Oct 31, 2014
With advanced firewalls, anti-virus software, and other protection in place, it can be easy to believe your organisation's information is safe. Does it really matter any more whether applications are built without vulnerabilities? Vulnerabilities are bugs in a program's code that allow the software to be used in a way the original developer didn't intend. In this post we explain why minimising application vulnerabilities is more essential than ever.
A Vulnerability Example
There are lots of application vulnerabilities I could use as an example, but one of the most common is SQL injection. SQL injection is possible when a software developer mixes user input into the text of a database query (for example by concatenating it into a SQL string) instead of keeping it separate from the query, as parameterised queries do. When exploited, the vulnerability allows an attacker to change the query your application runs against its database. The attacker can then use that power to extract sensitive information, grant themselves unrestricted access, delete data and more. The problem with SQL injection attacks and similar is that they arrive as ordinary-looking HTTP requests over the port you already expose, so they're not going to be stopped by your organisation's firewall, anti-virus, or other advanced software/hardware.
So Are We Helpless?
Put simply, if your developers don't know how to keep these vulnerabilities out of your code, your company's sensitive information is at risk. That doesn't mean the situation is helpless, though. Your organisation can make changes that reduce the number of vulnerabilities making it into your applications, and in turn vastly reduce your information security risk.
Take Secure Development More Seriously
The solution to the problem is to take secure software development more seriously. That doesn't mean sending all of your organisation's developers on a "set-it-and-forget-it" course for a day and hoping that lasting change will come as a result. It means:
- Investing in ongoing training for software developers, and regularly testing developers to ensure that they're aware of best practices.
- Making secure development a priority early on in the software development lifecycle, to minimise cost and risk.
- Developing secure software development processes that have no single point of failure. Code reviews should become mandatory, so that no change reaches production on one person's judgement alone.
- Performing regular penetration tests to find software vulnerabilities, and resolving them before they become an incident.
- Threat modelling, to determine the most likely ways attackers will attempt to exploit the software your organisation produces.
If companies took secure development more seriously, information security risk would be vastly diminished. Do you want to find your organisation on a list of failures like this one next year? The average brand damage that results from an information security breach is $180-$330 million. What steps can you take today to reduce that risk?