5 reasons why security is harder today than a decade ago

As I prepared for my presentation on "The Application Security Landscape" for the HP Protect conference (in one slide, even!), my mind began to wander in a lot of different directions. Broad topics will do that for you. One thought that occurred to me is that application security seems harder now than it did 10 years ago in many ways. Here are my top five reasons why.

 

Old vulnerabilities remain stubbornly prevalent

 

Every year, HP publishes the Cyber Risk Report. And each year, Cross-Site Scripting shows up big. Nothing illustrates this point quite like the fact that almost half of the web applications we tested last year were susceptible to some form of a nearly 20-year-old vulnerability. There's a simple reason why this old vulnerability is still creating havoc: Cross-Site Scripting is not easy to prevent. There are too many parameters to check, and not enough time to check them all. Need more proof? Check out its OWASP Top 10 consistency.
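The "too many parameters to check" problem is easier to see in code. The example below is added here and is not from the original post or from any HP product; the query string and page template are constructed for illustration. It contrasts the error-prone habit of escaping each parameter by hand at the point of use (where forgetting one is enough) with an escape-by-default render that encodes every user-supplied value before it reaches the HTML body, so there is no per-parameter decision left to miss.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed request: the kind of query string a search page might receive.
# Three parameters, one of which carries a script tag.
CONSTRUCTED_QUERY = "q=cherry+blossoms&page=2&sort=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Hypothetical page template; every placeholder sits in HTML body context.
PAGE_TEMPLATE = (
    "<h1>Results for {q}</h1>"
    "<p>Page {page}, sorted by {sort}</p>"
)


def parse_params(query: str) -> dict:
    """Flatten a query string into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_manual(params: dict) -> str:
    """The error-prone pattern: each parameter is escaped by hand where it is
    used, so any parameter the developer forgets goes out raw. Here 'sort'
    was never escaped, which is exactly the kind of miss that scales with
    the number of parameters."""
    return PAGE_TEMPLATE.format(
        q=html.escape(params.get("q", "")),
        page=html.escape(params.get("page", "")),
        sort=params.get("sort", ""),  # missed: rendered unescaped
    )


def render_safe(params: dict) -> str:
    """Escape-by-default: every value is HTML-encoded before substitution,
    so a new or forgotten parameter is still encoded. Missing keys render
    as empty strings rather than raising."""
    escaped = {k: html.escape(v, quote=True) for k, v in params.items()}
    return PAGE_TEMPLATE.format(
        q=escaped.get("q", ""),
        page=escaped.get("page", ""),
        sort=escaped.get("sort", ""),
    )


# Coarse regression check for a test suite: a literal <script tag in the
# rendered body means a user-controlled value reached the page unencoded.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def contains_raw_script(rendered: str) -> bool:
    return SCRIPT_TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    params = parse_params(CONSTRUCTED_QUERY)
    print("manual:", render_manual(params))
    print("safe:  ", render_safe(params))
```

The encoding shown is correct only for HTML body context; a value placed inside an attribute, a script block, or a URL needs the encoder for that context, which is why templating engines that escape by default and know the output context remove more of this class of bug than any amount of per-parameter review.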

 

The application vulnerability universe continues to expand

 

It's simply the nature of applications that the introduction of new technologies creates unintended pathways that can be leveraged for malicious purposes. We've seen this from the introduction of JavaScript to Web 2.0 and beyond.

What really complicates things is that it's not just the new stuff that's vulnerable—older technologies are showing a remarkable propensity to stay vulnerable. The popular example is Java, but there are more, of course. Flash springs to mind. So does PHP injection, for that matter.

Combine these factors with an explosive rise in research, the rise of mobile applications, automated hacking tools, criminal activities, putting a web front end on everything, and on and on… well, you get the picture. There's always going to be something new, or even old, to worry about.


Access to information

The market for vulnerability information, especially regarding critical vulnerabilities, has exploded. One reason is the rise in bounty programs: organizations or groups that pay bounties (large sums of cash) for disclosing vulnerability information. HP does this via our Zero Day Initiative (ZDI) group, rewarding security researchers for responsibly disclosing vulnerabilities.

On the dark side of information sharing is a growing black market where nation states, organized crime and even software companies all compete to purchase undisclosed vulnerability information. Attackers have a plethora of tools available, and more tools seemingly emerge every day. Long story short: getting critical vulnerability information has become easier for the bad guys, especially if they are willing to pay for it. All of this has made life more difficult for security teams.


Cyber-warfare

Unfortunately, cyber-warfare offers malicious evil-doers with global aspirations the biggest opportunity to level the playing field with traditional superpowers. It's much less expensive than traditional forms of attack, it can be conducted remotely, and while "not yet" guilty of causing huge amounts of real-world damage, it has the potential to do so. When you realize that most critical infrastructure was never intended to be web-enabled, and now it suddenly is, you can see the true potential scope of this problem.


Lack of standards

I don't necessarily mean legislation here. What I'm really getting at is more abstract. There's simply no systematic way to accurately define application security risk. There are too many subjective factors, too many variables and too many opinions. Organizations know they need 'something' to remain secure, but the 'what' is not always so easily revealed. In fact, it's a continued challenge for security operations teams to source real-world business reasons and metrics that help sell the need for application security.

 

What's Better?

 

Is it all doom and gloom? Of course it's not. Security firms are getting much better at tracking down and naming the sources of attacks. This fact alone still has the power to shame nation states into...ok, they just want to cover their tracks better. But, it's a start. And Snowden opened a Pandora's Box that opened everyone's eyes to the reality of cyber-warfare in a publicly conscious way that Stuxnet simply didn't. Security products also communicate in a much better and more collaborative manner than even five years ago. (I encourage you to read this datasheet to learn about the communication capabilities of HP ArcSight Application View.) This increased communication leads to better results and fewer false positives. So that's good. And even with the need for better metrics, cyber security is never again going to have to be shown to be necessary.

 

If you want to hear more about my thoughts on application security, join me at HP Protect Sept. 16-19 in Washington D.C.
