By now you’ve probably heard about the disclosure of unsalted, hashed passwords from LinkedIn and possibly other sites. While it’s not immediately clear how attackers got hold of the passwords, several people in the security community have pointed out that LinkedIn did not follow best practices for password storage: without a per-user salt, every account that shares a common password has the same hash, and a single precomputed table cracks all of them at once.
This deviation from best practices is far from rare. Any experienced security practitioner can tell stories of other supposedly security-sensitive organizations with the same or even laxer password storage standards. There are many possible reasons for this, but I’d like to offer two major root causes:
• In the widely accepted “test ourselves secure” approach, vulnerabilities that can’t be identified during penetration tests or automated static analysis never get fixed. Unsalted hashing is exactly this kind of issue: the stored form of a password is not observable from outside the application, so a black-box test will not flag it, and a static analyzer rarely knows that a given call to a fast hash function is being used for password storage
• Very few organizations invest in security requirements. Hashing and salting passwords is a very well-known security requirement, and organizations that track adherence to security requirements can identify deviations such as this one and actively track them to closure
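To make the requirement concrete, here is an added example (not code from the original post, from LinkedIn, or from any product) that puts the weak scheme beside the hardened one. It hashes a small constructed user list first with an unsalted fast hash (SHA-1) and then with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), and it counts how much work a constructed four-word dictionary attack costs against each. The user names, passwords, wordlist, iteration count and the `pbkdf2_sha256$…` storage format are all assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demo; not real accounts.
USERS = {
    "alice": "Password1",
    "bob": "Password1",              # same password as alice
    "carol": "correct horse battery staple",
}

# A small constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["123456", "Password1", "letmein", "qwerty"]


# --- Weak scheme: one unsalted, fast hash per password ------------------

def weak_hash(password: str) -> str:
    """Unsalted SHA-1: identical passwords always produce identical hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def weak_store(users: dict) -> dict:
    return {user: weak_hash(pw) for user, pw in users.items()}


def crack_weak(store: dict) -> tuple:
    """Build ONE lookup table from the wordlist and match every user against it.
    Cost is len(WORDLIST) hashes no matter how many users are in the dump."""
    table = {weak_hash(word): word for word in WORDLIST}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(table)


# --- Hardened scheme: per-user random salt + slow KDF -------------------

# Demo value chosen to keep the example fast. OWASP currently recommends
# 600,000 iterations for PBKDF2-HMAC-SHA256; scrypt or Argon2id are preferred
# where available.
ITERATIONS = 100_000


def hardened_hash(password: str, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt. The salt and the
    iteration count are stored next to the derived key in a self-describing
    string (hypothetical format, assumed for this example)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def hardened_store(users: dict) -> dict:
    return {user: hardened_hash(pw) for user, pw in users.items()}


def crack_hardened(store: dict) -> tuple:
    """No shared table is possible: each (user, word) pair needs its own slow
    derivation, so cost is len(users) * len(WORDLIST) KDF runs."""
    cracked, kdf_calls = {}, 0
    for user, stored in store.items():
        for word in WORDLIST:
            kdf_calls += 1
            if verify(stored, word):
                cracked[user] = word
    return cracked, kdf_calls


if __name__ == "__main__":
    weak = weak_store(USERS)
    print("weak: alice and bob share a hash?", weak["alice"] == weak["bob"])
    print("weak: cracked, hashes computed =", crack_weak(weak))
    hard = hardened_store(USERS)
    print("hardened: alice and bob share a hash?", hard["alice"] == hard["bob"])
    print("hardened: cracked, KDF runs =", crack_hardened(hard))
```

The dictionary still recovers the weak passwords in both schemes, which is the point: salting does not rescue a bad password, but it removes the attacker's ability to amortize one table across a whole dump, and the slow KDF makes every one of those per-user guesses expensive. A requirements checklist can ask "is each password hashed with a unique salt and a slow KDF?" and get a yes-or-no answer; a black-box test of the login page cannot.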
There are plenty of security issues that we’ll simply never catch or fix if we continue to rely exclusively on testing and static analysis. Secure Application Lifecycle Management is one scalable, consistent way to bring visibility to these kinds of issues.