Application penetration testing, or pen testing, is more critical than ever, and today's news is only the most recent example of why.
Spiral Toys makes a line of Internet-connected teddy bears (aka smart bears, I guess) that allows parents and children who are physically apart to share personal messages.
Unfortunately for the purchasers of those bears, security was apparently an afterthought, as you will soon read. There is the issue of brand reputation damage, of course. My guess is that sales of Spiral's smart bears are now zero.
The story is that between last Christmas and early January, the messages and other account information, including passwords, were stored in a MongoDB database that was open to the Internet, not behind a firewall, and not even protected by a password.
This was right around the time that researchers were pointing out that the default installation configuration of MongoDB was not secure and did not even require a password to access the data.
The result is that 2 million messages from 800,000 customers, along with those passwords, were exposed to anyone who looked.
The passwords were hashed with the bcrypt algorithm, but researchers say that they are crackable anyway due to users' poor choice of passwords.
Spiral Toys, which Motherboard says appears to be located in California, could not be reached for comment. Multiple emails went unanswered and no one answered their phones.
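The two configuration failures in the story above, a database reachable from the Internet and no authentication required, are both visible in a mongod.conf file. The following is an added example, not code from the original post or from Spiral Toys: a small audit routine that takes mongod.conf-style settings (already loaded into a dict, so it needs no YAML library) and reports the weak settings beside the corrected ones. The sample configs are constructed for illustration; the key names `net.bindIp` and `security.authorization` are the real mongod.conf keys.

```python
"""Audit mongod.conf-style settings for the two failure modes in the story:
no authentication, and a listener bound to all interfaces.
Added example; the configs below are constructed, not taken from the incident."""

from typing import Dict, List

# Constructed sample: the shape of an old-style default install.
# No "security" section at all means no authorization, and 0.0.0.0
# means the listener accepts connections from any interface.
WEAK_CONFIG: Dict = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
}

# Constructed sample: the same server with authorization enabled and
# the listener restricted to loopback (an app server on another host
# would instead use a private interface plus a host firewall rule).
HARDENED_CONFIG: Dict = {
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
}

LOOPBACK_ADDRESSES = {"127.0.0.1", "localhost", "::1"}


def audit_mongod_config(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings: List[str] = []

    # Check 1: authorization must be explicitly enabled. A missing
    # security section is treated as disabled, which is what it means.
    authz = cfg.get("security", {}).get("authorization", "disabled")
    if authz != "enabled":
        findings.append(
            "security.authorization is not 'enabled': anyone who can reach "
            "port %s can read every collection without a password"
            % cfg.get("net", {}).get("port", 27017)
        )

    # Check 2: the listener should not accept non-loopback connections.
    # The default for a missing bindIp has changed between MongoDB
    # versions, so the audit treats an unset value as exposed and asks
    # for it to be set explicitly.
    bind_ip = cfg.get("net", {}).get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp is unset: set it explicitly rather than relying on the version default")
    else:
        # bindIp is a comma-separated list of addresses.
        addresses = [a.strip() for a in str(bind_ip).split(",") if a.strip()]
        exposed = [a for a in addresses if a not in LOOPBACK_ADDRESSES]
        if exposed:
            findings.append(
                "net.bindIp includes non-loopback address(es) %s: the database "
                "is reachable from other hosts, so it needs a firewall in front of it"
                % ", ".join(exposed)
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["no findings"])
```

Run as a script, the weak config produces two findings and the hardened one produces none. The check deliberately treats "no security section" as a failure rather than an unknown, because that silence is exactly the condition the researchers were warning about.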
Motherboard says “the company appears to be in financial trouble and might be going bankrupt, given that their stock value is around zero.”
THAT is the ultimate consequence of making insecure products. If the market responds appropriately, companies will go out of business.
For companies developing application software – whether it is for smart bears, business use or consumers – independent, third-party application pen testing is a critical part of the software development process.
AND you do not get to do that just once. Every time you release a new version you need to go through the testing process again. Every. Single. Time! This is not optional. It is mandatory.
We know of a company that was ready to sell a new software product to a very large multi-national. Making this sale was very important to the financial well-being of the company. The multi-national insisted on completing an application pen test prior to doing the deal. When the third-party testers attempted to hack the software, they found it to be an easy target. The developers spent a lot of long days and nights trying to redesign their software on the fly so that the penetration testers could retest it. In many cases, the third party won't do that – they produce a report of the software's security state as it was and then let the company deal with the fallout – which may include having to wait for another available testing window, paying for the retest and possibly losing that deal.
In this particular case, the good news for the buyer is that some major security holes in the software are now fixed. The bad news for the software vendor is that while they were able to band-aid some fixes, they now have to do some long-term software re-engineering.
If this company had included independent third-party application penetration testing as part of their security development lifecycle process, these security flaws would have been caught much earlier in the development cycle, would have been easier to fix, would have cost less to fix and would not have impacted the sale.
For their sake, I hope the toy company does not go out of business, but that is not a sure bet.
All because they didn’t consider application pen testing a mandatory requirement.
Information for this post came from Motherboard.