Jun 27, 2018
Attacks on your organisation aren't just possible anymore; they're inevitable. You're at risk whether you're a small company with a basic WordPress website and your files stored in the cloud, or a large enterprise running tens of interconnected SaaS products, internally developed applications and computer networks. News of vulnerabilities spreads through hacker communities faster than ever, and the ongoing race between security companies and attackers is one we're not getting any closer to winning. According to a recent report from CyberEdge Group, 70% of organisations experienced a successful cyberattack in the last 12 months, and 22% of those attacked experienced at least six successful attacks. In this post I explain why traditional approaches to security fall short, and why helping developers write more secure code is the most effective way to reduce risk.
The Traditional Security Approach
Security within many organisations is still treated as a box-ticking exercise: an audit is coming up, the company must pass it or face penalties, so as a knee-jerk reaction it buys security hardware and software such as firewalls, intrusion prevention systems and scanners. Whilst this approach often worked in the past, it's no longer effective in isolation. Most organisations now build their own software in addition to using a large number of externally developed applications. There's not much you can do to prevent vulnerabilities in the software you buy (beyond learning how to choose secure vendors, keeping what you buy patched, and making security awareness an organisation-wide priority), but there is a great deal you can do to reduce the risk posed by inevitable attacks on the software you develop in-house.
Develop More Secure Code
According to the 2013 Global Information Security Workforce Study, 69% of security professionals said that application-layer vulnerabilities were a primary threat to their organisation. A separate SANS report found that just 10% of organisations secure their business applications before and during development. That gap represents a huge opportunity to reduce the number of successful attacks against your organisation.

Application security is most effective when it's incorporated early in the software development lifecycle. Data indicates that fixing a vulnerability in production is around 30x more expensive than fixing it during the requirements, design and architecture stages, so the earlier in the lifecycle you can prevent a vulnerability, the better.

Reducing the cost of vulnerabilities is therefore best achieved in two ways:
- Training developers in security best practices, so that they don't design or develop insecure software in the first place.
- Providing developers with security tips and warnings inside their development environment, so that vulnerabilities are caught and eliminated as they're introduced into the code.
If you want to reduce the risk from inevitable attacks on your organisation, it's fundamental that you do both. Security hardware and software reduce risk, but they're fallible plasters covering holes that wouldn't have made it into your software if security had been taken seriously earlier in the software development lifecycle.
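To make the second practice concrete, here is a small illustration of the kind of in-editor warning the post has in mind. This is an added example written for this page, not code from the original post or from any product it describes: a Python AST check that flags SQL passed to a database cursor's execute() when the query string is assembled at runtime (f-string, % formatting, .format() or concatenation), which is the classic shape of a SQL injection bug. The two snippets it scans are constructed for the example; the SQL_SINKS set, the Finding type and the check_source() function are names chosen here, and a real IDE plugin or linter would do the same work with a broader rule set.

```python
import ast
from dataclasses import dataclass
from typing import List

# Constructed sample: what a developer might type. Both functions build the
# query from the untrusted `username` value, so both are injectable.
INSECURE_SAMPLE = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '%s'" % username)
    return cur.fetchone()

def find_user_fstring(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT id FROM users WHERE name = '{username}'")
    return cur.fetchone()
'''

# Constructed sample: the hardened form. The query text is a constant and the
# value travels separately as a bound parameter, so the check stays silent.
SECURE_SAMPLE = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchone()
'''

# Method names treated as SQL sinks (assumption for this example: DB-API style
# cursors, as used by sqlite3, psycopg2 and similar drivers).
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    line: int
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                           # "..." % x, "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(x)
    return False


class SqlSinkVisitor(ast.NodeVisitor):
    """Walks the tree and records every SQL sink fed a runtime-built string."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS
                and node.args
                and _is_dynamic_string(node.args[0])):
            self.findings.append(Finding(
                node.lineno,
                f"SQL passed to {node.func.attr}() is built from runtime values; "
                "use a parameterised query (placeholder plus an arguments tuple)",
            ))
        self.generic_visit(node)


def check_source(source: str) -> List[Finding]:
    """Parse Python source and return one Finding per suspicious SQL sink call."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for label, sample in (("insecure", INSECURE_SAMPLE), ("secure", SECURE_SAMPLE)):
        findings = check_source(sample)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: {f.message}")
```

Run as a script it reports two findings for the insecure sample (the % formatted query and the f-string query) and none for the parameterised one. The point of the check is not its sophistication but where it runs: surfaced in the editor as the line is typed, the warning costs the developer seconds, whereas the same bug found by a scanner after release costs the order-of-magnitude more the post describes.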