Mar 28, 2014
Training development teams in security to a high level takes time, which raises the question: is a high level of security competency actually required from your development teams to significantly reduce risk within your organisation? For many organisations, the answer is no. Most organisations can quickly reduce their chance of being successfully attacked by ensuring that their developers know even the basic security best practices.
Why Does Basic Security Training Help So Much?
The answer is actually very simple. 80% of attacks against organisations are carried out by what are known as script kiddies: people who have been using computers for a few years but don't actually have much hacking experience. These people, often teenagers, are drawn by the power hacking can give them, and use commonly available software, without much (if any) knowledge of how it works, to try to gain access to systems -- any system they can.

Successful script kiddies typically have a lot of patience, and run their software against hundreds of IP addresses or applications until they find a vulnerability somewhere. If your applications are insecure, these are the attacks your organisation is most exposed to.

Due to the nature of the software script kiddies use, it's not too difficult to protect against them. Their tools are built to attack hundreds of different systems, and typically rely on exploiting the most common known vulnerabilities: mass scans, commodity malware, SQL injection and cross-site scripting (XSS). They're employing a shotgun approach, and therefore won't get into most applications, assuming the applications were developed by someone with a basic knowledge of security.

These attacks are in contrast to how more experienced hackers operate. An experienced hacker, by comparison, takes a rifle approach to exploiting system vulnerabilities. They have intricate knowledge of computer systems, applications and common flaws, and an understanding of how the intricacies of systems, and the way they're put together, can be exploited. They adapt their tools to the specific situation and use them as a framework for gaining access. They too are persistent, and will spend a lot of time trying to gain access to one specific system, often trying hundreds of different techniques and tools in a methodical way.

The most experienced hackers write their own tools and produce new attacks. They are the ones often responsible for uncovering zero-day vulnerabilities: flaws previously unknown to the software's developers and to security professionals, for which no fix yet exists when they are first exploited. Fortunately, these hackers make up the minority of attackers.

Understanding that the vast majority of attackers are inexperienced, and use off-the-shelf tools in a standard way to try to gain access to your organisation, it's easy to see how basic security best practices can protect your organisation. Developers who have the skills to protect against these most common vulnerabilities go a long way towards protecting your applications. Whilst basic security training won't protect you against all attacks, it will decrease your exposure significantly, and is an excellent first step if your organisation has not yet implemented a developer security training programme.
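As an added illustration (not code from the original post), the following Python shows the two application-level flaws named above, SQL injection and XSS, in the string-building form that commodity scanners look for, alongside the parameterised query and output encoding that basic developer training teaches. The users table, the sample rows and the two payloads are constructed for this example; the tautology payload is the kind of generic probe an off-the-shelf tool fires at every input it finds.

```python
import html
import sqlite3

# Constructed sample data for this example (not taken from the original post).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Generic payloads of the kind an off-the-shelf scanner sends to every input.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the query by string concatenation, so the input is parsed as SQL.
    A tautology payload makes the WHERE clause true for every row."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Binds the input as a parameter; the database never parses it as SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_greeting_vulnerable(name):
    """Reflects user input straight into HTML: a reflected XSS sink."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Encodes the input for an HTML text context before reflecting it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def run_comparison():
    """Run both payloads against both versions and return what each yields."""
    conn = make_db()
    results = {
        # The tautology returns every row from the concatenated query...
        "sqli_vulnerable_rows": len(find_user_vulnerable(conn, SQLI_PAYLOAD)),
        # ...but matches no user at all once it is bound as a parameter.
        "sqli_safe_rows": len(find_user_safe(conn, SQLI_PAYLOAD)),
        # A legitimate lookup still works through the parameterised path.
        "legit_safe_rows": len(find_user_safe(conn, "alice")),
        # The raw reflection keeps the script tag intact; the encoded one does not.
        "xss_vulnerable_has_script": "<script>" in render_greeting_vulnerable(XSS_PAYLOAD),
        "xss_safe_has_script": "<script>" in render_greeting_safe(XSS_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

Two design points worth noting. Python's `sqlite3.execute` runs a single statement, so a stacked-query payload (`'; DROP TABLE users; --`) raises an error here rather than executing; the tautology is used because it demonstrates the flaw regardless of that restriction. `html.escape` is correct only for an HTML text or attribute context; input reflected into JavaScript, a URL or CSS needs the encoding for that context, which is exactly the kind of distinction basic training should cover.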
But What About the Other 20%?
It's important to remember that the attacks you do get from the remaining 20% of attackers are likely to be more methodical. Not only that, but they will likely have a more specific goal in mind than just gaining access. These goals could include:
- Gathering intelligence to use against you in competitive bidding or negotiations
- Inserting back doors into your source code for future access
- Releasing company secrets to the press
- Manipulating transactions, invoices and billing
- Selling your company's confidential documents to competitors
- Altering or destroying records
- Stealing your source code and intellectual property
These are all things which your average script kiddie would never think about, or have the capacity to do.

So whilst minimal best practices can stop the 80% of attacks that are opportunistic, it's important not to neglect the other 20%. The most secure organisations don't stop at basic developer training, but thoroughly implement the three pillars of a secure software development lifecycle.