Concerning the latest data breaches on record, this past May was rather noteworthy. A host of organizations from around the world announced in fact, that they had experienced a data breach. From online retailers, travel booking sites, and high-tech startups, to social sharing sites, healthcare billing firms, and even title insurance companies, the long list of victims just got longer. Although there are many ways that organizations get breached, the end result is always the same. Consumers are negatively impacted, organizations lose their customer’s confidence, costly investigations take place, fines are possibly imposed, and attackers just found a way to fund their next operation. This endemic dilemma should have everyone asking, “What is it going to take to eliminate the root cause of this problem?”
Breaches come in all shapes and sizes, yet their causes usually come from a small number of different influences. For example, the simplest form of a breach is caused by losing the data. Most would be surprised by the number of lost or stolen laptops, smartphones, storage devices, and other pieces of media occurring throughout the world on a daily basis. The statistics are somewhat shocking. However, is this the primary cause of data breaches? Unfortunately, it’s not.
The second easiest way to gain access to private data has to do with stumbling across overlooked databases that unintendedly found their way to their internet, likely due to human oversight. In fact, some of the recorded data breaches have been caused by someone leaving a database wide open to the masses, and to attackers the like. However, this error is also not the primary cause of most data breaches observed today.
The loss of devices and the case of databases being left open to the public are simply experienced as part of the “human element”. Meaning that no many how times humans are told, trained, instructed, cautioned, warned, etc., these errors will continue to be made. Everyone agrees, humans are simply prone to making errors, no matter how easy it would be to avoid them. However, there is a primary cause of data breaches today that could be avoided altogether and by doing one simple thing – build more-secure software.
From the breaches mentioned in the first paragraph, in this case, none of them were due to someone losing a laptop, or from somebody forgetting that a database was left wide open to the internet. These types of errors don’t normally lead to mega-breaches, they’re somewhat uncommon, and no matter how many times people are warned, they will likely continue to happen. Instead, every breach mentioned herein was likely the result of an attacker exploiting a software vulnerability in a piece of code itself, or how that code was implemented.
There is no doubt that software developers (who happen to be human) will continue to make coding errors that lead to exploitable vulnerabilities within the code they develop. Although some believe it’s simply due to untrained or uncaring developers, it’s actually due to a nearly-immeasurable number of reasons. A simple analogy would be to compare “why errors find their way into code” vs. “why a person caught a cold”.
No matter how many times people try to determine “why they caught a cold”, the prospect of finding that one reason each and every time, is nearly impossible. The possibilities as to why a person caught a cold are nearly impossible to quantify. In addition, no one goes to the cold-reliever isle in the pharmacy trying to figure out why they caught a cold. Instead what they are looking for is a remedy for the cold, and relief for the symptoms they are experiencing.
Regardless of the reason why coding errors (leading to vulnerabilities) find their way into code, is there a single solution that can remedy the situation every time? Yes, there is. Application Security Testing (AST) solutions that integrate static testing (SAST), run-time testing (IAST), software composition analysis (SCA), and secure coding education (SCA) for developers, available in a single platform, are a complete reality today. Organizations must address their known and unknown vulnerabilities during the development process, before their applications reach the internet. As a result of this effort, your organization will significantly reduce their risk of software exposure, and considerably narrow the attack surface they face daily.
To learn more about Checkmarx Software Exposure platform and the solutions mentioned above, you can request a demo here.