Recently, the British Airways data breach attributed to the hacker group “Magecart” raised eyebrows about the use of third-party source code. Mimicking a physical credit card skimming device, Magecart planted malicious JavaScript that captured the data users typed into British Airways’ payment page and sent it to servers the attackers controlled.
What makes this breach interesting is that British Airways, like other organizations of its size and scope, had spent millions of dollars on security resources to protect itself from exactly this kind of intrusion. Yet a breach like the one British Airways experienced comes down to the culture of IT around how open source and other third-party code is brought into an application.
No trend in today’s technology is greater than the use of open source software: software whose source code is published under a license that lets anyone use, modify and redistribute it, with contributors submitting their changes to the project’s maintainers for inclusion in the core of the application. Many products used today contain a significant amount of code from these projects, and that code finds its way into applications in private, public, small and large enterprises. If you build technology products in your business or service, chances are you have some open source components living in those products. That isn’t necessarily a bad thing: open source lets you expand the capabilities of your software beyond the knowledge base of your own programmers, leveraging the knowledge and experience of a community rather than the limitations of a few.
However beneficial, you do run the risk of ingesting code into your software without a thorough review, opening the possibility of malicious code living within your applications and internal network.
The attacks on British Airways and, before that, Ticketmaster were a form of malicious script injection that works much like cross-site scripting (XSS). Sounds confusing? Here is what that means in practice: JavaScript the site owner never wrote runs in the customer’s browser with the full privileges of the page, listens for user events such as clicks and form submissions, reads what was typed into the payment fields, and pushes that data to a location not owned by the application host. The site’s own servers never see that traffic, because it goes straight from the browser to the attacker. The difference from a classic XSS bug is how the script gets there: not through an unescaped input field, but inside code the site itself loads.
There are ways, however, to prevent cross-site scripting and script injection, and OWASP, the Open Web Application Security Project, which publishes the OWASP Top 10 list of web application risks, provides guidance and prevention techniques for IT practitioners in its cheat sheets. By following the OWASP guidance (output encoding and input validation for your own code, a Content Security Policy that restricts where a page may load scripts from and send data to, and Subresource Integrity hashes on scripts loaded from third parties), you can mitigate the risk of cross-site scripting vulnerabilities and of tampered scripts.
The problem with relying on OWASP guidance alone in the case of British Airways is that the malicious code arrived inside third-party code or libraries that the developers inserted into the application without a thorough inspection, much like a Trojan horse. The developers deployed the third-party code to their servers, bypassing security review. Once part of the core of the application, the script ran behind the scenes in every customer’s browser without the users or the product owner knowing.
These incidents are more common than you may think, which is why you should follow standards like OWASP’s, or recommendations from infosec publications, that not only identify but explain the ways to secure your software from intrusion. Additionally, you should adopt stringent processes and procedures to verify that open-source and third-party code is safe to include in your applications: pin and review specific versions, check on every build that what is deployed still matches what was reviewed, and restrict where your pages are allowed to send data. That is how you protect your customers’ data.