In the past I’ve asked “Why Appsec?” and then answered my own question – “Because Application-Layer Breaches ARE Damaging Businesses”. We are seeing more breaches due to application-layer attacks than ever before – according to research done by the Department of Homeland Security, 90 percent of security incidents are the result of exploits against applications. Yet somehow 3 out of 4 applications produced by software vendors fail to comply with the OWASP Top 10 when first assessed, and 63% of internally developed applications are out of compliance with the OWASP Top 10 when first assessed.
Application security simply does not get the attention it deserves. And even when a security team or company realizes it needs application security, the company often puts off starting a program. There just doesn’t seem to be any urgency around the issue, despite recognition that the growing dependence on applications, coupled with the fact that companies have locked down the other areas of their infrastructure, makes applications a prime target for cybercriminals.
We need a stronger sense of urgency around this issue. As Chris Wysopal recently stated:
“Like a rapidly growing city, we’ve built our applications quickly and without regard for the fact they exist in a hostile environment. Every application that holds valuable data will be attacked, just like every car will drive on a slippery road and every person will be exposed to pathogens. We have to stop pretending we can keep the bad guys from attacking the code that protects our data. Applications run our critical infrastructure and our businesses, and as such they are a primary target for those looking to infiltrate businesses, critical infrastructure, personal devices and federal systems.”
How do we get after this monster problem? To start, you can create an application security program. Another way is to combat the vulnerabilities at their source. Vulnerabilities come from a variety of sources, but where a given vulnerability came from matters less than how you go about making sure these vulnerabilities are not damaging your business.
Check out this eBook on “Combatting the Top 4 Sources of Vulnerabilities”. It provides information on where vulnerabilities come from, as well as how you can quickly reduce risk by combatting vulnerabilities at the source.