Why do we keep getting hacked? And how can we stop cyber breaches?
The hacks just keep on coming; it seems like every week there’s a new, huge hack taking place. The question on everyone’s minds must be why haven’t we got control of this yet? With all the advances in technology, why can’t we beat the hackers? Unfortunately, it’s exactly those technological advances such as mobile applications and the Internet of Things (IoT) that are often the very causes of these breaches.
The simple truth, and the simple answer, is that security has been an afterthought. To stop the slew of breaches, we have to patch the vulnerabilities that the hackers crack before they go live. Amit Ashbel, Cyber Security Evangelist at Checkmarx explains how…
The correlation between technology and hacking
Technological advances such as IoT means more connected devices and applications launching every day which ultimately results in a bigger surface attack area for hackers. Unfortunately, security has been a lower priority than getting these new products to market and the lack of regulation around application development allows this to continue. Developers are still being measured on how quickly they can write code rather than how securely. This often presents vendors with a difficult decision between fixing vulnerabilities or fixing bugs before releasing the application to market. Unfortunately the cost of delaying a release is often too high for organizations which leads to many of the issues we later see on the news. By modifying how businesses currently develop applications to add security into the process, it’s possible to significantly reduce the vulnerabilities in the code and therefore the attack surface for the hackers. Building a structured and well thought through Application Security program doesn’t have to create delays. This is the process of changing businesses from the regular Software Development Life Cycle (SDLC) to the Secure Software Development Life Cycle (sSDLC).
The current situation and why it needs to change
The regular process for software development, or the SDLC, is composed of 5 stages: design, development (coding), testing, deployment and maintenance. In this process, most of the testing is conducted at the latter end of the cycle which is the root of the problem.
Testing late with black box methods such as pen-testing is expensive and time-consuming. It often means that it takes longer for the developers to fix any bugs or vulnerabilities found as they will have moved on to different projects and so they won’t be as familiar with the code as they would have been when they first wrote it. It can also put pressure on the business to release an application or an update that isn’t fully secure simply because of time and budget constraints. In these cases, a decision needs to be made between fixing a bug so that a feature will work perfectly for the user or fixing a security vulnerability which could make it easier for a hacker to access a user’s data and, with IoT, potentially other devices. Because of the current competitive marketplace, the features are sometimes considered more important and so vendors decide to release with vulnerabilities in the code, sometimes with the view to fixing them in a later version but of course, with development cycles becoming increasingly shorter and the focus always on new features, this rarely happens.
A better way
Businesses don’t have to wait to test code. White box testing methods such as Static Application Security Testing (SAST) can look at an application’s source code and build a comprehensive understanding of its risks. Currently, new SAST solutions even allow for incremental scanning so instead of running analyses on millions of lines of code (LoC) that could last a full day, developers can just test new or modified pieces of code to find security flaws. Ultimately, a strong SAST solution enables developers to identify any coding errors and address them early so reducing the time and costs of handling vulnerabilities at a later stage of the SDLC with black box testing methods which in some cases causes a project delay.
Furthermore, the latest SAST solutions can reduce the developer’s mitigation effort and remediation time by pinpointing specific junctions in the data flow of the application’s code which allows mitigating multiple vulnerabilities with a single fix. This functionality on its own can reduce remediation times by up to 80 per cent in many cases. One significant value of introducing security at the development stage is often ignored. Developers who are tasked with addressing code vulnerabilities will, in most cases, not make the same mistakes again.
Increasing your developers secure coding skills is a symbiotic situation that organisations need to leverage. From the business point of a view, a developer with secure coding skills is a very valuable and rare asset. From the developer’s point of view, increased secure coding knowledge might be one of the strongest career moves in today’s technology landscape.
Shifting mindsets towards a secure-SDLC
Beyond the educational advantage of learning how to code securely, developers start addressing vulnerabilities in the same way they address functional bugs, transforming an SDLC into a Secure-SDLC (sSDLC). If security can be considered at the beginning of each development process, businesses can consider which security mechanisms need to be implemented where, how the attack surface can be minimised, and identify sensitive areas where secure development can be helped by providing a secure infrastructure to developers to work with. Once this mindset is developed and security is at the core of the SDLC, we have a much better chance of stopping these vulnerabilities ever getting to market which will significantly reduce the attack surface available for hackers.