In recent weeks, data breaches seem to have suddenly become more widespread and far reaching across the globe. In Australia, the Office of the Australian Information Commissioner (OAIC) revealed more than 10 million individuals had their information compromised in a single incident. In Singapore, thousands of Red Cross blood donors had their personal information leaked. And in the US, another giant cloud data breach exposed the personal data of 80 million households. These are just a few examples of the latest string of attacks that demonstrate hackers are taking big swings at high-value targets.
To better understand the latest security threats and patterns, Verizon recently published its 2019 Data Breach Investigation Report (DBIR) based on real-world data from 41,686 confirmed security incidents and 2,013 data breaches spanning 86 countries worldwide. Once again, the study shows that web application attacks continue to be the most common attack vector for data breaches as well.
RELATED CONTENT: Why do the same vulnerabilties keep showing up?
This year, more than half of breaches associated with web application attacks involved attackers using stolen credentials. The report also revealed that financial services, healthcare, educational services, retail and manufacturing were the industries that are the most susceptible to web application vulnerabilities, among others.
All of this data compiled in Verizon’s yearly report is a good reminder for companies across all industries to re-assess the state of their application security practices. And while a new report from Global Market Insights reveals the application security market will witness rapid growth, many companies will need help overcoming internal challenges that impede adoption. To help, we have identified some of the most common roadblocks that prevent application security programs from getting off the ground:
Top Organizational Roadblocks to Securing Software
- Testing is too slow: Current security approaches that involve manual processes, such as penetration testing or manual code reviews are simply too slow and cannot scale to cover all business needs.
- Disconnected teams: Security and development teams are often at odds, as development teams lack security knowledge; and security teams lack development expertise to fix vulnerabilities.
- Technology isn’t built for security: Architecture, development and framework decisions are often made outside of security considerations, which can make security difficult to add on after the fact.
- False positives: Oftentimes when looking for vulnerabilities organizations experience a high rate of false positives and negatives, which come with hefty support costs to resolve those vulnerabilities.
- Cost: Keeping pace with securing the growing number of software applications has become cost prohibitive for many organizations. A lack of visibility into vulnerabilities makes it almost impossible to determine the true cost, and costs can also be compounded when managing multiple security providers.
Too often, organizations give up on secure application development based on any of the above roadblocks, and do not take steps to manage the people, budget and time needed to allocate against today’s application security risks. But without proper security measures and technologies in place, a host of problems can result for an organization including:
- Delays and increased risks: Delayed app releases occur with the late discovery of security flaws, or they are released with known risks, putting customers at risk
- Morale suffers: Because of delayed software release cycles, security teams can be seen as an impediment to developer release schedules
- Reputational damage: The cost of damages to brand, shareholder value, customers’ confidence and legal costs are all on the line during a security breach
New approaches in application security that incorporate automation, artificial intelligence technology and human intelligence can deliver more cost-effective, accurate application security testing. Software security that is integrated and automated throughout the Software Lifecycle (SLC) also means that more flaws will be found and fixed earlier, which will save time, money and resources for all involved.
Working this way reduces risk for every software security dollar spent and reduces the likelihood of a costly breach in a systematic and scalable way. On top of that, verified vulnerabilities eliminate false positives, resulting in a reduction of resources. And for the developer organization, increased education leads to more secure coding practices for future projects.
The bottom line? Businesses today need faster and more accurate security vulnerability identification and remediation to improve their ROI for security spending. And implementing the right technologies today will enhance credibility and trust for the customer for the long term. Web application security technology is here to stay, and it makes good business sense.