How Companies Can Stop Failing At Security

Cybersecurity has been one of the fastest growing components of the technology sector over the past five years as more companies find themselves under threat.

In its “21st Annual Global CEO Survey,” PwC found that cyberthreats have risen to the top of concerns for leadership, outstripping over-regulation as an issue facing their businesses. This comes as the number of breaches rose by 27.4 percent in 2017, as reported by a joint study from Accenture and the Ponemon Institute, costing targeted companies an average of $2.4 million when attacked by hackers.

In response to these concerns, the market has responded with a massive spurt of companies looking to offer solutions to hot button threats such as ransomware, phishing, breaches and application security. At the end of 2017, Gartner put out a report stating that the industry had reached a market cap of some $86.4 billion, and was expecting growth of 7 percent in 2018. Forecasts into 2020 and beyond have given the sector—and the venture capitalists backing cybersecurity companies—plenty to celebrate.

However, even as leaders in the security sector are developing defenses to high-level threats such as zero-days and advanced persistent threats (APTs) moving through the network, is the industry doing enough to defend against the low-hanging fruit that leads to many of the most common breaches? In short, is the capital being raised to support these cybercompanies, and the budgets customers spend on these solutions, really going where it needs to go to keep us protected?

Why Does Maintaining Security Seem So Hard To Do Right?

One of the first questions that comes to mind when thinking about how security failures occur is why they continue to happen so frequently through basic mistakes, when the tools and practices for working more securely are readily available and well known.

If companies are buying these advanced security products, why are there still so many breaches?

For starters, even as organizations know that security is important and many of them are putting money into being more secure, it is not their first priority.

“Even as a security business, security isn’t the most important thing. Making sales, keeping my customers happy, raising money, all those things have come before security,” said Georgia Weidman, founder and CTO of penetration testing and mobile security testing firm Shevirah.

Weidman comes from the security community, with a background at a three-letter agency and years as a top pentester. However, when getting a business off the ground and products out the door, it can be difficult to keep to the security practices that even a professional like her knows she should be holding to. This pressure to keep the lights on can lead to a lag in keeping an up-to-date inventory of what she is using in her products and in addressing vulnerabilities, she said.

“It can be tough to deal with many common mistakes that can pop up in an organization,” she said, noting that, “As a security person, how did I allow this sort of disaster to occur? But I can totally see how people do now.”

One of the issues that she points to as making security more difficult to maintain is that, as a company grows, it can be difficult to oversee all aspects of the IT and product development. New employees have different levels of experience, and each department has their own priorities. Getting everyone to maintain the same standards can feel like herding cats.

Product development often feels the brunt of this friction as engineering and security interests are not always aligned. The battle over security versus getting the product out the door can lead to tension within an organization, Weidman said. “It’s definitely a problem on peace and harmony within the company.”

“Engineers, they want to build stuff. They want to fix stuff. They want to do stuff with the products,” she said. “I don’t think your average developer at a company or somebody in the engineering department is actively trying to make security mistakes in their code. But they’ve learned at school to get the program to run and then you get an A.”

At the same time, “The security people, as a general rule, can’t really stand over everybody’s shoulder all the time.”

There are also pressures coming from the business side of the organization that Weidman said can keep vulnerabilities unaddressed. “From the business perspective, I think in a lot of cases they’re fixing something that to them doesn’t look broken. It’s like, well, it works. So what’s the problem? You know, it can kind of take a backseat.

“There is the sense that they can get away with not addressing security issues, telling themselves that, ‘We could be sold to a bigger company and be millionaires by the time anybody catches up on this,’” she added.

Effectively Focusing on the Most Pressing Threats to Security

Recognizing the difficulties in working securely within an organization, Weidman believes some of the priorities regarding where to focus security efforts have been misplaced.

During her recent talk at AppSec Europe, she argued that instead of attempting to stop many of the nation-state-level attacks that catch headlines, organizations should look to prevent attacks from phishing and known vulnerabilities. “We’re still not getting the basics right,” she said.

As a pentester, she goes after known vulnerabilities first, noting that she can “pop them real fast.”

When attempting to breach an application, hackers turn to the OWASP Top 10, which includes a warning against using components with known vulnerabilities. Especially in the case of open source components, which can be used in thousands of products, a single known vulnerability can allow hackers to exploit multiple targets.

Thankfully, Weidman said, developers working with open source are making a good faith and intensive effort to take security more seriously.

Speaking of her recent experience at the AppSec EU conference, “Being more from the hacker world, I was really surprised just how passionate these people were about their open source web security and making sure developers knew how to develop well.”

Management Leading the Way Forward

Ensuring secure practices is a management decision that needs to be promoted within an organization, Weidman said, noting that one important step is to keep an up-to-date inventory of which components developers are using.

This is an essential aspect of security that can often get overlooked in fast-paced development environments such as teams working under a DevOps model, where engineering will simply go to resources such as GitHub to pull open source components that help them work faster and more efficiently. Unfortunately, if these teams are not using an automated solution to know which components they have, they will be unable to track which components have known vulnerabilities and can be used by hackers to exploit their products.

Possibly the most well-known case of a lack of visibility over which components contain vulnerabilities was the Equifax hack. The attackers breached the company’s web application through a vulnerable version of the open source component Apache Struts 2, a vulnerability that had been disclosed to the public months before. However, since the company was reportedly unaware that it was using the vulnerable component, it fell victim after failing to apply the patch.
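The inventory check the two paragraphs above call for, as an added example that is not from the article or from any vendor's product: a lock-file style component list is matched against an advisory feed with affected version ranges, so a vulnerable component like the Struts case is flagged before it is shipped. Every component version, advisory id and affected range below is a constructed placeholder, not real advisory data.

```python
# Added example, not from the article: flag inventoried components whose
# version falls inside an advisory's affected range. All names, versions
# and advisory ids below are constructed placeholders.
import re

# Constructed inventory in lock-file style, one "name==version" per line.
INVENTORY = """\
org.apache.struts:struts2-core==2.3.20
com.example:left-pad==1.0.3
org.example:json-parser==3.1.0
"""

# Constructed advisories: the affected range uses comma as AND.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "org.apache.struts:struts2-core",
     "affected": ">=2.3.5,<2.3.32", "fixed": "2.3.32"},
    {"id": "ADV-PLACEHOLDER-2", "component": "org.example:json-parser",
     "affected": "<3.0.0", "fixed": "3.0.0"},
]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def parse_version(text):
    """'2.3.20' -> (2, 3, 20, 0); zero padding makes '2.3' equal '2.3.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def in_range(version, spec):
    """True if version satisfies every comma-separated constraint in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError("bad constraint: %r" % clause)
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def parse_inventory(text):
    """Lock-file style 'name==version' lines -> {name: version}."""
    return dict(line.split("==", 1) for line in text.splitlines() if line.strip())

def find_vulnerable(inventory, advisories):
    """Return (component, version, advisory id, fixed version) for each hit."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["component"])
        if version and in_range(version, adv["affected"]):
            hits.append((adv["component"], version, adv["id"], adv["fixed"]))
    return hits
```

Running `find_vulnerable(parse_inventory(INVENTORY), ADVISORIES)` flags only the Struts entry; a real deployment would feed it the build's actual lock file and a maintained advisory source.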

Adopting security technologies is one important step in the right direction, but it needs to be followed up with teaching developers how to work more securely. Weidman believes that organizations should be sending their developers out for training on how to code more securely.

“Most of the developers that I know who are not like specifically security developers are not even thinking about it. They just want to get the thing running,” she said. “Hopefully that’s changing somewhat in our current climate.”

Gabriel Avner


Gabriel is a former journalist who loves learning and writing about the cat and mouse game of security. These days he writes for WhiteSource about the issues impacting open source security and license management and training Brazilian Jiu-Jitsu.
