A Lack Of Security Training Contributes To Growing Vulnerability Numbers
The number of vulnerabilities that exist in production software is growing rapidly. In 2019 alone, over 22,000 new vulnerabilities were discovered and publicly reported. Of these vulnerabilities, over a third have a proof of concept or exploit code available. This means that every day in 2019, twenty new vulnerabilities were discovered that could have easily been exploited by cybercriminals.
These vulnerabilities affected a wide variety of different products in a number of different ways. However, many of them boil down to the same mistakes being made over and over again. In fact, 40% of cyberattacks against large enterprises in Europe and North America used a single attack vector: cross-site scripting.
Most application vulnerabilities boil down to a well-known and well-understood programming error. A major reason that these vulnerabilities are still so common and impactful is a lack of security education for the people that need it most.
Over two-thirds of developers and IT professionals say that their organizations do not offer adequate training on application security. Secure coding — which involves working to develop code without these built-in weaknesses — requires an understanding of the types of errors that can place an application at risk.
Applications Can Have A Wide Range Of Vulnerabilities
Software is written by humans, and humans can make mistakes. As a result, applications have design and programming errors and other bugs. Some of these bugs can be used by an attacker to impact the security of the application and its users, making them vulnerabilities.
One of the main problems with secure coding is that there are many different ways for a program to be vulnerable. Some of the most common issues that arise in applications include:
- Buffer overflows: Buffer overflow vulnerabilities arise from a failure to (Read more...)
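The buffer overflow named above, shown as a small added example (not code from the original post): an unchecked copy into a fixed-size field beside a hardened version that measures the input, rejects anything that cannot fit with its terminator, and copies with an explicit bound. The struct, field names and the 16-byte size are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L  /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* constructed fixed-size destination buffer */

/* Constructed record: 'is_admin' sits right after 'name' in memory, so an
 * overflow of 'name' silently overwrites it. */
struct user {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable pattern: strcpy() copies until the source NUL regardless of the
 * destination size, so any input of NAME_LEN bytes or more overruns 'name'. */
void set_name_unchecked(struct user *u, const char *input)
{
    strcpy(u->name, input);  /* no length check at all */
}

/* Hardened version: bound the length measurement, reject input that does not
 * fit together with its terminator, then copy exactly that many bytes.
 * Returns 0 on success, -1 when the input is rejected (buffer untouched). */
int set_name(struct user *u, const char *input)
{
    size_t n = strnlen(input, NAME_LEN);  /* never reads past NAME_LEN */
    if (n >= NAME_LEN)                    /* NAME_LEN - 1 chars + NUL max */
        return -1;
    memcpy(u->name, input, n);
    u->name[n] = '\0';
    return 0;
}

int main(void)
{
    struct user u = { "", 0 };
    printf("short name accepted: %d\n", set_name(&u, "alice") == 0);
    /* 16 characters: too long for a 16-byte buffer that also needs a NUL */
    printf("oversized name rejected: %d\n",
           set_name(&u, "0123456789abcdef") == -1);
    printf("is_admin still 0: %d\n", u.is_admin == 0);
    return 0;
}
```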
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/kTgVpzeB1lM/