Software security is improving, but this past year still saw hacks and security breaches. In 2015, companies were creating new tools or initiatives to make sure data and critical information were protected, but with a fair share of leaks and hacks, the wait for a solution to software security continues.
Taking a different approach to security, a company called SourceClear raised funds in October to improve software security, saying that its software works inside a developer’s workflow and with a team’s existing tools, giving developers real-time visibility into the risks of using other people’s code as they work.
Also released in October was Cigital’s most recent findings of its Building Security in Maturity Model, declaring that software security is in fact lagging. With the release of this study, the application security firm added the healthcare industry to its analysis, joining financial services, independent software vendors, and electronics. Gary McGraw, CTO of Cigital, hoped that these findings would get companies to “buckle down” and focus more on security in the months to come.
October was a big month for announcements, as the government also joined in on the fight for cybersecurity. The U.S. Senate passed a controversial cybersecurity bill known as the Cybersecurity Information Sharing Act (CISA) in October; if the bill is signed into law, it would allow businesses and government agencies to share information related to hackers and their methods. Several organizations, including Twitter, Yelp and Reddit, spent months trying to raise awareness about the bill and why it shouldn’t be passed.
Other companies were busy handling their own security issues, like Dell when it had to respond to concerns about a certificate called eDellRoot that was supposed to make things fast and easy for customers, but instead introduced a hole in security.
Rather than reacting to security issues, Docker spent the year improving security. The changes started in August, when it introduced Docker Content Trust, which uses digital signatures to secure Dockerized content. In October, CoreOS and Docker, along with a group of industry leaders, set out to create common standards for software containers through the Open Container Project, which included making sure they had a well-designed software container specification that was secure across all platforms. And in November, Docker announced new security enhancements that safeguard and protect Dockerized distributed applications without impacting the developer’s workflow.
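To make the idea behind signed content concrete, here is an added example (not Docker’s own code, and not the Notary/TUF format Docker Content Trust actually uses) that shows the principle: a publisher signs the SHA-256 digest of an artifact, and a consumer refuses to use content whose digest or signature does not verify under a trusted public key. The key pair, the sample content and the function names are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedArtifact pairs a content digest with a signature over that digest.
// Illustrative structure only; real content-trust systems carry more
// metadata (names, versions, expiry) to resist replay and rollback.
type SignedArtifact struct {
	Digest    [32]byte
	Signature []byte
}

// GenerateKeys creates a publisher key pair. In practice the public key is
// distributed out of band and pinned by the consumer as the trust root.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Publish computes the SHA-256 digest of the content and signs that digest.
func Publish(priv ed25519.PrivateKey, content []byte) SignedArtifact {
	digest := sha256.Sum256(content)
	return SignedArtifact{Digest: digest, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify recomputes the digest of the content actually received, checks it
// against the signed digest, and checks the signature under the trusted key.
// Any mismatch returns an error and the content must not be used.
func Verify(pub ed25519.PublicKey, content []byte, art SignedArtifact) error {
	got := sha256.Sum256(content)
	if got != art.Digest {
		return errors.New("content digest does not match signed digest")
	}
	if !ed25519.Verify(pub, art.Digest[:], art.Signature) {
		return errors.New("signature invalid for trusted key")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for an image layer or manifest.
	content := []byte("FROM scratch\nCOPY app /app\n")
	art := Publish(priv, content)
	fmt.Println("genuine content:", Verify(pub, content, art))

	// Content altered after signing: the digest no longer matches.
	tampered := append(append([]byte{}, content...), []byte("# modified in transit\n")...)
	fmt.Println("tampered content:", Verify(pub, tampered, art))
}
```

The consumer side is the important half: verification happens before the content is used, and the trusted public key is the only thing the consumer has to protect, which is why key distribution and rotation are the hard parts of any content-trust deployment.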
Summing up the year, Verizon released its 2015 Data Breach Investigations Report, which revealed that while cyber threats are getting more sophisticated, many cyber attacks still rely on decades-old techniques.
That was borne out in practice. In June, cybersecurity firm Kaspersky Lab announced that it had experienced an advanced and stealthy attack on its own internal networks. Sony had to settle after its systems suffered a breach in November from hackers whom the company claimed were angry about the movie “The Interview.” That breach led to the release of personal data, and former employees say it happened due to company negligence. Toy giant VTech also saw a breach in November, in which hackers accessed 6 million children’s information. Experts say it was due to a lack of common steps to protect passwords.
The age-old battle of software security continues, and mobile applications pose even more problems for both the developers and the applications themselves. Experts say that the responsibility of securing mobile apps shouldn’t be on just the developers. Instead, security should be a coordinated effort between the business and development teams, and this is something to consider moving into 2016.