
LabVantage 8.6: Hackathons, OWASP and LIMS Security

Cybercrime has been on the rise for years – and 2020 saw a dramatic spike. One report found that cybercrime was up 600% due to COVID-19. Not concerned yet? Check out some of these alarming statistics:

  • 230,000 new malware samples are produced every day — and this is predicted to only keep growing.
  • Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defense.
  • Over 18 million websites are infected with malware at any given time each week.
  • 34% of businesses hit with malware took a week or more to regain access to their data.
  • Damage related to cybercrime is projected to hit $6 trillion annually this year.
  • The SolarWinds hack, allegedly carried out by Russian intelligence, breached NATO, the U.K. government, the European Parliament, the U.S. Treasury Department, Dept. of Defense, the Energy Dept. and many other agencies. This single hack could potentially cost cyber insurance firms at least $90 million.

Now, I know many of you are probably visualizing Matthew Broderick inching us to the brink of nuclear annihilation in Wargames, while others are imagining the latest PlayStation console hack, or Mr. Robot. Because of this rise in cybercrime, in 2020 LabVantage organized an internal hackathon to probe the security of our LIMS infrastructure.

Admittedly, our LIMS hackathon won’t show up in an episode of Black Mirror, but we did probe the LabVantage platform, identify weaknesses and resolve them to better ensure your security.

LabVantage Cybersecurity

The security of our LIMS platform has always been a key consideration during our research and development activities. Increasingly sophisticated attacks, coupled with increasing exposure via internet connections, cloud services and SaaS, have made security considerations more important than ever for our industry.

Tracking the OWASP Top Ten

Because LabVantage is a web-based system which uses a browser, OWASP Top 10 comes up frequently when we talk to customers and prospects.

Founded in 2001, the Open Web Application Security Project (OWASP) is a community-led open-source software project which produces articles, documentation, tools and technologies to improve web application security. They publish a regularly updated OWASP Top Ten list to identify the top current critical risks. OWASP represents a broad consensus about critical security risks found in web-based applications. Here’s the current OWASP Top Ten list:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

The 2020 LabVantage ‘White Hat’ Hackathon

White hat hackers (the “good guys”) are commonly used to perform penetration testing. LabVantage team members acutely familiar with the platform – working with information provided by the security teams of our customers – spent a week probing LabVantage LIMS for vulnerabilities. The R&D team was split into two groups, which competed to find malicious code or other vulnerabilities. While external penetration teams can help identify exploits, our R&D team knows the platform – and any potential weaknesses – better than anyone.

What were the top two vulnerabilities the R&D hackathon evaluated?

  • Cross-site scripting (XSS)
    Cross-site scripting occurs when an attacker injects script or executable code into the database or requests, which an unsuspecting user then executes. While LabVantage LIMS already had a methodology in place to prevent most of these types of attacks, the hackathon identified several additional vulnerabilities which have subsequently been hardened.
  • Cross-site request forgery (CSRF)
    Cross-site request forgery also involves an attacker exploiting a URL or a link that a user will inadvertently execute. While LabVantage already had a token-based system in place to avoid this type of attack, we’ve subsequently added the token-based system to our Ajax requests as well, to provide protection for the entire application.
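
The token check described above, sketched as an added example (this is not LabVantage code). It shows one server-side rule applied to form posts and Ajax calls alike; the field name `csrf_token`, the header name `X-CSRF-Token` and the session identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed here)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods need no token


def _mac(session_id: str, nonce: str) -> bytes:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(session_id: str) -> str:
    """Return a token bound to one session: random nonce + HMAC over both."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce).decode()}"


def token_is_valid(session_id: str, token: str) -> bool:
    nonce, _, sent_mac = (token or "").partition(".")
    if not nonce or not sent_mac:
        return False
    # Constant-time comparison on bytes avoids leaking how much matched.
    return hmac.compare_digest(_mac(session_id, nonce), sent_mac.encode())


def check_request(method: str, session_id: str, form: dict, headers: dict) -> bool:
    """Accept a request only if it is read-only or carries a valid token.

    Form posts carry the token in a hidden field, Ajax calls in a header.
    A request that merely looks like Ajax gets no exemption.
    """
    if method.upper() in SAFE_METHODS:
        return True
    token = form.get("csrf_token") or headers.get("X-CSRF-Token", "")
    return token_is_valid(session_id, token)
```
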

The hackathon successfully identified several potential issues which have subsequently been addressed.

Here are a few of the other steps we’ve taken to enhance the security of LabVantage LIMS:

  • The use of SonarQube to scan our source code for potential vulnerabilities. SonarQube provides continuous inspection of code to detect bugs, code smells and security vulnerabilities on a wide range of programming languages.
  • We’ve adopted a progressive approach to identify potential exploits. To this end, LabVantage is also implementing a Certified Ethical Hacker prep training course for our developers. The objective is to ensure everyone is trained to recognize and avoid cross-site scripting and SQL injection issues in our system.
  • We use ‘magic byte’ detection (a list of file signatures and data used to identify or verify file contents) to make sure a malicious file can’t be uploaded, and that each uploaded file’s content matches its MIME type or file extension.
  • We’ve reviewed and upgraded all our third-party libraries. This is always done as part of a major release, but we wanted to ensure legacy libraries and their dependent plugins were upgraded as well.
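
The ‘magic byte’ check from the list above, sketched as an added example (this is not LabVantage code). The signature table, the blocked list and the sample uploads are constructed for illustration; a real deployment would carry a longer table.

```python
import os

# Leading-byte signatures: (magic, detected type, allowed extensions, MIME type).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}, "image/png"),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}, "image/jpeg"),
    (b"%PDF-", "pdf", {".pdf"}, "application/pdf"),
    (b"GIF87a", "gif", {".gif"}, "image/gif"),
    (b"GIF89a", "gif", {".gif"}, "image/gif"),
]
# Content that is never accepted, whatever the file name claims.
BLOCKED = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}

# Constructed sample uploads (header bytes only, not real files).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 16


def sniff(data: bytes):
    """Return (type, extensions, mime) for the first matching signature."""
    for magic, kind, exts, mime in SIGNATURES:
        if data.startswith(magic):
            return kind, exts, mime
    return None


def validate_upload(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason) for one uploaded file."""
    for magic, label in BLOCKED.items():
        if data.startswith(magic):
            return False, f"blocked content: {label}"
    hit = sniff(data)
    if hit is None:
        return False, "unrecognised file signature"
    kind, exts, mime = hit
    ext = os.path.splitext(filename)[1].lower()
    if ext not in exts:
        return False, f"extension {ext or '(none)'} does not match {kind} content"
    if declared_mime.split(";")[0].strip().lower() != mime:
        return False, f"declared type does not match {kind} content"
    return True, kind
```

A signature check only inspects the leading bytes, so it works alongside extension and MIME checks rather than replacing them.
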

While it’s good to have an extremely knowledgeable R&D person within LabVantage take a hack at our software, it’s so important to have a third party take a look at our findings and identify potential flaws. To this end, LabVantage has partnered with a third-party organization called Compass to ensure penetration testing is performed regularly and objectively.

Cybersecurity continues to be a growing concern. It is relevant to all of us – both as individuals and as organizations – affecting virtually all markets and organization sizes. As platforms continue to evolve away from isolated, on-premise silos to global, web-based accessibility, security will continue to be a priority in the years to come.

Learn more about the LabVantage LIMS platform.