Although many start-ups suffer from a lack of security policies and procedures due to the perceived notion that other things need to take priority over security, it is not uncommon among more established organizations to lag in this area too. Even organizations that have security policies will often not have sufficiently detailed or up-to-date application security policies and procedures, resulting in weaker security and privacy. The Federal Trade Commission (FTC) announced [1] that Uber agreed to implement a comprehensive privacy program that requires independent, periodic audits done by an approved third-party because Uber failed to live up to claims that they took reasonable steps to protect personal data.

Weak or Non-Existent Security Practices

The FTC ruling noted that Uber security practices failed to provide reasonable security to prevent unauthorized access to clients’ personal information in databases in an Amazon S3 Datastore. Engineers and programmers were not required to use distinct access keys to access personal information stored in the cloud. Instead, they used a single key that gave them full administrative access to all the data. Access to systems was not restricted based on employees’ job functions. Multi-factor authentication was not required to access the data, and sensitive consumer information was stored in plaintext in database back-ups stored in the cloud. Until September 2014, Uber failed to have a written information security program and failed to implement reasonable security training and guidance.

Due Care Security Practices

When an organization makes claims about the security of their systems and data, they need to be backed up with written documentation (policies and procedures) and tangible actions to ensure that systems and data are sufficiently protected as per the claims. The FTC found that Uber’s claims of implementing “…a strict policy prohibiting all employees at every level from accessing a rider or driver’s data” and that “…access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis...” [2] were not accurate. There was a failure to implement sufficient “due care” security practices at that time to support the privacy and security claims.

Due care is a legal term of art, which “…refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.” [3]

Although there is no formal definition of what due care application security activities consist of, there is a large body of publicly available knowledge including the OWASP Top Ten and other regulations nad standards that describe the types of controls and activities that should be done. [4] [5] [6]. Interestingly, the FTC in other rulings has specified the types of due care application security activities they are expecting. [7] [8]

Lessons Learned

Organizations should be reserved in making claims about security and privacy if they aren’t being done in a manner that would be commensurate with reasonable expectations. Otherwise, it’s important to ensure that security and privacy claims are actually being met with the appropriate level of security controls and procedures.

It’s less expensive to build security in from the outset.  As the FTC complaint noted, “Respondent could have prevented or mitigated the failures … through relatively low-cost measures.”  Uber is now required to have an independent privacy audit every two years which will be expensive and time-consuming.

Additional measures to reduce risk include:

  • Continuously grow and improve the application security program as the organization grows. Technologies, systems, and attacks are constantly changing, and the application security program needs to adapt to those changes.
  • Staff generally want to do the right thing, but they can only do so by having documented security policies and procedures that are comprehensive and up-to-date.  General information security policies and procedures are not sufficiently detailed for development teams.  You need to have more contextual and technology specific application security policies and procedures as well.
  • Since employees are needed to design, build, and test applications anyway, hire security-knowledgeable developers and testers or bring in consultants as temporary staff with the right application security skillsets. Make sure job descriptions include secure coding and testing requirements.
  • Where the team lacks deep security knowledge, provide role-based training to get them up to speed. This means providing an understanding of the kinds of attacks systems and data are likely to encounter, how to architect secure systems, how to code securely, and how to conduct threat-based application security testing.
  • Ensure that software and systems are built using a consistent Software Development Lifecycle (SDLC) with security engineering activities integrated throughout, including threat modeling, code reviews, and penetration testing.
  • Institute a bug bounty program. Depending on the size of your teams and the amount of code, an internal test team may not be sufficient. A bug bounty program is part of a comprehensive plan and not an alternative for actual penetration testing.
  • Conduct scheduled security audits by third professionals who have the experience and neutrality to understand how your applications are putting you or your customers at risk.  

The lessons from Uber are valuable for all types of organizations.  Building secure software and protecting the critical data that it’s storing and processing requires well defined policies and procedures and a high-level mandate.

 [1] The settlement: https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_decision_and_order.pdf

[2] The complaint: https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf

[3] http://definitions.uslegal.com/d/due-care/

[4] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

[5] https://blog.securityinnovation.com/new-york-state-adds-application-security-requirements-to-its-cybersecurity-regulation

[6] www.ipa.go.jp/files/000028853.pdf

[7] https://blog.securityinnovation.com/ftc-issues-sanctions-for-insecure-software

[8] https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business