You may have seen news that security researchers say they have uncovered further vulnerabilities in TalkTalk's website and email services that could allow hackers to steal email addresses, passwords and financial data due to basic oversights. Paul Farrington, senior solution architect at Veracode, has the following comments on it.
Paul Farrington, Senior Solution Architect at Veracode:
"It is completely unacceptable that after being breached using a common vulnerability, TalkTalk has not taken sufficient steps to remediate the remaining vulnerabilities in its website and email services. SQL injection, by which the last attack was achieved, has been around for over a decade and regularly features on the OWASP Top 10 list (the widely accepted standard for application security), which has already led many in the cybersecurity industry to question whether the company ought to be liable for not having taken the necessary steps to find and remediate this well-known vulnerability.
Companies have a responsibility to do their cyber due diligence. They must ensure that they are taking the appropriate measures to safeguard customer data. This is especially important after a breach, when the weaknesses in their IT environment have been exposed and their customers have already endured the stress and potential fraudulent acts from their personal information being made public. TalkTalk is likely to have taken a number of steps to improve its security posture in the wake of the reported breach. Unfortunately, it does not appear to be closing the gaps quickly enough. Attackers will be paying particular attention to TalkTalk, and in general to other retail sites at this time of year. We would hope that Ofcom is applying appropriate scrutiny to the TalkTalk incident, recommending expert advice and capability from the cybersecurity community as a high priority."

About Veracode:
Veracode is a leader in securing web, mobile and third-party applications for the world's largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market without compromising security. Veracode's cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures. Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes' 100 Most Valuable Brands.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.