of the leaders of the Applications Executive Council, where he worked with the heads of applications organizations at Fortune 1000 companies to identify best management practices.
Lesokhin also served three years as a consultant at McKinsey & Company, dealing with issues of business strategy, IT management, metrics, and outsourcing. He began his career at the MITRE Corporation before moving to the private sector, where he spent several years as a developer and project manager and has managed large client relationships for a systems integrator. Lev holds a B.S. in Electrical Engineering from Rensselaer Polytechnic Institute and an MBA from the MIT Sloan School of Management.
