Sam King, CA Veracode's EVP of Corporate Development, recently gave a webinar titled Disclosures 2012: The Vulnerability of Publicly Traded Companies. The webinar used CA Veracode's Study of Software Related Cybersecurity Risks in Public Companies, a featured supplement to the State of Software Security Report. In the webinar, Sam examined risk management and disclosure practices for public companies dealing with security weaknesses at the software and application layer.
At the end of the webinar Sam opened the floor for questions from the audience. We have highlighted a few of these questions below. Stay tuned for a follow-up "Part 2" post later in the week!
Q: Are these American companies only, or are there international companies as well?
King: The data set includes both US and non-US companies. The majority of these companies are US-based.
Q: Don’t many of these public companies depend on services like Gartner and others for gauging the risks they might be facing?
King: They do. Companies try to get smart on the topic of security in general and on the topic of application security specifically by reaching out to authorities in the space and industry experts such as Gartner, Forrester, the 451 Group, and a bunch of other analyst firms that cover this particular area. What is lacking is looking at things like what percentage of applications have vulnerabilities like SQL Injection or Cross-site Scripting, or how many SQL injection vulnerabilities per MB of code a company can expect to see if they don’t pay their developers at all. If I do pay my developers, how quickly can I expect to see these vulnerabilities go away? What we’ve been lacking is quantitative information that helps inform the debate around application security and increase awareness about application security. That is what we are trying to fulfill by means of our State of Software Security reports. We want to take this data and use it to shape the conversation around application security so that our attention gets focused on the right things and our investments get made in the right areas.
Q: What is the most common hack that actually results in a data breach or loss of data for a public company?
King: The data that we have shared in this report is talking about the latest vulnerabilities that exist in software applications. According to the Web Hacking Incident Database, the number two root cause is SQL injection. After SQL injection is denial of service, and then you really start to see a tapering off of the types of issues that are causing these breaches. You see in very small percentages things like banking Trojans, brute force attacks, and more. Data from www.datalossdb.org shows a similar picture. Web is at 9%, which is a significant piece of that pie, and hacks, which could be either configuration issues or vulnerabilities in software applications, are at 32%. Together, at 41%, they compose a pretty big chunk of this pie chart that is caused by (or could be caused by) some weakness in your applications. That’s really telling you that if you are interested in preventing breaches, protecting data, or data loss prevention (DLP), one of the best ways to protect that data is to go secure the applications that touch that data and provide a pathway to that data.
Q: What are the financial implications if SEC filings are poorly worded? Other than investor confidence, are there any penalties that the SEC is issuing?
King: Right now this is guidance rather than something mandatory that has to be followed. Where the financial penalties come in is what you end up paying in terms of breach cost if a breach happens to occur, and other fines that might get levied against you if you are subject to, for example, PCI. The other thing that you have to consider beyond fines and penalties is other types of downstream activities that you may have to engage in if a breach occurs. There is a precedent set by the FTC where they will file lawsuits on behalf of consumers when companies have lost consumer data as a result of these types of infrastructure weaknesses. Again, that is public information – if you go to www.ftc.gov you can actually see a listing of all the different lawsuits that the FTC has brought against companies. In certain instances, there are explicit descriptions that say things like “there was a SQL injection vulnerability in a web-facing application that led to the compromise of thousands of records and poses a problem for consumers.” When you see the language get so specific in these lawsuits, it means there is a great risk that if you are not preventing these vulnerabilities from occurring in your application, you open yourself up to having these types of lawsuits filed against you.