Software underpins almost every aspect of our lives these days, from controlling the devices in our homes and offices to running the e-commerce and transport systems we shop and commute with every day, writes Paul Farrington, Manager, EMEA Solution Architects at web, mobile and application security company CA Veracode.
Unfortunately, this growing dependence on software has brought a concomitant increase in cyberattacks on public organisations, multinational companies and, most worryingly, on critical services and infrastructure such as nuclear power plants and other energy suppliers. In this context, it is not surprising that nearly half (46 per cent) of all British businesses suffered a data security breach between April 2016 and April 2017. Exploiting application vulnerabilities is one of the main strategies attackers use to compromise corporate IT systems, which is why it is alarming that so many enterprises still do not have proper application security testing programmes in place.
CA Veracode recently released its 2017 State of Software Security (SOSS) report, a comprehensive overview of application security testing data drawn from code-level analysis of over 250 billion lines of code, representing more than 400,000 assessments performed over a 12-month period for more than 1,400 customers. Our researchers used the OWASP Top 10, the list of the most critical web application security risks published by the Open Web Application Security Project, as the baseline for their initial risk assessment. It is compiled to give developers and security professionals essential guidance, and the Top 10 categories are dangerous precisely because they are the common avenues that criminals use to plant malware, steal confidential data or, in the worst cases, take over an organisation's network or web servers.
Perhaps most shocking is that 83 per cent of the organisations featured in the SOSS report had released code into the wild before testing it properly or resolving any security issues found.
Alongside other trends such as vulnerability fix rates and the high proportion of applications with vulnerabilities, the SOSS report clearly shows the pervasive risk from open source components: 91 per cent of Java applications contained at least one component with a known vulnerability, exposing them to attacks that target that component wherever it is deployed.
One defining trend of modern software development has been the incorporation of third-party libraries, so securing software that relies on open source is increasingly vital. Developers need to know which components, and which versions of them, each application uses, and to track that inventory methodically over time, including where those applications are deployed. With that inventory in place, a newly disclosed vulnerability in a component can be traced quickly to every affected application and patched.
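As an added illustration of the inventory approach described above (this is example code, not CA Veracode's tooling or anything from the article), the script below builds a component inventory from Maven pom.xml files and matches it against a list of advisories with affected version ranges, so that the question "which of our applications ship this component, and at which version?" can be answered immediately. The two applications, their dependencies and the advisories (including the ADV-EXAMPLE identifiers) are all constructed for the example; the version handling deliberately resolves `${property}` references and flags dependencies whose version is not declared in the POM, two common reasons real inventories come up short.

```python
"""Component inventory check for Java applications (added example, not the article's code).

Everything below is constructed: the applications, the components and the
advisory IDs are hypothetical and do not refer to real projects or CVEs.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Constructed pom.xml contents for two hypothetical applications.
# orders-service declares one version via a Maven property; billing-portal
# leaves json-util's version to a parent/BOM, which the POM alone cannot resolve.
POMS = {
    "orders-service": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><parser.version>1.9.0</parser.version></properties>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>widget-lib</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>xml-parser</artifactId><version>${parser.version}</version></dependency>
  </dependencies>
</project>""",
    "billing-portal": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>widget-lib</artifactId><version>2.5.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>xml-parser</artifactId><version>1.9.0-beta2</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>json-util</artifactId></dependency>
  </dependencies>
</project>""",
}


@dataclass(frozen=True)
class Advisory:
    """A constructed advisory: versions in [introduced, fixed) are affected."""
    id: str
    component: str  # "groupId:artifactId"
    introduced: str
    fixed: str


ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "com.example:widget-lib", "2.0.0", "2.4.0"),
    Advisory("ADV-EXAMPLE-002", "com.example:xml-parser", "1.0.0", "1.9.1"),
]


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_version(v):
    """Numeric dotted prefix as a comparable tuple; '1.9.0-beta2' -> (1, 9, 0).

    Qualifiers are ignored, so a pre-release is treated as its base version.
    That is the conservative choice for vulnerability matching.
    """
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def inventory(pom_xml):
    """Return ({'group:artifact': version}, [components with no resolvable version])."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(c.tag): (c.text or "").strip() for c in el})
    found, unresolved = {}, []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        name = f"{fields.get('groupId')}:{fields.get('artifactId')}"
        version = fields.get("version")
        if version and version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1])  # resolve ${property}, None if undefined
        if version:
            found[name] = version
        else:
            unresolved.append(name)  # managed elsewhere: must be resolved from the build, not the POM
    return found, unresolved


def component_usage(poms):
    """Which applications use each component, and at which version."""
    usage = defaultdict(dict)
    for app, xml in poms.items():
        comps, _ = inventory(xml)
        for comp, ver in comps.items():
            usage[comp][app] = ver
    return dict(usage)


def is_affected(version, adv):
    return parse_version(adv.introduced) <= parse_version(version) < parse_version(adv.fixed)


def find_affected(poms, advisories):
    """Return (sorted [(advisory id, app, component, version)], {app: unresolved components})."""
    by_component = defaultdict(list)
    for adv in advisories:
        by_component[adv.component].append(adv)
    findings, unresolved = [], {}
    for app, xml in poms.items():
        comps, missing = inventory(xml)
        if missing:
            unresolved[app] = missing
        for comp, ver in comps.items():
            for adv in by_component.get(comp, []):
                if is_affected(ver, adv):
                    findings.append((adv.id, app, comp, ver))
    return sorted(findings), unresolved


if __name__ == "__main__":
    hits, gaps = find_affected(POMS, ADVISORIES)
    for adv_id, app, comp, ver in hits:
        print(f"{adv_id}: {app} ships {comp} {ver}")
    for app, comps in gaps.items():
        print(f"WARNING: {app} has undetermined versions for {comps}")
```

The unresolved list matters as much as the findings: a component whose version comes from a parent POM or BOM is invisible to a POM-only scan, so an inventory built this way should be cross-checked against the resolved dependency tree from the build itself (for Maven, `mvn dependency:tree`) before it is trusted.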
Closing the skills gap
This is where closing the security skills gap comes in, because your developers play a fundamental role in ensuring that business applications are secure. Right now there is a lack of developer security training, which increases the overall risk that vulnerable code and components are released and used in the wild. As our research highlights, developers are not choosing to ignore software security; they simply do not have the skills or the resources available to them to write secure code.
This is why it is hugely important that more security education for developers is introduced across enterprises, and it demonstrably delivers a return on investment: in our data, developer fix rates increased by 19 per cent where eLearning was used, and remediation coaching improved fix rates by 88 per cent.
Yet 86 per cent of the developers and development managers we surveyed for the 2017 DevSecOps Global Skills Survey told us that their organisation does not spend enough time or money on application security training, a basic oversight that needs urgent attention. For organisations to pay more than lip service to security, they have to equip their own developers with the skills, know-how and resources to deliver it.
With new vulnerabilities discovered constantly, businesses must take responsibility for the state of their software and, by extension, for their own and others' cybersecurity. And because security flaws are costly and time-consuming to fix once an application is in production, testing early and often in the development cycle is by far the more cost-effective and productive approach in the long run.