The forgotten human factor driving web application security flaws
The forgotten human factor driving web application security flaws
![](https://cdn.prod.website-files.com/5fec9210c1841a6c20c6ce81/6022b762692b4e37915c271b_5fed018cffc6555b13e69a73_ReadingNotePad.webp)
![](https://cdn.prod.website-files.com/5fec9210c1841a6c20c6ce81/6022b762692b4e37915c271b_5fed018cffc6555b13e69a73_ReadingNotePad.webp)
The 2018 Verizon Data Breach Investigations Report is once again a great read that keeps us up to date on cybersecurity, including current cybercrime trends and incident drivers, analysis and insight that can help organizations mature their security program. This year the Verizon investigators analyzed more than 53,000 incidents and 2,200-odd breaches, and there are many tangible takeaways about what to watch out for and what not to do, as well as valuable recommendations on where to focus security efforts. The 2018 report feels like it has evolved with the times, relevant to a wider business audience as security impacts spread, and is increasingly recognised as a mainstream business problem.
Among many interesting findings, the 2018 report verifies that most hacks still happen through breaches of web applications (there's even a cool interactive chart that shows this).
Web application attacks consist of any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. It is notable that the number of breaches in this pattern is reduced due to the filtering of botnet-related attacks on web applications using credentials stolen from customer-owned devices. Use of stolen credentials is still the top variety of hacking in breaches involving web applications, followed by SQLi (more on SQL later...).
One theme that stands out in this year's report is how critical the "human factor" is in the security equation, both as part of the problem and the solution. The report deals with both external and internal actors, reporting that errors were at the heart of almost one in five (17%) breaches. Breaches occurred when employees failed to shred confidential information, when they sent an email to the wrong person and when web servers were misconfigured. The report points out that while none of these were deliberately ill-intentioned, they could all still prove costly.
But there's an often forgotten human factor that is causing many security breaches and that is the high frequency of developers creating code that contains security flaws, which lead to web application vulnerabilities, which in turn result in these incidents and breaches.
Application testing over the past 5 years has not shown much improvement in the number of vulnerabilities found and the same old flaws keep coming up time and time again. A 2017 Veracode report based on 400,000 application scans, shows applications passed OWASP Top 10 policy only 30% of the time. Astonishingly, SQL injections appeared in almost one in three newly scanned applications over the past 5 years, including last year.I say astonishing because SQL injections have been around since 1999. The fact that the same flaws, including SQL injections, are consistently found, is evidence that this "human factor" problem among developers is not being adequately addressed.
It is at this point that I need to stand up and shout that I am on the developers side of this argument. How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
That's what we do at Secure Code Warrior and we are seeing strong evidence that companies who build hands-on secure code training into their developers'daily lives are reducing the number of web application vulnerabilities created. For developers to write secure code, they need regular access to hands-on learning that actively engages them to build their secure coding skills. They need to learn about recently identified vulnerabilities, in real code, and specifically in their own languages/frameworks. This learning experience should help them understand how to locate, identify and fix known vulnerabilities. Developers also need a quality toolset in their process that makes security easy, does not slow them down and guides them in real time about good and bad coding patterns.
This is how we can make a tangible and positive difference to the number of web application breaches.
I am in violent agreement with Verizon that there is a need to increase security awareness training company-wide. My P.S. on this to CIOs and CISOs is "don't forget your developers!". These architects of your modern businesses can be one significant "human factor" who routinely generate access points for hackers, or they can be your first line of defense, your security heroes.
Effective security upskilling for developers could make a real difference to the outcomes reported by Verizon in future reports. It would be nice to see the 2019 report reflect developer security training as a key risk reduction strategy that companies can take. I'm an optimist, but I'd bet my house that if companies got their developers to learn how to avoid creating injection flaws, the number of web application vulnerabilities in this report would drop significantly.
Take a look at our platform in action to see how developers can upskill fast in an ideal, gamified training environment:
Play a secure coding challenge
Visit our free learning resources
How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
Resources to get you started
Trust Agent by Secure Code Warrior
Discover SCW Trust Agent, an innovative solution designed to enhance security by aligning developer secure code knowledge and skills with the work they commit. It provides comprehensive visibility and controls across an organization's entire code repository, analyzing each commit against developers' secure code profiles. With SCW Trust Agent, organizations can strengthen their security posture, optimize development lifecycles, and scale developer-driven security.
Resources to get you started
Women in Security are Winning: How the AWSN is Setting Up a New Generation of Security Superwomen
Secure-by-Design is the latest initiative on everyone’s lips, and the Australian government, collaborating with CISA at the highest levels of global governance, is guiding a higher standard of software quality and security from vendors.
Women in Security are Winning: How the AWSN is Setting Up a New Generation of Security Superwomen
Secure-by-Design is the latest initiative on everyone’s lips, and the Australian government, collaborating with CISA at the highest levels of global governance, is guiding a higher standard of software quality and security from vendors.
SCW Trust Agent - Visibility and Control to Scale Developer Driven Security
SCW Trust Agent, introduced by Secure Code Warrior, offers security leaders the visibility and control needed to scale developer-driven security within organizations. By connecting to code repositories, it assesses code commit metadata, inspects developers, programming languages used, and shipment timestamps to determine developers' security knowledge.
The forgotten human factor driving web application security flaws
![](https://cdn.prod.website-files.com/5fec9210c1841a6c20c6ce81/6022b762692b4e37915c271b_5fed018cffc6555b13e69a73_ReadingNotePad.webp)
The 2018 Verizon Data Breach Investigations Report is once again a great read that keeps us up to date on cybersecurity, including current cybercrime trends and incident drivers, analysis and insight that can help organizations mature their security program. This year the Verizon investigators analyzed more than 53,000 incidents and 2,200-odd breaches, and there are many tangible takeaways about what to watch out for and what not to do, as well as valuable recommendations on where to focus security efforts. The 2018 report feels like it has evolved with the times, relevant to a wider business audience as security impacts spread, and is increasingly recognised as a mainstream business problem.
Among many interesting findings, the 2018 report verifies that most hacks still happen through breaches of web applications (there's even a cool interactive chart that shows this).
Web application attacks consist of any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. It is notable that the number of breaches in this pattern is reduced due to the filtering of botnet-related attacks on web applications using credentials stolen from customer-owned devices. Use of stolen credentials is still the top variety of hacking in breaches involving web applications, followed by SQLi (more on SQL later...).
One theme that stands out in this year's report is how critical the "human factor" is in the security equation, both as part of the problem and the solution. The report deals with both external and internal actors, reporting that errors were at the heart of almost one in five (17%) breaches. Breaches occurred when employees failed to shred confidential information, when they sent an email to the wrong person and when web servers were misconfigured. The report points out that while none of these were deliberately ill-intentioned, they could all still prove costly.
But there's an often forgotten human factor that is causing many security breaches and that is the high frequency of developers creating code that contains security flaws, which lead to web application vulnerabilities, which in turn result in these incidents and breaches.
Application testing over the past 5 years has not shown much improvement in the number of vulnerabilities found and the same old flaws keep coming up time and time again. A 2017 Veracode report based on 400,000 application scans, shows applications passed OWASP Top 10 policy only 30% of the time. Astonishingly, SQL injections appeared in almost one in three newly scanned applications over the past 5 years, including last year.I say astonishing because SQL injections have been around since 1999. The fact that the same flaws, including SQL injections, are consistently found, is evidence that this "human factor" problem among developers is not being adequately addressed.
It is at this point that I need to stand up and shout that I am on the developers side of this argument. How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
That's what we do at Secure Code Warrior and we are seeing strong evidence that companies who build hands-on secure code training into their developers'daily lives are reducing the number of web application vulnerabilities created. For developers to write secure code, they need regular access to hands-on learning that actively engages them to build their secure coding skills. They need to learn about recently identified vulnerabilities, in real code, and specifically in their own languages/frameworks. This learning experience should help them understand how to locate, identify and fix known vulnerabilities. Developers also need a quality toolset in their process that makes security easy, does not slow them down and guides them in real time about good and bad coding patterns.
This is how we can make a tangible and positive difference to the number of web application breaches.
I am in violent agreement with Verizon that there is a need to increase security awareness training company-wide. My P.S. on this to CIOs and CISOs is "don't forget your developers!". These architects of your modern businesses can be one significant "human factor" who routinely generate access points for hackers, or they can be your first line of defense, your security heroes.
Effective security upskilling for developers could make a real difference to the outcomes reported by Verizon in future reports. It would be nice to see the 2019 report reflect developer security training as a key risk reduction strategy that companies can take. I'm an optimist, but I'd bet my house that if companies got their developers to learn how to avoid creating injection flaws, the number of web application vulnerabilities in this report would drop significantly.
Take a look at our platform in action to see how developers can upskill fast in an ideal, gamified training environment:
Play a secure coding challenge
Visit our free learning resources
How are developers supposed to write secure code if nobody ever teaches them about why it's important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
Resources to get you started
Women in Security are Winning: How the AWSN is Setting Up a New Generation of Security Superwomen
Secure-by-Design is the latest initiative on everyone’s lips, and the Australian government, collaborating with CISA at the highest levels of global governance, is guiding a higher standard of software quality and security from vendors.
SCW Trust Agent - Visibility and Control to Scale Developer Driven Security
SCW Trust Agent, introduced by Secure Code Warrior, offers security leaders the visibility and control needed to scale developer-driven security within organizations. By connecting to code repositories, it assesses code commit metadata, inspects developers, programming languages used, and shipment timestamps to determine developers' security knowledge.
Trust Agent by Secure Code Warrior
Discover SCW Trust Agent, an innovative solution designed to enhance security by aligning developer secure code knowledge and skills with the work they commit. It provides comprehensive visibility and controls across an organization's entire code repository, analyzing each commit against developers' secure code profiles. With SCW Trust Agent, organizations can strengthen their security posture, optimize development lifecycles, and scale developer-driven security.