Banks and vendors should share software vulnerability responsibilities

Last Friday, security firm Pen Test Partners exposed a vulnerability in software that UK bank RBS recommends and offers to its corporate customers for free.

Heimdal Security, vendor of the software in question, Thor Foresight Enterprise, responded immediately to the vulnerability and issued a fix within three weeks, according to a press release. But Paul Farrington, EMEA CTO of Veracode and former CTO of Barclays business banking innovation, believes RBS is just as responsible for ensuring the security of the product.

An RBS spokesperson said in an emailed statement that “fraud, scams and cybercrime that exist online continues to be an absolute priority”.

“Maybe the legal buck stops with Heimdal Security,” says Farrington, “but the moral buck stops with RBS. For all the bank’s good intentions, it needs to ensure the vendors they’re working with are doing the right thing and they can evidence that every stage of the chain is secure.”

When asked to provide clarity on Heimdal’s check process, the firm’s CEO Morten Kjaersgaard responded: “To speculate that checks are intentionally left out is absurd. This was a major version release, for all our customers – a release process we intentionally cautiously perform in a slowly incremental fashion over the course of weeks after QA is completed.

“What happened here is that the QA check for correct encryption was accidentally missed, which should naturally not happen. Heimdal has to date performed on-going pen-testing of our product and this process has now been further amplified, so that pen-testing is now performed before each version is released to production, whether minor or major.”

Mitre’s comprehensive industry list of common vulnerabilities and exposures (CVE) describes the issue as: “Heimdal Thor Agent 2.5.17x before 2.5.173 does not verify X.509 certificates from TLS servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.”

Heimdal Security has reported that the vulnerability was live for three weeks affecting 50,000 PCs, but Pen Test Partners stated the number could be closer to 650,000 PCs.

The RBS spokesperson said the issue could apply to 1,000 NatWest customers who were early adopters of the software, none of whom have suffered any adverse consequences, according to the banking group.

According to Farrington, certificate checks are widely missed across the industry.

“If we broaden the aperture beyond RBS and Heimdal, we’re seeing software go into production where this type of certificate checking is not taking place,” he says.

In 2018, 63.7% of all software applications analysed by Veracode contained cryptographic issues, according to the company’s data, while 43% mismanaged credentials.

“The evidence is pretty prevalent in software today. There may be a higher proportion in legacy software but even so, with modern applications being developed with these misintegrations and vulnerabilities that go into production,” says Farrington.

Nevertheless, RBS issued support for the vendor: “We remain of the view that this software is a robust solution for our customers, and we will continue to work closely with Heimdal to ensure that we are able to provide our customers with the best possible protection online.”
