Computer Software: This is one of the most impactful of the industry sectors. Products in the high-tech industry serve a wide variety of users, so a vulnerability or defect in one product can affect many of them at once. For example, on July 19th, 2024, CrowdStrike released a faulty software update that caused a widespread outage; a single airline reported losses of about five hundred million dollars. The use of open-source libraries and third-party dependencies only exacerbates the risk. Enforcing in-depth privilege management across Windows, Linux and macOS, each with its own security model, adds to the challenge. Noting that privilege escalation reports are slightly lower than in previous years but that inconsistent security checks remain pervasive in this sector, the security experts recommend limiting access to the necessary resources on a least-privilege basis and granting it only to specific roles. This should be paired with an intrusion detection or intrusion prevention system that raises alerts and takes action. All components of the software products must be regularly patched.
Internet and online services: This sector is similar to computer software except that updates and releases occur at a faster rate than anywhere else. The push to scale quickly and roll out new features makes it hard to enforce strict access controls consistently, and that speed allows vulnerabilities to slip through. The recommendations from the security experts call for stronger authentication mechanisms such as MFA and re-authentication before sensitive actions, in addition to the least-privilege RBAC authorization described above.
Crypto and Blockchain: Organizations in this sector stand out as outliers because of their unique offerings and operations. While they build rigorous security practices from the start, they tend to overlook business logic discrepancies that undermine the security mechanisms in place; the rate of business logic errors here is the highest across industry sectors. When business models become complex, it becomes hard to eliminate edge cases and unintended uses. For example, smart contracts, which run on a blockchain and execute automatically, are immutable once deployed, so certain errors cannot be undone. Since such errors cause direct financial loss, they are prime targets for bug bounty hunters. The recommendations from the security experts include test-driven development of business logic, integration testing that covers many scenarios and edge cases, and authorizing business logic on a least-privilege basis.
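To make the business-logic point concrete, here is an added example (not code from the original post or from any real project) of a constructed token ledger written in Python rather than as a smart contract. The naive transfer routine checks the balance but never checks the sign of the amount and caches both balances before writing them back, so a negative amount drains the recipient and a transfer to oneself mints money. The hardened version rejects those edge cases and asserts that total supply is conserved, which is the invariant an integration test should check after every scenario. All account names and balances are constructed for the example.

```python
from dataclasses import dataclass, field


class LedgerError(Exception):
    """Raised when a transfer violates a business rule."""


@dataclass
class NaiveLedger:
    """Constructed 'before' version with two business-logic gaps:
    no sign check on amount, and balances cached before the writes."""
    balances: dict = field(default_factory=dict)

    def transfer(self, sender: str, receiver: str, amount: int) -> None:
        sender_bal = self.balances.get(sender, 0)
        receiver_bal = self.balances.get(receiver, 0)
        if sender_bal < amount:                  # passes for any negative amount
            raise LedgerError("insufficient funds")
        self.balances[sender] = sender_bal - amount
        self.balances[receiver] = receiver_bal + amount   # overwrites the line above if sender == receiver


@dataclass
class Ledger:
    """Hardened version: validates the edge cases and checks the supply invariant."""
    balances: dict = field(default_factory=dict)

    def total_supply(self) -> int:
        return sum(self.balances.values())

    def transfer(self, sender: str, receiver: str, amount: int) -> None:
        if isinstance(amount, bool) or not isinstance(amount, int):
            raise LedgerError("amount must be an integer")
        if amount <= 0:
            raise LedgerError("amount must be positive")
        if sender == receiver:
            raise LedgerError("self-transfer not allowed")
        if self.balances.get(sender, 0) < amount:
            raise LedgerError("insufficient funds")
        before = self.total_supply()
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        # Conservation invariant: a transfer must never create or destroy value.
        assert self.total_supply() == before, "supply invariant violated"


# Edge-case scenarios of the kind a test-driven suite would encode up front.
EDGE_CASES = [
    ("alice", "bob", -30),     # negative amount
    ("alice", "alice", 10),    # self-transfer
    ("alice", "bob", 0),       # zero amount
    ("alice", "bob", 101),     # more than the balance
    ("alice", "bob", 2.5),     # non-integer amount
]


def run_edge_cases() -> dict:
    """Runs the constructed scenarios against both ledgers and returns the outcomes."""
    results = {}

    naive = NaiveLedger({"alice": 100, "bob": 50})
    naive.transfer("alice", "bob", -30)          # alice takes 30 from bob
    results["naive_negative"] = dict(naive.balances)

    naive = NaiveLedger({"alice": 100, "bob": 50})
    naive.transfer("alice", "alice", 10)         # alice ends up with 110
    results["naive_self"] = naive.balances["alice"]

    hardened = Ledger({"alice": 100, "bob": 50})
    for case in EDGE_CASES:
        try:
            hardened.transfer(*case)
            results[case] = "accepted"
        except LedgerError as exc:
            results[case] = str(exc)
    hardened.transfer("alice", "bob", 40)        # the one legitimate transfer
    results["hardened_final"] = dict(hardened.balances)
    results["supply"] = hardened.total_supply()
    return results


if __name__ == "__main__":
    for key, value in run_edge_cases().items():
        print(key, "->", value)
```

The naive ledger is the kind of code that passes a happy-path unit test and fails in production; the point of writing the edge cases first is that every one of them would have failed against it before any funds were at risk.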
Travel and Hospitality: This industry relies heavily on marketing and often partners with other agencies, which requires OAuth redirects and referral links. Attackers exploit open redirect vulnerabilities by tampering with those links to lead users to malicious sites. Such exploitation can work its way from the least secured sites to the highly privileged ones through the referrals and integrations that are the de facto standard in this sector. The recommendations from the security experts include providing a clear warning for all redirects, notifying users when they leave or enter a site, sanitizing user inputs, and allow-listing based on client IPs or other client-side information.
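As an added example that is not part of the original post, the following Python shows the difference between a redirect handler that echoes a user-supplied "next" parameter and one that validates it against an allow list of hosts. The host names and the safe default are constructed for the example. Beyond the simple case of an attacker supplying a foreign host, the hardened version also rejects the bypasses that commonly defeat naive checks: protocol-relative URLs (//evil.example), backslashes that browsers treat as slashes, userinfo tricks (https://travel.example.com@evil.example), non-http schemes, and look-alike subdomains.

```python
from urllib.parse import urlsplit, urljoin

# Constructed allow list of first-party and partner hosts that a redirect may target.
ALLOWED_HOSTS = {"travel.example.com", "partner.example.org"}
SAFE_DEFAULT = "https://travel.example.com/"


def redirect_target_unsafe(next_url: str) -> str:
    """Vulnerable: returns the attacker-controlled parameter verbatim (open redirect)."""
    return next_url


def redirect_target(next_url: str, base: str = SAFE_DEFAULT) -> str:
    """Hardened: only same-site relative paths or allow-listed hosts survive;
    anything else falls back to the safe default."""
    if not next_url:
        return base
    # Control characters and whitespace let some parsers see a different URL than we do.
    if any(ord(c) < 0x21 for c in next_url):
        return base
    # Browsers treat backslashes as forward slashes; normalise before parsing so
    # "/\evil.example" is seen as the protocol-relative "//evil.example".
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one slash, never "//".
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urljoin(base, candidate)
        return base
    if parts.scheme not in ("http", "https"):
        return base                       # javascript:, data:, protocol-relative, ...
    if parts.username or parts.password:
        return base                       # https://travel.example.com@evil.example
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return base                       # foreign host or look-alike subdomain
    return candidate


if __name__ == "__main__":
    for sample in ["/account", "//evil.example/phish", "/\\evil.example",
                   "https:evil.example", "https://travel.example.com@evil.example/",
                   "javascript:alert(1)", "https://partner.example.org/offers?ref=1",
                   "https://travel.example.com.evil.example/"]:
        print(f"{sample!r:50} -> {redirect_target(sample)}")
```

Exact host matching is deliberate: a suffix check such as endswith("example.com") is what the look-alike case in the list defeats. The warning page the experts recommend sits naturally in front of the allow-listed partner hosts, while relative paths stay on the site and need no interstitial.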
Across these sectors and those in the earlier article, organizations spend much of their budget on known vulnerability types, including insecure direct object reference (IDOR) vulnerabilities, which can lead to unauthorized access, modification, or deletion of sensitive information. The security expert community recommends that organizations monitor report volume, payout levels, and researcher feedback to adjust budgets over time as their security programs evolve.
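The IDOR class above and the least-privilege, role-based authorization recommended for the software and online-services sectors are two sides of the same check, so one added example (not code from the original post or any real project) covers both. It is written in Python with a constructed invoice store, constructed users, and a constructed role table in which each role lists only the actions it needs and whether they apply to the caller's own resources or to any resource. The vulnerable accessor looks an invoice up by id alone; the hardened one first loads the object, then authorizes the action against the caller's role and ownership, and reports someone else's record as not found rather than forbidden so that an attacker cannot confirm the id exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    role: str


@dataclass
class Invoice:
    id: str
    owner_id: str
    total: int


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed role table (least privilege): action -> scope.
# "own" limits the action to resources the caller owns; "any" lifts that limit.
ROLE_PERMISSIONS = {
    "customer": {"invoice:read": "own"},
    "support":  {"invoice:read": "any"},
    "billing":  {"invoice:read": "any", "invoice:delete": "any"},
}

# Constructed data with sequential ids, the kind an attacker simply increments.
INVOICES = {
    "1001": Invoice("1001", owner_id="alice", total=120),
    "1002": Invoice("1002", owner_id="bob", total=980),
}


def get_invoice_idor(invoice_id: str) -> Invoice:
    """Vulnerable: any authenticated caller can read any invoice by guessing its id."""
    return INVOICES[invoice_id]


def authorize(user: User, action: str, resource: Invoice) -> None:
    """Raises unless the user's role grants the action on this specific resource."""
    scope = ROLE_PERMISSIONS.get(user.role, {}).get(action)
    if scope is None:
        raise Forbidden(f"role {user.role} may not {action}")
    if scope == "own" and resource.owner_id != user.id:
        # Same response as a missing record: no enumeration oracle.
        raise NotFound(resource.id)


def get_invoice(user: User, invoice_id: str) -> Invoice:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    authorize(user, "invoice:read", invoice)
    return invoice


def delete_invoice(user: User, invoice_id: str) -> bool:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    authorize(user, "invoice:delete", invoice)
    del INVOICES[invoice_id]
    return True


def attempt(fn, *args):
    """Helper that turns an outcome into a tuple so callers can compare results."""
    try:
        result = fn(*args)
        return ("ok", result.id if isinstance(result, Invoice) else result)
    except (NotFound, Forbidden) as exc:
        return (type(exc).__name__, str(exc))


if __name__ == "__main__":
    alice = User("alice", "customer")
    print(attempt(get_invoice_idor, "1002"))       # ('ok', '1002'): bob's invoice leaks
    print(attempt(get_invoice, alice, "1002"))     # ('NotFound', '1002')
```

Unpredictable ids (UUIDs) reduce guessing but are not a substitute for the ownership check; ids leak through logs, referrers and support tickets, and the check costs one comparison.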
Reference: previous article.
#codingexercise: CodingExercise-12-29-2024.docx