‘The More Things Change, The More They Stay the Same’: XSS, SQLi, CSRF AppSec Vulnerabilities Show Little Improvement in 1H2019

“The more things change, the more they stay the same.” This simple, succinct proverb, coined in the 19th century by French novelist Jean-Baptiste Alphonse Karr, continues to resonate in so many areas of our day-to-day lives.

But why am I quoting an author from more than 200 years ago, and what does it have to do with application security?

We have seen many incredible technological advancements from the early days of the World Wide Web. These include, but are not limited to:

  • 1991: Students at Cambridge University create the first webcam to monitor levels in a coffee pot. This evolved into the use of video meetings in almost every business worldwide.
  • 1994: Security was first applied through SSL to help ensure data is sent securely, leading to the more robust versions within TLS. Now the general population knows to look out for these website security indicators.
  • 2014: HTML joins with CSS & JS, progressing to the HTML 5 standard, which delivers the interactive & sleek websites we know today.

We, as a society, have clearly progressed very quickly and have increased our technological skills in the process. However, some of the most basic application security vulnerabilities remain prevalent today – despite mitigation being documented for decades.

Where Common AppSec Vulnerabilities Stand: 1H2019

If we look at three of the most common application vulnerabilities, cross-site scripting (XSS), SQL injection (SQLi) and cross-site request forgery (CSRF), we see that in the past two years, the number of common vulnerabilities and exposures (CVEs) has increased – with 2019 on track to show minimal improvements, if any, before the year is out.

| Year | XSS  | SQLi | CSRF |
|------|------|------|------|
| 2017 | 1465 | 497  | 311  |
| 2018 | 1963 | 499  | 444  |
| 2019 | 936  | 224  | 218  |

All three vulnerability classes are long established, with simple ways to mitigate them:

  • XSS: Validate user input, encode output
  • SQLi: Use prepared statements / parameterized queries
  • CSRF: Use CSRF tokens, validate the Referer header, use CAPTCHAs
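The mitigations listed above, side by side, as an added example that is not part of the original article. Python's standard library stands in for a web stack; the table, function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac
import html
import secrets
import sqlite3

# Constructed sample data: an in-memory table with two users.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, email TEXT)")
db.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")
db.execute("INSERT INTO users VALUES ('bob', 'bob@example.com')")

def find_user_concat(name):
    """Deliberately SQLi-prone 'before': input is spliced into the SQL text."""
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()

def find_user_param(name):
    """SQLi fix: the driver binds the value, so it is never parsed as SQL."""
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting(name):
    """XSS fix: encode on output so markup characters render as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

# Per-deployment secret; generated at import time only for this demo.
SERVER_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    """CSRF fix: a token bound to the session via HMAC, embedded in each form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def check_csrf_token(session_id, submitted):
    """Reject missing tokens; compare the rest in constant time."""
    if not submitted:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())

if __name__ == "__main__":
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print(len(find_user_concat(crafted)), "rows from concatenated query")
    print(len(find_user_param(crafted)), "rows from parameterized query")
    print(render_greeting("<script>alert(1)</script>"))
    token = issue_csrf_token("sess-1")
    print(check_csrf_token("sess-1", token), check_csrf_token("sess-2", token))
```

The concatenated query returns every row for the crafted input, while the parameterized one returns none because the whole string is compared as a name.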

There is no shortage of resources on the web explaining what each vulnerability is, how it is detected and how to mitigate it. However, year after year, we find that the number of vulnerabilities exposed is on the increase – despite increased awareness.

Prevention is Even More Important Than Remediation

Part of the problem is that companies often focus on fixing application security vulnerabilities rather than preventing them in the first place. It is proven that it costs more to fix a vulnerability that has gone live than to detect it in pre-production. So why is there not more focus on the prevention aspect?

The simple answer is speed. If your application is first out of the gate, it will be the first to get to the audience, in a world where what’s “hot” changes every few days. This often results in companies recycling previous code, containing the same vulnerabilities, or using third-party code with the false assumption that if a lot of people are using the same code, it must be safe.

Why haven’t companies been motivated to change? There are the looming threats of potential damage to brand and customer loyalty resulting from a compromise, but companies can recover from these with public relations, informing their customers of improved security practices and building a new business pipeline over time.

Recently, however, as the General Data Protection Regulation (GDPR) hit its one-year implementation marker, companies that did not meet its strict compliance standards have finally been making headlines for being slapped with massive fines. And other organizations are waking up and taking note.

GDPR’s Role in Affecting Change

There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

The first large-scale penalty was recently announced, with British Airways facing a fine of £183 million (on the day the fine was announced, equivalent to just short of $228 million) for a data breach disclosed by the company in September 2018.

The breach occurred when users of BA’s website were redirected to a fake site, which compromised the personal data of around 500,000 of them. It is by far the biggest GDPR-related fine so far, and the UK’s data protection body, the Information Commissioner’s Office (ICO), imposed it based on 1.5 percent of BA’s 2017 worldwide revenue.

Other recent fines include Marriott being hit with a £99m fine for a GDPR violation, Google being fined 50 million euros (£44m) by the French data regulator CNIL for a breach of the EU’s data protection rules, and the FTC making Facebook cough up $5 billion.

As the BBC put it, the level of fine British Airways alone was hit with will send “a shiver down the spine of anyone responsible for cybersecurity at a major corporation.” These recent announcements drew a new line in the sand for everyone, and corporations now have some real numbers to work with. Anyone who was under the assumption that regulators wouldn’t crack down can no longer be in any doubt.

Business leaders need to ask themselves whether they are content to live with the jeopardy of data protection fines potentially running into the nine-figure bracket, or whether it’s more prudent to invest a fraction of that total in better cybersecurity procedures and technologies, such as application security.

How can companies change?

We have seen companies evolve processes many times as technology has advanced, and we now see most companies moving from a software life cycle (SLC) using the waterfall approach to adopting the modern agile approach.

Agile allows for constant review and improvement to the specs of a project, and in turn, we have witnessed the rise of DevOps, an extension of the agile methodology that bridges the Development and Operations teams and helps ensure software created is operable and maintainable once the project goes live.

It is now time for companies to take the next step and move from DevOps to DevSecOps, the emerging methodology in which security testing is performed at each stage of the agile SLC, so that security vulnerabilities are detected and remediated as early as possible and internal systems or users of the product do not fall victim to malicious actors.

All of these factors considered, security can no longer be an afterthought.