Facebook dominates the social media universe, and it’s surprising to me that they didn’t do their due diligence on the secure file transfer (SFT) vendor. Sending files securely sounds pretty simple, but there’s quite a bit of complexity and work that goes into making sure your files are locked down, user access is controlled, and your administration is robust. There’s also a balance to strike between security and ease of use. The two are usually opposing goals, but it can be done (à la Biscom Delivery Server’s SFT solution).
The flaw, which Nir Goldshlager (@nirgoldshlager) discovered, enabled him to use the password reset procedure to reset the password of any Accellion account! That’s scary. It’s also not the first time Accellion has had security issues: Rapid7, a vulnerability management and penetration testing company, had reported problems before. But the fact is that security is complex and time-consuming, and there are always people complaining about the extra steps needed to access their accounts or reset their passwords.
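The post doesn’t say how the Accellion reset could be turned against other accounts, so nothing below claims to reproduce that bug. What follows is an added example, not code from the original post or from Accellion or Biscom: a minimal password-reset service with the checks a reset endpoint needs so that a token issued for one account can never reset another. The class of flaw described above is exactly what those checks prevent. The token lifetime, the PBKDF2 work factor, and the in-memory user store are assumptions made for the example.

```python
"""Password-reset flow with the checks that keep a reset token from being
turned against an account it was not issued for.  Added example, not code
from the original post or from any vendor it mentions; the design is generic."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a 15-minute reset window
PBKDF2_ROUNDS = 200_000       # assumption: work factor for password hashing


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt, stored as salt$hash (hex)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    # Constant-time comparison so a verifier leaks nothing about the stored hash.
    return hmac.compare_digest(stored, hash_password(password, bytes.fromhex(salt_hex)))


@dataclass
class User:
    username: str
    password_hash: str


@dataclass
class ResetRecord:
    username: str      # the account this token was issued for
    expires_at: float
    used: bool = False


class ResetService:
    """Issues and redeems reset tokens. `clock` is injectable so expiry can be tested."""

    def __init__(self, users: list[User], clock=time.time):
        self.users = {u.username: u for u in users}
        # Only the SHA-256 of each token is stored, so a leaked table cannot be replayed.
        self.resets: dict[str, ResetRecord] = {}
        self.clock = clock

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str) -> Optional[str]:
        """Returns the token to send to the account's registered address, or None.
        A real endpoint would respond identically either way to avoid user enumeration."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self.resets[self._token_hash(token)] = ResetRecord(
            username=username, expires_at=self.clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        """The checks that matter, in order: the token exists, it was issued for *this*
        account (never trust a client-supplied username on its own), it is unexpired,
        and it has not been redeemed before."""
        record = self.resets.get(self._token_hash(token))
        if record is None:
            return False
        if not hmac.compare_digest(record.username.encode(), username.encode()):
            return False
        if self.clock() > record.expires_at or record.used:
            return False
        record.used = True   # single use; marked before the password write
        self.users[username].password_hash = hash_password(new_password)
        return True
```

The point of binding the record to the issuing account is that the username on the reset form is attacker-controlled input; the only thing the server should trust is the account it wrote down when it minted the token. Hashing the token before storage, expiring it, and burning it on first use close the remaining replay and brute-force paths.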
At Biscom, security is our number one concern, and we’ve implemented a layered approach. It starts with a three-tier architecture that keeps user data in the lowest and most protected tier; a security choke point that checks every request to any SFT function; Microsoft Active Directory integration for policies and user management; 256-bit AES encryption for data at rest (AES is NIST-approved, and FIPS 140-2 certification of our cryptographic module is in progress); and secure coding practices that harden the application against SQL injection, cross-site scripting, buffer overruns, and other vulnerabilities. We also perform penetration testing before every release to make sure our software is not susceptible to malicious attacks. It’s a long process, and it takes a meticulousness that some vendors may not have. In fact, we’ve had penetration testing companies buy Biscom SFT, and if that isn’t a vote of confidence, I don’t know what is.
It’s unclear right now whether there’s been any lasting damage at Facebook, but hopefully not. In fact, it was probably a good thing that Nir Goldshlager brought this to Facebook’s attention. And in some ways it’s good for Accellion too: as I said, security is not easy, and sometimes you have to learn things the hard way.