What’s the state of your software?
Cybercrime is felt by businesses up and down the country, with the Information Security Breaches Survey (ISBS) reporting that 81 per cent of large and 60 per cent of small businesses in the UK suffered a cyber-breach in 2014.
Web application attacks remain one of the most common patterns in confirmed breaches, and account for up to 35 per cent of breaches in some industries according to the 2015 Verizon Data Breach Investigations Report. Yet many organisation still only assess a small percentage of their web and mobile applications.
In the face of the repeated high profile breaches of US Office of Personnel Management (OPM), Target and Sony, it may be tempting to throw up one’s hands and give up on building secure applications or fixing vulnerabilities in the applications that have already been deployed. The truth is that most organisations are yet to seriously address this problem. Gartner reported that in 2014, enterprises spent $12 billion securing networks and endpoints — but only $600 million securing applications.
Organisations can significantly reduce their cybercrime risk by remediating application-layer vulnerabilities. Yet, it can be especially hard for companies to know how they fare in this area, with no industry standards defining which criticality of defects are acceptable, or what remediation timeframe is adequate.
Recognising this issue, Veracode recently released a State of Software Security (SOSS) report to show security trends across 34 different markets, organized into seven verticals to help CISOs set a benchmark and make informed decisions about their application-layer risk. The data comes from actual code-level analysis of billions of lines of code, representing more than 200,000 assessments performed over the past 18 months, to provide security professionals with an up-to-date understanding of current trends.
Where do you stand?
Veracode researchers looked to the OWASP Top 10 for their initial risk assessment, which lists the most important vulnerability categories in web applications agreed on by the security practitioners at the Open Web Application Security Project (OWASP). When applying this to different industry verticals, the researchers found a wide variety in the pass rate.
Globally, government agencies ranked last among vertical markets, with three out of four government applications failing the OWASP Top 10 when first assessed for risk. This is in part due to many government agencies still using older programming languages, such as ColdFusion, which are known to produce more vulnerabilities.
In contrast, the financial services and manufacturing industries’ attention to software shows that security pays off. These sectors more proactively remediated the majority of their vulnerabilities (65 and 81 per cent respectively) resulting in the greatest number of compliant applications.
What was perhaps most concerning, given the significant amount of sensitive data they hold, is that 80 per cent of the healthcare organisations’ applications assessed exhibited cryptographic issues such as weak algorithms upon initial assessment. To make matters worse, healthcare fared relatively poorly with regards to addressing remediation, remediating only 43 per cent of known vulnerabilities.
Don’t outsource your worries
Organisations that understand the wider threat of insecure applications often outsource their development in a bid to ensure that they might end up more secure. However, the SOSS report consistently showed that commercial software applications aren’t significantly more secure than those developed internally.
Veracode found that internally-developed applications were only slightly more likely to be secure than those commercially-developed (37 and 28 per cent respectively). Organisations must remain vigilant no matter what the source of the application, because in the case of a breach it is their data and reputation on the line.
Once just isn’t enough
With application security, understanding is key. A worrying number of applications (28 per cent) were assessed only once during the 18 period months that Veracode analysed. With new vulnerabilities frequently being discovered, it is essential that organisations continue to assess their applications. In the same breath that stepping onto a bridge doesn’t equate crossing it, taking just a first few cautious steps towards securing applications isn’t enough to keep your corporate data secure.
Organisations cannot afford to neglect assessing and remediating their business and web facing applications, because cybercriminals have caught on and are taking advantage of the ‘head in the sand’ approach taken by many companies. With cyberattacks already costing UK firms £34 billion in revenue losses and subsequent increased IT spending a year, it’s time for businesses to understand the state of their software. There’s too much on the line not to.