The cybersecurity awareness problem: Get your business team up to speed

The digital economy is booming, but awareness of its risk is not. Why the disconnect? To find out, my company recently surveyed more than 1,000 business leaders across the UK, the US, and Germany about their companies’ digital transformation initiatives and understanding of cybersecurity.

Not surprisingly, one in five business leaders indicated that their software budget had increased 50% or more over the past three years. That’s a lot of new software, and a lot of new risk; Verizon recently reported that 40% of breaches are caused by web apps, the largest cause by far.

How are business leaders addressing this new risk that their initiatives are introducing? Based on the survey, not well. Most of the respondents didn’t even understand software security risk, never mind address it.

In fact, only half of business leaders surveyed fully understand the risk that vulnerable software as a whole poses to their business. Clearly, business leaders need to bump up their awareness of application security to match their application investments.

Get business leaders up to speed on cybersecurity issues and you'll be able to shift your team's focus to secure code. Here's how.

 

 

Application Security Research Update: The State of App Sec in 2018

Big security breaches and what caused them

Surprisingly, most business leaders are not following the headlines about damaging security breaches. Our survey found that only 28% of business leaders had heard about the Equifax breach that impacted 145 million US consumers. Yet understanding how breaches are happening is key to optimizing your security investments.

In the case of Equifax, the breach was caused by a known vulnerability in an open-source component that was not updated by Equifax for months. With the insight that this incident provides about the risk of open-source components, organizations could make dramatic changes to their security posture.

Another example: In 2014 and 2017, cybercriminals exploited a persistent cross-site scripting (XSS) vulnerability in the eBay website that led to a cascade of costly fraudulent activity on the auction site. This breach highlights that fact that XSS vulnerabilities are not just a theoretical threat, but are also being actively exploited by cyber attackers.

Considering that, among the applications we scanned in 2017, 40% had XSS vulnerabilities, eradicating such flaws is a worthy investment.

The role developers play in secure code

Developers don’t want to create insecure code, but most simply don’t have the knowledge or training needed to avoid introducing vulnerabilities. We recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com and found that fewer than one in four developers or other IT pros were required to take a single college course on security. And once on the job, 68% of developers and IT pros say their organizations don’t provide them adequate training in application security.

But investing in developer training will go a long way toward improving your risk posture. In fact, our scan data reveals that those organizations that provide developers with e-learning on secure coding see a 19% improvement in fix rates. Those that provide developers with remediation consulting, which provides analysis and advice to developers alongside the scan results, see a whopping 88% improvement in an organization’s fix rate.

The risk of open-source components

Speaking of developers, it’s important to understand that most are not creating all their code from scratch, but pulling open-source components off the web. As we highlighted above regarding the Equifax breach, this practice ups your risk. But our recent survey of business leaders also found that fewer than a third (32%) understand the risk that vulnerable open-source components pose to their organization.

This is especially disturbing considering that our most recent State of Software Security (SoSS) report, based on application security testing data from our 2017 scans, found that 88% of Java applications have at least one component-based vulnerability. One way to reduce this risk is to employ software composition analysis technology.

With this technology in place, organizations can keep track of which open-source components they are using, and where. In turn, when a big vulnerability in an open-source component hits the news (remember Heartbleed?), they can quickly find out where they are vulnerable and patch or update.

The threats to your industry, and your programming languages

Get the most bang for your security buck by targeting the security issues most likely to appear in your particular environment. For instance, again pulling from our SoSS data, we found this year that almost 50% of healthcare organizations have applications with cryptographic issues, while 50% of government organizations have XSS vulnerabilities in their software.

Different languages feature different vulnerabilities as well. This year, we found that 47% of applications written in PHP had a SQL injection flaw, and 43% had a XSS flaw. Meanwhile, 31% of .NET applications had SQL injection flaws and just 14% had XSS flaws.

Application security standards and regulations

If you don’t know anything about application security, or where to start, look to standards and regulations. Understanding and focusing on the threats that regulators and governing bodies consider to be the most pressing is an excellent jumping-off point.

Begin with any industry-specific security regulations (for example, HIPAA for healthcare, or NY DFS for financial regulations). Beyond industry-specific guidelines, start with the OWASP Top 10—it was recently updated and is widely recognized as the gold standard app sec policy.

The importance of prevention

Responding to incidents is not enough; you have to prevent. This is really the crux of the application security issue. Cyber attackers will find and exploit vulnerabilities in your code much faster than you can find and fix the issue. Take the recent WannaCry attack, which did major damage in a short period of time.

A strategy of “detect it and contain it as quickly as possible” would not have been effective; the damage was already done. Understanding this and shifting your focus, and dollars, to creating secure code in the first place will do more than anything else to reduce your risk.

 

 

Topics: Security