
Why in 2016 Software Security is as Big of a Deal as Ever

Sep 06, 2016 By Kevin Beaver

Year after year, new studies come out from popular vendors and research institutions underscoring that we have quite a ways to go with this thing we call security. Outside of the malware threat that grows a bit more complicated each year, the studies show that we continue to miss the bar in terms of protecting critical systems and sensitive information assets. In a nutshell, we’re missing the basics: the flaws that we already know about and have solutions for, but haven’t yet found the time or political backing to resolve. Read why in 2016 software security, even basic application security, is still as important as ever.

2016 Software Security Weaknesses:

In terms of software and application security, numerous issues are widespread in any given network environment. Such weaknesses include:

  • SQL injection that provides direct connectivity into the database
  • Weak passwords and password enforcement mechanisms that facilitate password cracking and unauthorized access
  • Local file inclusion that allows attackers to access local system files
  • Cross-site scripting that allows attackers to glean information from application users
  • Buffer overflows that facilitate remote shell access or denial of service
  • Default and test files left lying around on servers that contain vulnerable/exploitable code
  • User session management weaknesses that allow attackers to take over user login sessions

In many cases, these issues are uncovered through vulnerability scanning, penetration testing, or source code analysis. However, in a lot of instances, people have yet to acknowledge the problems. Ignorance is bliss, but only until you get breached. At that point, you’re forced to find and fix the issues that should have already been addressed.

When you combine these challenges with the lack of security knowledge on the part of many developers and QA professionals, it’s a recipe for a breach and lawyer involvement, not to mention subsequent investigations and ramped up audits. None of that is fun, or cheap. Why not spend your time, money, and efforts on preventative security instead? Take a look at your Web applications, mobile apps, and client/server programs. Even those seemingly innocuous marketing websites and content management systems have flaws that can leave deep scars if used against you.


Test now. Test ongoing. Most importantly, be persistent in your efforts.


To read Kevin Beaver’s “Common Oversights in Mobile App Security” click here.


Kevin Beaver

Information Security Consultant at Principle Logic, LLC
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 27 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security, including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached via his website at principlelogic.com, and you can also connect with him on Twitter and on YouTube.
