Let’s Discuss Application Security

Due to the proliferation of, and ease of access to, the internet and mobile devices, cyber criminals have flourished in recent years. In 2013, according to Symantec, web-based attacks climbed nearly 24% to 568,700 attacks per day. Forbes speculated near the end of 2013 that close to 30,000 websites a day were being hacked. Nearly 67% of websites identified as distributing malware were legitimate business websites that had been compromised, their code exploited or manipulated to aid criminals in malware distribution. Nearly 97% of the attacks that utilized new "zero day" vulnerabilities were Java based. The average time between vulnerability discovery and the availability of a patch hovered around 19 days, with an additional 4-day average for organizations to actually apply the patch. That resulted in nearly 23 days of exposure for unsuspecting organizations.
Zero days are difficult enough to combat on their own, but the hard truth is that a growing number of breaches occur because vital vulnerabilities in application code were either not addressed or were not addressed in a timely manner. A recent study by an application security vendor named WhiteHat found that on average 86% of all websites tested had at least one serious vulnerability, and most of the sites had 56 serious vulnerabilities. The average time to correct these vulnerabilities was 193 days, which resulted in high labor and remediation costs. The decision to build better secure coding practices into your company's SDLC (System Development Life-Cycle) becomes easier when one considers that the average data breach costs organizations nearly $189 per record stolen in direct costs (man-hours, remediation) and indirect costs (legal actions, brand name damage).
WhiteHat's study also recognized that "57% of organizations (reviewed) said they provide some amount of instructor-led or computer-based software security training for their programmers. These organizations experienced 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate." There appears to be a true financial benefit for organizations that attempt to build security into their application code and train their developers.