Early this morning we released our annual State of Software Security Report (SoSS). The report includes the latest research on software vulnerability trends as well as predictions on how these flaws could be exploited if left unaddressed and what this may mean for organizations’ security professionals.
- Average CISO Tenure Continues to Decline: The expansive threat profile associated with software means the likelihood of CISOs being negatively affected by a high-impact security event has never been greater.
- The Rise of the Everyday Hacker: A simple Google search for “SQL injection hack” provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities. The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw.
- Decreased Job Satisfaction/Higher Turnover for Security Professionals: Companies face a seemingly ever-expanding threat profile brought on by new applications and application updates containing easy-to-exploit flaws such as SQL injection (26% of all 2012 reported breaches, according to Trustwave). This creates a very frustrating work environment for security professionals.
- Default Encryption, Not "Opt-in," Will Become the Norm in Mobile: There is a staggering amount of transmitted data at risk, considering the growth of open (i.e. easy to eavesdrop) Wi-Fi networks in combination with the number of social network users (Facebook 1.2B; Twitter 190M tweets/day) and the number of mobile devices.
But this insight into a daunting landscape also provides opportunity. Each of our predictions is accompanied by recommendations on how to tackle these challenging trends. (Find them in the full report!) With deliberate strategies to remediate coding flaws, improve SDLC processes and protect your valuable data, we can alter the course we're on and change the future. We want the readers of this report to leverage the data to build a business case for an application security program at their organization.
"As you read this report I urge you to consider your organization’s application portfolio and how you currently make decisions about the risks your organization is willing to take. The amount of risk an organization takes should be a strategic business decision—not the aftermath of a particular development project." - Chris Wysopal