LinkedIn Isn’t an Isolated Case

By now you’ve probably heard about the disclosure of unsalted, hashed passwords from LinkedIn and possibly other sites. While it’s not immediately clear how attackers got hold of the password hashes, several people in the security community have pointed out that LinkedIn did not follow best practices for password storage: without a per-user salt, every account that shares a password shares a hash, and a single precomputed table of hashes cracks the whole dump at once.

This deviation from best practices is far from rare. Any experienced security practitioner can tell stories of other, supposedly security-sensitive organizations with the same or even more lax password storage practices. There are many possible reasons for this, but I’d like to offer two major root causes:

• In the widely accepted “test ourselves secure” approach, vulnerabilities that can’t be identified during penetration tests or automated static analysis never get fixed. Unsalted password storage is a textbook case: nothing about the login page reveals how the hashes are stored, and a static analyzer has no way of knowing that a salt was required in the first place
• Very few organizations invest in security requirements. Hashing and salting passwords is a very well-known security requirement. Organizations that track adherence to security requirements can identify and actively track deviations
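
To make the requirement concrete, here is an added example (not code from the original post or from LinkedIn) that puts the weak pattern next to the conformant one: a bare, unsalted SHA-1 of the password versus a random per-user salt fed to an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library). It also runs the same constructed wordlist against both storage formats and counts how much work each costs the attacker, and includes a small record check of the kind a requirements tracker could run over a user table. The account names, passwords, wordlist and the `pbkdf2_sha256$…` record layout are all this example’s own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts; two users happen to share a password.
USERS: List[Tuple[str, str]] = [
    ("alice", "Summer2012!"),
    ("bob", "Summer2012!"),
    ("carol", "correct horse battery staple"),
]

# Constructed attacker wordlist.
WORDLIST = ["password", "123456", "Summer2012!", "linkedin"]


def hash_unsalted_sha1(password: str) -> str:
    """The weak pattern: one SHA-1 of the password, no salt, no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                       iterations: int = 100_000) -> str:
    """Requirement-conformant pattern: random per-user salt plus an iterated KDF.

    Record layout 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' is this
    example's own convention (not a standard) so the parameters travel with the hash.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attack on unsalted storage: hash each candidate once, then look every user
    up in the table. Returns (cracked users, number of hash computations)."""
    table = {hash_unsalted_sha1(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in records.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same wordlist against salted records: the per-user salt forces one slow
    derivation per candidate per user, so no shared lookup table is possible."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, record in records.items():
        for candidate in wordlist:
            work += 1
            if verify_salted_pbkdf2(candidate, record):
                cracked[user] = candidate
                break
    return cracked, work


def audit_record(record: str) -> List[str]:
    """Deviation check for a requirements tracker: flag a stored credential that
    is a bare 40-hex-digit string (the shape of an unsalted SHA-1) or that carries
    no algorithm/salt fields at all. Returns a list of findings (empty = clean)."""
    findings = []
    if len(record) == 40 and all(c in "0123456789abcdef" for c in record.lower()):
        findings.append("bare SHA-1-shaped hash: no salt, no work factor")
    elif "$" not in record:
        findings.append("no parameter fields: algorithm and salt unknown")
    return findings


if __name__ == "__main__":
    weak = {u: hash_unsalted_sha1(p) for u, p in USERS}
    strong = {u: hash_salted_pbkdf2(p) for u, p in USERS}
    print("alice/bob unsalted hashes equal:", weak["alice"] == weak["bob"])
    print("alice/bob salted records equal:  ", strong["alice"] == strong["bob"])
    print("unsalted crack:", crack_unsalted(weak, WORDLIST))
    print("salted crack:  ", crack_salted(strong, WORDLIST))
    for user in weak:
        print(user, "audit findings:", audit_record(weak[user]) or "none")
```

The point the counts make is the one that matters for the LinkedIn dump: against unsalted hashes the attacker pays for the wordlist once regardless of how many accounts leaked; against salted records every account is a separate job, and the iteration count multiplies the cost of each. PBKDF2 is used here because it ships in the standard library; a dedicated password hash such as bcrypt, scrypt or Argon2 is the usual choice in production.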

There are plenty of security issues that we’ll simply never catch or fix if we continue to rely exclusively on testing and static analysis. Secure Application Lifecycle Management, where security requirements are written down and adherence to them is tracked across the lifecycle, is one scalable, consistent way to bring visibility to these kinds of issues.
