The forgotten human factor driving web application security flaws
The 2018 Verizon Data Breach Investigations Report is once again a great read that keeps us up to date on cybersecurity, including current cybercrime trends and incident drivers, analysis and insight that can help organizations mature their security program. This year the Verizon investigators analyzed more than 53,000 incidents and 2,200-odd breaches, and there are many tangible takeaways about what to watch out for and what not to do, as well as valuable recommendations on where to focus security efforts. The 2018 report feels like it has evolved with the times, relevant to a wider business audience as security impacts spread, and is increasingly recognised as a mainstream business problem.
Among many interesting findings, the 2018 report verifies that most hacks still happen through breaches of web applications (there's even a cool interactive chart that shows this).
Web application attacks consist of any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. It is notable that the number of breaches in this pattern is reduced due to the filtering of botnet-related attacks on web applications using credentials stolen from customer-owned devices. Use of stolen credentials is still the top variety of hacking in breaches involving web applications, followed by SQLi (more on SQL later...).
One theme that stands out in this year's report is how critical the "human factor" is in the security equation, both as part of the problem and the solution. The report deals with both external and internal actors, reporting that errors were at the heart of almost one in five (17%) breaches. Breaches occurred when employees failed to shred confidential information, when they sent an email to the wrong person and when web servers were misconfigured. The report points out that while none of these were deliberately ill-intentioned, they could all still prove costly.
But there's an often forgotten human factor that is causing many security breaches and that is the high frequency of developers creating code that contains security flaws, which lead to web application vulnerabilities, which in turn result in these incidents and breaches.
Application testing over the past 5 years has not shown much improvement in the number of vulnerabilities found and the same old flaws keep coming up time and time again. A 2017 Veracode report based on 400,000 application scans, shows applications passed OWASP Top 10 policy only 30% of the time. Astonishingly, SQL injections appeared in almost one in three newly scanned applications over the past 5 years, including last year.I say astonishing because SQL injections have been around since 1999. The fact that the same flaws, including SQL injections, are consistently found, is evidence that this "human factor" problem among developers is not being adequately addressed.
It is at this point that I need to stand up and shout that I am on the developers side of this argument. How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
That's what we do at Secure Code Warrior and we are seeing strong evidence that companies who build hands-on secure code training into their developers'daily lives are reducing the number of web application vulnerabilities created. For developers to write secure code, they need regular access to hands-on learning that actively engages them to build their secure coding skills. They need to learn about recently identified vulnerabilities, in real code, and specifically in their own languages/frameworks. This learning experience should help them understand how to locate, identify and fix known vulnerabilities. Developers also need a quality toolset in their process that makes security easy, does not slow them down and guides them in real time about good and bad coding patterns.
This is how we can make a tangible and positive difference to the number of web application breaches.
I am in violent agreement with Verizon that there is a need to increase security awareness training company-wide. My P.S. on this to CIOs and CISOs is "don't forget your developers!". These architects of your modern businesses can be one significant "human factor" who routinely generate access points for hackers, or they can be your first line of defense, your security heroes.
Effective security upskilling for developers could make a real difference to the outcomes reported by Verizon in future reports. It would be nice to see the 2019 report reflect developer security training as a key risk reduction strategy that companies can take. I'm an optimist, but I'd bet my house that if companies got their developers to learn how to avoid creating injection flaws, the number of web application vulnerabilities in this report would drop significantly.
Take a look at our platform in action to see how developers can upskill fast in an ideal, gamified training environment:
Play a secure coding challenge
Visit our free learning resources
How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
How are developers supposed to write secure code if nobody ever teaches them about why its important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
The 2018 Verizon Data Breach Investigations Report is once again a great read that keeps us up to date on cybersecurity, including current cybercrime trends and incident drivers, analysis and insight that can help organizations mature their security program. This year the Verizon investigators analyzed more than 53,000 incidents and 2,200-odd breaches, and there are many tangible takeaways about what to watch out for and what not to do, as well as valuable recommendations on where to focus security efforts. The 2018 report feels like it has evolved with the times, relevant to a wider business audience as security impacts spread, and is increasingly recognised as a mainstream business problem.
Among many interesting findings, the 2018 report verifies that most hacks still happen through breaches of web applications (there's even a cool interactive chart that shows this).
Web application attacks consist of any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. It is notable that the number of breaches in this pattern is reduced due to the filtering of botnet-related attacks on web applications using credentials stolen from customer-owned devices. Use of stolen credentials is still the top variety of hacking in breaches involving web applications, followed by SQLi (more on SQL later...).
One theme that stands out in this year's report is how critical the "human factor" is in the security equation, both as part of the problem and the solution. The report deals with both external and internal actors, reporting that errors were at the heart of almost one in five (17%) breaches. Breaches occurred when employees failed to shred confidential information, when they sent an email to the wrong person and when web servers were misconfigured. The report points out that while none of these were deliberately ill-intentioned, they could all still prove costly.
But there's an often forgotten human factor that is causing many security breaches and that is the high frequency of developers creating code that contains security flaws, which lead to web application vulnerabilities, which in turn result in these incidents and breaches.
Application testing over the past 5 years has not shown much improvement in the number of vulnerabilities found and the same old flaws keep coming up time and time again. A 2017 Veracode report based on 400,000 application scans, shows applications passed OWASP Top 10 policy only 30% of the time. Astonishingly, SQL injections appeared in almost one in three newly scanned applications over the past 5 years, including last year.I say astonishing because SQL injections have been around since 1999. The fact that the same flaws, including SQL injections, are consistently found, is evidence that this "human factor" problem among developers is not being adequately addressed.
It is at this point that I need to stand up and shout that I am on the developers side of this argument. How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
That's what we do at Secure Code Warrior and we are seeing strong evidence that companies who build hands-on secure code training into their developers'daily lives are reducing the number of web application vulnerabilities created. For developers to write secure code, they need regular access to hands-on learning that actively engages them to build their secure coding skills. They need to learn about recently identified vulnerabilities, in real code, and specifically in their own languages/frameworks. This learning experience should help them understand how to locate, identify and fix known vulnerabilities. Developers also need a quality toolset in their process that makes security easy, does not slow them down and guides them in real time about good and bad coding patterns.
This is how we can make a tangible and positive difference to the number of web application breaches.
I am in violent agreement with Verizon that there is a need to increase security awareness training company-wide. My P.S. on this to CIOs and CISOs is "don't forget your developers!". These architects of your modern businesses can be one significant "human factor" who routinely generate access points for hackers, or they can be your first line of defense, your security heroes.
Effective security upskilling for developers could make a real difference to the outcomes reported by Verizon in future reports. It would be nice to see the 2019 report reflect developer security training as a key risk reduction strategy that companies can take. I'm an optimist, but I'd bet my house that if companies got their developers to learn how to avoid creating injection flaws, the number of web application vulnerabilities in this report would drop significantly.
Take a look at our platform in action to see how developers can upskill fast in an ideal, gamified training environment:
Play a secure coding challenge
Visit our free learning resources
How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
The 2018 Verizon Data Breach Investigations Report is once again a great read that keeps us up to date on cybersecurity, including current cybercrime trends and incident drivers, analysis and insight that can help organizations mature their security program. This year the Verizon investigators analyzed more than 53,000 incidents and 2,200-odd breaches, and there are many tangible takeaways about what to watch out for and what not to do, as well as valuable recommendations on where to focus security efforts. The 2018 report feels like it has evolved with the times, relevant to a wider business audience as security impacts spread, and is increasingly recognised as a mainstream business problem.
Among many interesting findings, the 2018 report verifies that most hacks still happen through breaches of web applications (there's even a cool interactive chart that shows this).
Web application attacks consist of any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. It is notable that the number of breaches in this pattern is reduced due to the filtering of botnet-related attacks on web applications using credentials stolen from customer-owned devices. Use of stolen credentials is still the top variety of hacking in breaches involving web applications, followed by SQLi (more on SQL later...).
One theme that stands out in this year's report is how critical the "human factor" is in the security equation, both as part of the problem and the solution. The report deals with both external and internal actors, reporting that errors were at the heart of almost one in five (17%) breaches. Breaches occurred when employees failed to shred confidential information, when they sent an email to the wrong person and when web servers were misconfigured. The report points out that while none of these were deliberately ill-intentioned, they could all still prove costly.
But there's an often forgotten human factor that is causing many security breaches and that is the high frequency of developers creating code that contains security flaws, which lead to web application vulnerabilities, which in turn result in these incidents and breaches.
Application testing over the past 5 years has not shown much improvement in the number of vulnerabilities found and the same old flaws keep coming up time and time again. A 2017 Veracode report based on 400,000 application scans, shows applications passed OWASP Top 10 policy only 30% of the time. Astonishingly, SQL injections appeared in almost one in three newly scanned applications over the past 5 years, including last year.I say astonishing because SQL injections have been around since 1999. The fact that the same flaws, including SQL injections, are consistently found, is evidence that this "human factor" problem among developers is not being adequately addressed.
It is at this point that I need to stand up and shout that I am on the developers side of this argument. How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
That's what we do at Secure Code Warrior and we are seeing strong evidence that companies who build hands-on secure code training into their developers'daily lives are reducing the number of web application vulnerabilities created. For developers to write secure code, they need regular access to hands-on learning that actively engages them to build their secure coding skills. They need to learn about recently identified vulnerabilities, in real code, and specifically in their own languages/frameworks. This learning experience should help them understand how to locate, identify and fix known vulnerabilities. Developers also need a quality toolset in their process that makes security easy, does not slow them down and guides them in real time about good and bad coding patterns.
This is how we can make a tangible and positive difference to the number of web application breaches.
I am in violent agreement with Verizon that there is a need to increase security awareness training company-wide. My P.S. on this to CIOs and CISOs is "don't forget your developers!". These architects of your modern businesses can be one significant "human factor" who routinely generate access points for hackers, or they can be your first line of defense, your security heroes.
Effective security upskilling for developers could make a real difference to the outcomes reported by Verizon in future reports. It would be nice to see the 2019 report reflect developer security training as a key risk reduction strategy that companies can take. I'm an optimist, but I'd bet my house that if companies got their developers to learn how to avoid creating injection flaws, the number of web application vulnerabilities in this report would drop significantly.
Take a look at our platform in action to see how developers can upskill fast in an ideal, gamified training environment:
Play a secure coding challenge
Visit our free learning resources
How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
The 2018 Verizon Data Breach Investigations Report is once again a great read that keeps us up to date on cybersecurity, including current cybercrime trends and incident drivers, analysis and insight that can help organizations mature their security program. This year the Verizon investigators analyzed more than 53,000 incidents and 2,200-odd breaches, and there are many tangible takeaways about what to watch out for and what not to do, as well as valuable recommendations on where to focus security efforts. The 2018 report feels like it has evolved with the times, relevant to a wider business audience as security impacts spread, and is increasingly recognised as a mainstream business problem.
Among many interesting findings, the 2018 report verifies that most hacks still happen through breaches of web applications (there's even a cool interactive chart that shows this).
Web application attacks consist of any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. It is notable that the number of breaches in this pattern is reduced due to the filtering of botnet-related attacks on web applications using credentials stolen from customer-owned devices. Use of stolen credentials is still the top variety of hacking in breaches involving web applications, followed by SQLi (more on SQL later...).
One theme that stands out in this year's report is how critical the "human factor" is in the security equation, both as part of the problem and the solution. The report deals with both external and internal actors, reporting that errors were at the heart of almost one in five (17%) breaches. Breaches occurred when employees failed to shred confidential information, when they sent an email to the wrong person and when web servers were misconfigured. The report points out that while none of these were deliberately ill-intentioned, they could all still prove costly.
But there's an often forgotten human factor that is causing many security breaches and that is the high frequency of developers creating code that contains security flaws, which lead to web application vulnerabilities, which in turn result in these incidents and breaches.
Application testing over the past 5 years has not shown much improvement in the number of vulnerabilities found and the same old flaws keep coming up time and time again. A 2017 Veracode report based on 400,000 application scans, shows applications passed OWASP Top 10 policy only 30% of the time. Astonishingly, SQL injections appeared in almost one in three newly scanned applications over the past 5 years, including last year.I say astonishing because SQL injections have been around since 1999. The fact that the same flaws, including SQL injections, are consistently found, is evidence that this "human factor" problem among developers is not being adequately addressed.
It is at this point that I need to stand up and shout that I am on the developers side of this argument. How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
That's what we do at Secure Code Warrior and we are seeing strong evidence that companies who build hands-on secure code training into their developers'daily lives are reducing the number of web application vulnerabilities created. For developers to write secure code, they need regular access to hands-on learning that actively engages them to build their secure coding skills. They need to learn about recently identified vulnerabilities, in real code, and specifically in their own languages/frameworks. This learning experience should help them understand how to locate, identify and fix known vulnerabilities. Developers also need a quality toolset in their process that makes security easy, does not slow them down and guides them in real time about good and bad coding patterns.
This is how we can make a tangible and positive difference to the number of web application breaches.
I am in violent agreement with Verizon that there is a need to increase security awareness training company-wide. My P.S. on this to CIOs and CISOs is "don't forget your developers!". These architects of your modern businesses can be one significant "human factor" who routinely generate access points for hackers, or they can be your first line of defense, your security heroes.
Effective security upskilling for developers could make a real difference to the outcomes reported by Verizon in future reports. It would be nice to see the 2019 report reflect developer security training as a key risk reduction strategy that companies can take. I'm an optimist, but I'd bet my house that if companies got their developers to learn how to avoid creating injection flaws, the number of web application vulnerabilities in this report would drop significantly.
Take a look at our platform in action to see how developers can upskill fast in an ideal, gamified training environment:
Play a secure coding challenge
Visit our free learning resources
How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.