The year 2013 was labeled the “year of the breach.” I guess we were horribly wrong. So far in 2014, we have seen nearly 600 breaches logged in the U.S. alone. This is a global issue that needs more investment and visibility. The recent disclosure that JP Morgan, and possibly several other U.S. banks, had their cyber defenses breached is very alarming. Much of the attention goes to the attackers: what country they come from and what motivations they have. Is it nation-state, monetary gain or hacktivism? Was it an insider attack or contractor negligence? Was it China or Russia? These attacks are happening at unprecedented levels. Most penetrations involve user PCs or servers that are not patched to the appropriate level. A missing patch is, at its root, an application defect: the development of that application missed some essential security aspects in the design and in the code. Bugs were created, found and subsequently exploited to gain a foothold in your home or in the organization you work for. Apps are the gateway. Network security alone can’t protect you from people attacking your applications.
October is National Cyber Security Awareness Month, and I would be remiss if I didn’t distill the massive number of breaches down to a more focused scope. This scope is secure application development. Most of the delight we get from our mobile phones or web experiences is due to wonderfully designed and engineered applications. This drives what we do and how we interact in both our personal and professional lives. However, if not done correctly, applications provide the single biggest gateway into our homes and our organizations for attackers to search out, exploit and pillage our treasure troves and crown jewels of data.
For the past ten years, we have seen a great evolution of platforms. These dynamic ecosystems range from online banking to social media and will soon incorporate autonomous cars. Four states (California, Florida, Michigan and Nevada) have legislation in the works to allow companies like General Motors, Google and Tesla to begin introducing these technological marvels into the wild. These new developments are changing the way we interact with our chariots and ushering in a new era of how we think about logistics. These technologies run on hardware platforms but are driven by application logic as well as designer and developer ingenuity. Elon Musk, CEO of Tesla, has even gone so far as to say that 90 percent of his 2015 cars will have autonomous capabilities. Musk also announced that he is opening up his intellectual property for innovation’s sake. Secure application development will be job number one for Tesla and should be for the other manufacturers.
Application security is of the utmost importance in the requirements and design process. This can’t be an afterthought or bolted on. Quality is more than simply making sure things work correctly. It is also about securing the fabric of the experience and instilling confidence in your users. Engineers have to be trained in secure application development not only in their computer science degree programs, but continuously throughout their careers as new attack vectors evolve. Businesses must invest in training for their developers to allow them to keep current with the latest tactics to engineer security into their apps. Pioneers like Jeff Williams and Dave Wichers have stood tall in driving awareness and action in this space. I first brought them in in 2005 to train our developers on this very important concept.
I think many of the headlines about the recent cyber attacks are overshadowing the fact that the window that is opened for the attacker is usually due to an application that wasn’t coded properly. Open source or proprietary – it doesn’t matter. Organizations need to drive a security mentality deep into their SDLC (Software Development Lifecycle) to minimize the bugs and exploitable flaws that get released. Bugs happen. Critical impact must be minimized. Incorporate vulnerability scanning into your IDE (Integrated Development Environment), and run vulnerability scans against all of your environments (development, test, quality assurance, user acceptance testing and production). Lastly, look at organizations and/or tools that have strong penetration testing platforms and processes to assist. In this way, you can continue to get a picture of the health of the applications as you are moving through the lifecycle. Ultimately, you will be improving the product you are putting in front of your users and customers.
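As an added example (not code from the original post or from any vendor it mentions), here is a toy static-analysis gate of the kind the paragraph above says to wire into the IDE and into every stage of the SDLC: it scans Python source for a few insecure patterns, rates each finding, and fails the build only at or above a chosen severity, so critical flaws are blocked while lower-severity ones are still reported. The rule set, the thresholds and the two source snippets are constructed assumptions for the demonstration; a production scanner (Bandit, Semgrep and similar) works from a parsed AST or data flow rather than line regexes.

```python
"""Toy static-analysis gate for a Python code base (illustrative, not a real
product's rule set). Stands in for the scanner wired into an IDE save hook,
a pre-commit hook and a CI stage; snippets at the bottom are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rank severities so the gate can compare a finding against a threshold.
SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    text: str


# (rule id, severity, pattern, why it matters). Deliberately simple line regexes.
RULES = [
    ("eval-use", "HIGH", re.compile(r"\beval\s*\("),
     "eval() on attacker-influenced input is arbitrary code execution"),
    ("shell-true", "HIGH", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"),
     "shell=True turns argument data into shell syntax (command injection)"),
    ("sql-format", "HIGH",
     re.compile(r"""execute\w*\s*\(\s*(?:f["']|["'][^"']*["']\s*%|\S+\.format\()"""),
     "SQL assembled with %, .format() or f-strings is injectable; bind parameters"),
    ("tls-verify-off", "MEDIUM", re.compile(r"verify\s*=\s*False"),
     "certificate verification disabled; enables man-in-the-middle"),
    ("hardcoded-secret", "MEDIUM",
     re.compile(r"""(?i)\b(?:password|passwd|secret|api_key|token)\s*=\s*["'][^"']+["']"""),
     "credential committed to source; read it from the environment or a vault"),
    ("debug-on", "LOW", re.compile(r"debug\s*=\s*True"),
     "debug mode exposes stack traces and, in some frameworks, a code console"),
]


def scan(source: str) -> list[Finding]:
    """Run every rule over every non-comment line and collect findings."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, severity, pattern, _why in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, lineno, stripped))
    return findings


def gate(findings: list[Finding], block_at: str = "HIGH") -> bool:
    """True if the build may proceed: anything at or above block_at fails it,
    lower findings are reported but do not block (policy, not a slogan)."""
    return all(SEVERITY[f.severity] < SEVERITY[block_at] for f in findings)


def report(findings: list[Finding]) -> str:
    """Human-readable output for the IDE problems pane or the CI log."""
    why = {rule: reason for rule, _s, _p, reason in RULES}
    return "\n".join(
        f"line {f.line}: [{f.severity}] {f.rule}: {why[f.rule]}\n    {f.text}"
        for f in findings)


# Constructed 'before' snippet: one instance of each rule.
VULNERABLE_SRC = '''\
import subprocess, requests
PASSWORD = "hunter2"
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
def run(cmd):
    subprocess.call(cmd, shell=True)
def calc(expr):
    return eval(expr)
def fetch(url):
    return requests.get(url, verify=False)
app.run(debug=True)
'''

# Constructed 'after' snippet: the same functions, written so the rules pass.
HARDENED_SRC = '''\
import ast, os, shlex, subprocess, requests
PASSWORD = os.environ["DB_PASSWORD"]
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
def run(cmd):
    subprocess.call(shlex.split(cmd))
def calc(expr):
    return ast.literal_eval(expr)
def fetch(url):
    return requests.get(url, timeout=5)
app.run(debug=False)
'''

if __name__ == "__main__":
    for label, src in (("before", VULNERABLE_SRC), ("after", HARDENED_SRC)):
        found = scan(src)
        verdict = "PASSES" if gate(found) else "BLOCKED"
        print(f"== {label}: {len(found)} finding(s), build {verdict}")
        if found:
            print(report(found))
```

The same script serves all three places the paragraph names: the IDE runs `scan()` on save and shows `report()` in its problems pane, a pre-commit hook and the CI stage call `gate()` and exit non-zero when it returns False, and the `block_at` threshold is the one policy knob that decides which severities are allowed to ship.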
We can debate all day about what comes first – the chicken or the egg. However, when it comes to application development security versus network/perimeter security, there is no question what comes first, in my humble opinion.
During the month of October, we’re supporting the National Cyber Security Alliance in celebration of Cyber Security Month – an effort that aims to educate organizations and individuals about how to stay safe online. Check out the helpful videos, infographics, blog posts and reports we’ve gathered for you here.