PARIS, Dec. 10, 2013 /PRNewswire/ — Nearly half a million of JPMorgan prepaid cash cards customers may have had their personal information accessed by hackers who attacked the JP Morgan website between July and September. Looking at the JPMorgan report, everything has been done right: All sensitive user content was encrypted in their database and all standard protection measures were in place. So what went wrong? A common developer mistake, one application component wrote some sensitive information into a log file, which was later breached.
(Photo: http://photos.prnewswire.com/prnh/20131210/PH30425-INFO-a)
(Logo: http://photos.prnewswire.com/prnh/20131210/PH30425LOGO-b)
This case emphasizes the need for correlating data security and application security. JPMorgan very likely spent a substantial amount of resources securing their applications. However, most application security solutions today focus only on the code, rather than looking at both code and data, and are therefore blind to issues such as in this case without a specific configuration.
So, what can one take from this incident? Always remember the obvious reality – application security and data security go together hand in hand. Your applications are handling your most sensitive data and your application security must therefore focus on how it interacts and affects your data on your runtime environment. Relying on application security solutions monitoring only the code at rest is simply not enough.
At Quotium, we believe that data and application security are inseparable. For this reason, one of the most important tests our solution, Seeker®, does, is tracking all sensitive data flows throughout the application, identifying any potential leakage of such data, whether through a log file, as with the JPMorgan case, through insecure third parties or even by leaking it back to the user. That is why we were not surprised with the JPMorgan incident – we see these kinds of problems every day.
About Quotium
Quotium Technologies is a specialist in the development of innovative software solutions to build highly secured and robust applications. Quotium is an Interactive Application Security Testing (IAST) pioneer with its application security testing software Seeker. Seeker runtime code and data security analysis technology increases the accuracy of application testing by combining the detection of potential vulnerabilities with verification through real-time exploit attempts.
Press contact:
Elsane Guglielmino
+33.149.04.70.60