The Change We Need In The AppSec Badlands: My 2019 Predictions
16th January 2019
2018 has been a mammoth year for cybersecurity professionals. Despite the warnings to take security more seriously, the constant press surrounding nurturing more security industry talent and general attempts at making organizations more cyber-aware, we are left staring at the smoking craters left behind by hundreds of cyberattacks, representing large-scale data breaches and consumer mistrust in some very well-known household names. In the first half of 2018 alone, 4.5 billion data records were compromised in 945 separate incidents.
I’ve said it before, many times: we can do better. However, the real battle we face isn’t against script kiddies, dangerous organized cybercrime syndicates, or mysterious hoodie-clad figures typing away on laptops - the fight lies in getting more people to care that these breaches are happening at all.
GDPR compliance is a good start, but it won’t have a huge short-term effect.
The European Union’s General Data Protection Regulation (GDPR) laws are now in full swing; a looming threat over organizations who don’t take data protection seriously. With huge fines applying for those found to be non-compliant, this was meant to act as a kick in the backside for companies to tighten their security practices, treat customer data with more respect and come up with a strategy to mitigate against cyberattacks.
Some organizations have been warned of huge fines to come, but we are yet to see true fallout as a result of failure to comply with GDPR. No bankrupting penalties, just a whole lot of pop-ups to click through for us web users. This is in part because legal processes take a lot of time, with a lot of opportunities to appeal - any companies that may have been made an example of are likely engaged in a months-, or years-long, legal battle. Capping a nightmare year, Facebook recently reported another data breach: an API bug exposing the private photos of 6.8 million users to 1500 unauthorized applications. It was found and patched within two weeks, yet data protection agencies and the public were only made aware of the violation months later. GDPR laws require notification of a breach within 72 hours, so it raises a lot of questions on just how influential and effective these laws really are at present.
And of course, breaches elsewhere have not stopped: November’s Marriott breach revealed a whopping 500 million data records were compromised, and, perhaps even more concerning, that the attackers had accessed their systems for four years before being discovered. It should be noted, however, that Marriott seems to be engaging in some damage-control: they’ve offered victims a free 12-month subscription to WebWatcher, a credit monitoring tool… but with 500 million records for hackers to sift through, it does remain to be seen whether one year will be enough time to monitor anything meaningful for most; it may be some years before your data is highlighted for unscrupulous use, after all.
Long-term, regulations like GDPR will drive positive change if they are enforced. When companies are hit with a significant financial penalty (or, indeed, class action lawsuits from customers whose data has been compromised) or profit downturn on a long enough scale, I believe we will see a frenetic focus on fortifying online databases from most companies.
Financial institutions will continue leading the way in short-term positive change.
It may not come as much of a surprise that financial institutions - as the gatekeepers of the world’s hard-earned cash - have some of the most stringent cybersecurity best practice policies, as well as end-to-end processes for reducing their risk.
A significant driver of this compliance comes from the PCI Security Standards Council, who remain committed to helping financial organizations implement viable security policy and uphold guidelines in all areas. They have been a force for good in helping this vertical achieve among the highest standards of security in payment software.
So, what are financial institutions doing differently to others? In my experience, they are generally more security-aware, dedicating resources to holistic training programs for not just AppSec professionals and pen-testers, but also their (typically very large and globally scattered) development teams. They ensure that top-level decision-makers understand that security processes are not ‘set and forget’ measures; they must evolve as rapidly as the technology being used and adapt to variable risks.
More organizations will transform their security pipeline.
Compared to other branches of IT, AppSec is relatively young. It’s hard being the new kid: you’re easily misunderstood and may not have formed the key relationships you need just yet. However, I believe with each passing year, it is getting easier for AppSec to find its place in even the most antiquated organizations that are resistant to change.
It has become more apparent that companies cannot make security compliance a final, last-minute step in their software processes. There must be checks and measures from point-to-point, with more concentration on aggregating data and providing more visibility to the executive levels of the business. Without this, security will remain out of sight, out of mind for most. And in that scenario, it is virtually impossible to gather the resources needed to plan for risk.
The good news is, more organizations than ever are spotting their own cyberattacks and working to fix them. The bad news? That process is taking an average of eighty-five days.
Pen-testing tools and manual code review are arduous, expensive and slow in a time when rapid innovation and feature production is a must in the technology sphere. Security awareness must carry through from the beginning: from the moment a developer writes the code in the first place.
Our industry will recognize the main problem: We need people to care more.
Here’s the thing: I could conservatively count twenty people in my network who have stayed in a Marriott hotel at some point in the last four years. With 500 million records stolen over that time, there is a good chance their data was part of that theft. Everything from current contact information, still-valid credit card numbers and passport information could be for sale right now on the dark web. However, their care factor was basically zero.
And, well, it’s easy to be complacent when in such a large-scale data heist, you’re essentially a needle in a haystack.
The real problem, though? The companies that have failed to keep their own customers’ data safe face very little in the way of repercussions. Does their stock price take a hit immediately following the incident? You bet it does. Target, Equifax and now Marriott could all attest to that. However, a twelve-month overview shows the bounce back to normal is fairly swift. A couple of years later, and financially, all is forgiven.
Until there are serious repercussions: huge fines, tighter regulations and significant loss of business, AppSec will be an industry that must constantly fight to convey the severity of the growing cyber risks to which a company is exposed.
I fear it will get much worse before it gets better, so it is of utmost importance that we work to build security-aware developers and robust security cultures on the front lines of an organization’s tech teams. Keep it front-of-mind, and keep striving for a higher standard of software security.