The modern-day developer faces an inordinate number of challenges daily. Between constantly fighting to create the most innovative apps to help their product stand out and working to meet tight deadlines, developers juggle many responsibilities. Because of this, security is still one of the last priorities on many developers’ minds as they move through the software development lifecycle.
Even though the number of security breaches was down in 2018 compared to the previous year, the scale of these breaches was unprecedented, with a 126 percent rise in sensitive consumer data exposed in 2018. Despite this, many developers are still hesitant to adopt a security mindset even though they see the headlines of companies being compromised every day. They make the mistake of thinking it could not happen to them.
Similar to how hurricanes often plague the Gulf and East Coast while people in other regions are unconcerned with them, developers do not typically worry about data breaches and other attacks until one affects them directly. If a hurricane were to hit a Midwestern state, people there would be unprepared and the damage would be catastrophic. The same philosophy holds for developers who are not actively incorporating a security approach. Development teams may think they are in a good place until “the big one” hits. One major difference between someone building an app and someone trying to exploit it is that the hacker does not operate under the same constraints: no deadlines, little risk from failure, and the freedom to keep trying for as long as it takes. One weak link is all they need to achieve their intentions.
One must not assume that attackers are only after data. Each hacker may have a different motivation, and some could instead leave your application very slow to respond to real users or make it completely unusable.
At WhiteHat, we strive to help developers for businesses across all industries adopt that security mindset for the entire software lifecycle using a DevSecOps approach. Unfortunately, sometimes it takes using “fear tactics” for developers to discover their product isn’t as safe as they thought it was.
Playing the “WhiteHat Hacker”
Occasionally, our team at WhiteHat needs to demonstrate to companies the dangers of not incorporating security into the application development process for them to understand the harm it may cause. During these “exploitation workshops,” our team dives into the application and explores some of the vulnerabilities and flaws within the code and shows development teams different scenarios attackers could potentially exploit.
An example of the consequences of not taking vulnerabilities seriously happened during one of these demonstrations with a prospective customer. WhiteHat did an initial scan of the prospect’s website and provided them with a report on all of the vulnerabilities and potential security issues to address. Some looked like they needed to be fixed sooner rather than later. The prospect’s security team went through the details and notified the engineers, who were not convinced there was any real threat.
With the customer’s permission, a member of the WhiteHat team then executed one of the exploits, causing a temporary disruption on their site, to show them that the vulnerability was real and very easy to exploit.
The entire room was terrified at the realization that this was executed by an outside attacker with ease.
It is imperative for developers to understand how hackers are thinking these days. There are effective ways of mitigating SQL injection, and well-known patterns for preventing it in the popular languages used to build applications, yet application breaches show that SQL injection still stands as one of the top cybersecurity threats today. The moment we come in and show them the harm a lack of security mindset can do, it instills a greater sense of responsibility and caution. Contrary to what some individuals may think, it is not about teaching them how they can stop attacks. Rather, it’s to raise awareness that if security is not kept top of mind, an application breach will impact their business.
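To make the “well-known pattern” concrete, here is an added example written for this post (not WhiteHat’s own code): the insecure string-building habit beside the parameterized query that prevents it, run against a constructed in-memory `users` table. It also shows the availability angle mentioned earlier: an honest input containing an apostrophe breaks the insecure version outright.

```python
import sqlite3

# Constructed sample data: a hypothetical users table with three rows.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Insecure pattern: untrusted input is pasted into the SQL text, so the
    # input becomes part of the query grammar and can change what it means.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Well-known mitigation: a parameterized query. The SQL text is fixed and
    # the driver binds the value separately, so the input is only ever data.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(username: str) -> dict:
    # Run the same input through both versions and report what each returns.
    conn = build_db()
    try:
        vulnerable = find_user_vulnerable(conn, username)
    except sqlite3.Error as exc:
        # A stray quote in legitimate input is enough to break the query,
        # which is how insecure code ends up failing for real users.
        vulnerable = f"error: {type(exc).__name__}"
    return {"vulnerable": vulnerable, "safe": find_user_safe(conn, username)}

if __name__ == "__main__":
    # Expected behaviour (these values are also asserted in the test):
    # a normal lookup works in both versions; the textbook tautology input
    # returns every row from the insecure version and nothing from the safe
    # one; an apostrophe in an ordinary name crashes only the insecure version.
    for name in ("alice", "' OR '1'='1", "O'Brien"):
        print(repr(name), compare(name))
```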
The Key to a Security Mindset? AppSec Education
Education, whether through webinars and training sessions or by demonstrating to teams the repercussions of not building a secure app, is the best way to ensure your developers adopt security practices on a daily basis. With proper training, developers can understand how to build secure code and put the proper protocols in place for the complex interconnectivity all applications have today, by mitigating insecure patterns, reducing the attack surface and making their applications harder to exploit.
Want to learn more on appsec education? Click here to explore our eLearning page.