It is almost impossible to comprehend why application security isn’t getting more attention. In 2014 alone, there were eight major breaches through the application layer, resulting in more than 450 million personal or financial records stolen. And we aren’t talking about small breaches at companies no one has heard of. Target, JPMorgan Chase, Community Health and TalkTalk are four examples of companies that have suffered breaches due to vulnerabilities in software.
With such high-profile breaches, you would think more people would be paying attention. But that’s not the case. Why? I’m not even asking why application security isn’t given priority at enterprises – though considering that these breaches are damaging businesses, it should be. No, I’m wondering why application security isn’t talked about more often.
When I’m at business functions or even social gatherings, I hear a lot of talk about the Internet of Things and cyberwar and attacks on critical infrastructure. The mainstream media regularly discusses and analyzes all of these topics. Comments on how we can protect ourselves from foreign cyberattackers or cybercriminals dominate these discussions. But these discussions almost never touch upon how the attackers are succeeding.
More often than not, vulnerable software plays a major role in the breach. Yet our attention is on the politics of the issue, not on the technology. I think it is because the average person understands the politics and the dangers of the breach, but often can’t talk about the “how” of the breach. Every time there is a breach, the media and our politicians focus on what was stolen, who committed the crime and what our response should be. As a result, the media also focuses on the “why” and the “who,” perpetuating the trend. The only way we can really stop these breaches is to shift the focus to how they happen and how they can be prevented. And that’s why application security doesn’t get enough attention. The news focuses on the story, which is the breach, not on the solution, which is application security.
It’s time we acknowledge the critical role software plays in our everyday lives, and then recognize that vulnerable software is the reason for many, if not most, breaches. Once businesses, and society as a whole, accept these facts, we can start talking about how we prevent breaches, rather than simply responding to them.