News broke this week that the PumpUp fitness app left a core backend server housed on Amazon Cloud exposed without a password, revealing user health data like weight, height, goals, etc., private messages and even credit card data in certain instances. Each time a user sent a message to another user, the app exposed user profile data — and the private contents of that message.
The now secured server acts as a messaging broker, directing private messages and user requests to other app users. The protocol is transitory, so anyone can see the real-time stream of data, rather than accessing a centralized data store. Eric Sheridan, Chief Scientist at WhiteHat Security comments on the leak below.
Eric Sheridan, Chief Scientist at WhiteHat Security:
“This level of data exposure emphasizes why it’s so important for developers to consider security throughout the software development lifecycle (SDLC). We in the security community want developers to practice safe coding techniques; we want to insert the security tools we’ve come to rely on into the developer’s workflow, call it DevOps, and call it a day.
The problem with imposing a static application security testing tool into the developer’s process is that some of these tools produce hundreds of false positives. Are your developers trained on it, or do they have time to figure out what’s a real vulnerability and what’s not? Once they’re confronted with true vulnerabilities, how are they going to go about fixing them? You might have the training to fix vulnerabilities, but the developer does not. Worst of all from the developer’s standpoint: taking the time to fix vulnerabilities throws off the whole application delivery timeline. Any extra step comes across as something that’s going to slow them down.
What is really needed is to empower developers to code using security best practices in mind, right from the get-go, with proper training and even security certifications.”