So many enterprises still struggle with, or simply overlook, software security. For every brand that takes the appropriate measures to ensure security, there are countless more companies that have yet to make it a priority.
An (ISC)2 study, covered by CSO, recently found that hacktivism (43 percent), cyber terrorism (44 percent), and hacking (56 percent) are among the top security risks for companies globally. Cybersecurity experts note that the ‘drive-by download’ is also a growing – and very worrisome – attack technique that is currently making the rounds. As covered by CNNMoney’s Julianne Pepitone, NBC is the latest victim of the ‘drive-by download’ threat:
“The hack, which affected NBC.com and related sites for ‘Late Night with Jimmy Fallon’ and ‘Jay Leno’s Garage,’ infected visitors to the compromised sites with the Citadel Trojan. The potent strain of malware is used for cyberespionage and to steal bank account information.
Infecting computers with malware when they navigate to a website is called a ‘drive-by download,’ and cybersecurity experts say it’s a growing — and terrifying — attack technique. Users who are simply surfing the Web can unwittingly stumble upon a hacked website, which may look completely normal. Security researcher Dancho Danchev, who wrote a detailed blog post about the attack, told CNNMoney the hack was both invisible to the average user and tough even for security experts to track.”
These new types of threats are growing rapidly, and, as the NBC case shows, they are getting increasingly hard to detect. We all know the detrimental risks associated with overlooking security, and we’ve seen many enterprises like NBC crushed by cyber-attacks like these. But why hasn’t the problem lessened? Why aren’t organizations taking the appropriate measures to protect their software? Rafal Los, of Infosec Island, says there are countless directions in which we can point the blame. However, Los believes the real problem lies in poor code quality:
“There are plenty of reasons we can blame these vast failures on … immature tools, cookie-cutter processes, poor sentiment from the enterprise leadership … blah blah blah …bottom line is it’s 2013 and companies big and small are still struggling with poor code quality, a negative dynamic between developer and security person, and other assorted issues.”
Los says that when it comes to enterprises’ total quality management (TQM) strategies, the majority of developers are missing an important piece of their process. They’ve likely homed in on functional and performance quality, but have forgotten security. Los adds that finding a solution to this is the real challenge:
“I don’t see this being solved any time soon, unless we finally figure out a way to properly incentivize the whole of the organization to think ‘security’ as an integral part of everyone’s success, and collapse the 3 pillars of quality into one unit.
Does it function? - quality organization
Does it perform? - quality organization
Is it secure? - security organization”
Los believes that if these three pillars of quality are collapsed into a single responsibility/QA structure, enterprise security will improve. However, code isn’t necessarily the only challenge businesses need to overcome. Derek du Preez, writing in CSO, says there is a massive skills shortage within the security field that needs to be addressed:
“Computerworld UK spoke to Richard Nealon, Co-chairman of the (ISC)2 EMEA Advisory Board, who said that there is a requirement and an opportunity for security professionals to become experts in protecting software.
‘There is a huge gap that seems to exist between information security professionals and software professionals. There’s a disconnect there. We see software vulnerabilities as the key issue, but we are not getting involved with it as a profession,’ said Nealon.
‘We are seeing a high number of incidents that have software vulnerabilities as a core component, but we don’t have the training to go in and get more involved in the development lifecycle. There is a huge opportunity for security professionals in the industry to get more involved.’
…Nealon also pointed to the study’s conclusion that there is a significant skills gap, with 56 percent of organizations claiming that their security team is short-staffed.”
Regardless of the underlying cause – people or code – it is critical for companies to identify risks as soon as possible. However, this is extremely difficult to do when internal resources are stretched thin, and it’s hard to objectively test your own code. If companies aren’t able to prevent attacks, are they at least ready to respond to them quickly?
According to the (ISC)2 study, 15 percent of organizations say they are not able to put a timeframe on their ability to recover from an attack. Not to mention, twice the percentage of respondents in the 2013 survey said their readiness has worsened. This puts businesses in an increasingly difficult situation.
The best solution for companies struggling with security before and after launch is to seek an in-the-wild security testing solution that utilizes white-hat security experts. These experts can probe software for the most common vulnerabilities, and can be available to identify a root cause (and areas of prevention) if an attack does occur. The number of security experts available today with the right skills may be slim, but by utilizing crowdsourced security testing, businesses can gain access to skilled, experienced security experts.
Big businesses with rapid growth and a heavy digital presence should be first in line to improve their security efforts. Unfortunately, most of them are not, and these companies are in danger of destroying their business’s reputation. However, with a solid in-the-wild testing solution, companies are empowered with the security skill sets they need to ensure their software and their users’ data remain free of risks and vulnerabilities.
For more resources on security, download this free whitepaper: Security Testing – Is Your Application At Risk?