It is not uncommon for security vendors to release reports outlining the state of security. Verizon does it each year, and their report is seen as the authority on security statistics. Recently, Symantec released their “2015 Internet Security Threat Report” and what caught my eye is how prevalent the issue of application security was in the report. You’d expect a report from an end-point security vendor to focus heavily on malware and phishing – and the report did. However, the report also covered the rise of the branded vulnerability and how crucial application security is to improving overall security.
For example, one statistic highlighted in the report stated, “In 2014, 20 percent (1 in 5) of all vulnerabilities discovered on legitimate websites were considered critical, meaning they could allow attackers to access sensitive data, alter the website’s content, or compromise visitors’ computers”. That is a staggering number of critical vulnerabilities. We’ve found that many enterprises don’t possess full visibility into their entire web perimeter. As a result, many of these vulnerabilities will never be remediated and hackers can use them as the path of least resistance into the enterprise’s infrastructure.
The report also stated that high profile vulnerabilities like Heartbleed and ShellShock were interesting “because not only did they expose flaws in major components of Internet infrastructure, but they highlighted one of the dirty secrets of application development as well: code reuse”. Component reuse is a common practice among programmers as it helps them develop software quickly. The problem isn’t software reuse; it is the lack of visibility into where components are used and which versions are in use. Veracode examined the use of components and the risk they introduce into the organization in a recent webinar with Securosis’ Adrian Lane: https://info.veracode.com/webinar-sans-whats-in-your-software.html
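To make the visibility problem concrete, here is an added example (not code from the post, from Veracode, or from Symantec) that answers the two questions a component inventory has to answer: which versions of each component are deployed where, and which of those deployments fall inside an advisory's affected range. The inventory and the bash advisory record are constructed sample data; the OpenSSL range (1.0.1 through 1.0.1f affected, fixed in 1.0.1g) is the publicly documented Heartbleed range. Real inventories would be fed from build manifests or software composition analysis output rather than a hard-coded dictionary.

```python
"""Component inventory check: which deployed applications bundle a component
version that falls inside a published advisory's affected range."""
import re
from typing import Dict, List, Tuple

# Constructed inventory: application -> {component: version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "customer-portal": {"openssl": "1.0.1e", "bash": "4.2.45", "jquery": "1.11.1"},
    "partner-api": {"openssl": "1.0.1g", "bash": "4.3.30"},
    "intranet-wiki": {"openssl": "0.9.8y", "bash": "4.3.24"},
}

# Advisory records: component -> [(first_affected, first_fixed, label)].
# OpenSSL range is the public Heartbleed range; the bash entry is a placeholder
# range invented for this example, not a real advisory.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "openssl": [("1.0.1", "1.0.1g", "Heartbleed")],
    "bash": [("4.3", "4.3.25", "PLACEHOLDER-bash-advisory")],
}

VersionKey = Tuple[Tuple[int, str], ...]


def parse_version(version: str) -> VersionKey:
    """Turn '1.0.1e' into ((1,''),(0,''),(1,'e')) so that plain tuple
    comparison orders 1.0.1 < 1.0.1e < 1.0.1f < 1.0.1g < 1.0.2."""
    parts = []
    for piece in version.split("."):
        match = re.fullmatch(r"(\d*)([A-Za-z]*)", piece)
        if not match:
            raise ValueError(f"unsupported version component: {piece!r}")
        number, suffix = match.groups()
        parts.append((int(number) if number else 0, suffix.lower()))
    return tuple(parts)


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    key = parse_version(version)
    return parse_version(first_affected) <= key < parse_version(first_fixed)


def components_in_use(inventory: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Answer 'where is this component used and in which versions?':
    component -> version -> sorted list of applications shipping it."""
    usage: Dict[str, Dict[str, List[str]]] = {}
    for app, components in inventory.items():
        for component, version in components.items():
            usage.setdefault(component, {}).setdefault(version, []).append(app)
    for versions in usage.values():
        for apps in versions.values():
            apps.sort()
    return usage


def find_exposures(inventory: Dict[str, Dict[str, str]],
                   advisories: Dict[str, List[Tuple[str, str, str]]]) -> List[Tuple[str, str, str, str]]:
    """Return (app, component, version, advisory_label) for every deployment
    whose component version lies in an advisory's affected range."""
    hits = []
    for app, components in sorted(inventory.items()):
        for component, version in sorted(components.items()):
            for first_affected, first_fixed, label in advisories.get(component, []):
                if is_affected(version, first_affected, first_fixed):
                    hits.append((app, component, version, label))
    return hits


if __name__ == "__main__":
    for component, versions in sorted(components_in_use(INVENTORY).items()):
        print(f"{component}: " + ", ".join(f"{v} -> {apps}" for v, apps in sorted(versions.items())))
    for app, component, version, label in find_exposures(INVENTORY, ADVISORIES):
        print(f"REMEDIATE {app}: {component} {version} is in range for {label}")
```

The ordering key is the part worth getting right: a naive string compare would rank "1.0.1g" below "1.0.1" and silently miss patched or unpatched builds, which is exactly the blind spot the report describes.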
Application vulnerabilities were responsible for 8 high profile breaches in 2014. The following quote from the report sums it up nicely:
“With minor fluctuations from year to year, the trend in the number of vulnerabilities continues upward. Remedies, workarounds, or patches are available for the majority of reported vulnerabilities. However, malware authors know that many people do not apply these updates and so they can exploit well-documented vulnerabilities in their attacks.”
What this tells me is that the need to keep up with the pace of innovation is increasing risk at enterprises all over the world. Symantec is an anti-virus company, yet even their report outlined the risk application vulnerabilities pose to enterprises. The report recommends remedying this problem with a combination of end-point security on all devices and network security. It is clear that securing the network layer and end-points is no longer enough. Enterprises need to scale their application security programs to meet the growing demand for applications; otherwise the infographic for 2015 breaches will span several pages instead of just one.