“85% of all software security exploits are attributed to just ten known vulnerabilities”
Pieter Danhieux, Co-Founder/CEO of Secure Code Warrior discussed cybercrime with us. We learned all about common kinds of security vulnerabilities, best practices organizations should take to achieve proper security compliance, and how teams can focus more on building security into their code.
JAXenter: Thank you for taking the time to talk to us! To call cybercrime a huge problem is an understatement. First things first, what are the most common kinds of security vulnerabilities?
Pieter Danhieux: 85% of all software security exploits are attributed to just ten known vulnerabilities. These security risks are identified and ranked in the OWASP Top 10. Some of these vulnerabilities include: Injection flaws, broken authentication, sensitive data exposure, external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities and insufficient logging and monitoring.
JAXenter: What are best practices for security that organizations should be aware of to help them achieve proper security compliance?
Pieter Danhieux: Some of the best practices for security that organizations should be aware of to help them achieve effective compliance include: upskilling the development cohort with engaging training, and it should take them out of the classroom and into a hands-on, relevant learning experience that helps them not just fix problems, but understand the importance of secure coding in general. Infrequent and irrelevant training is useless, and doesn’t help build a positive security mindset in developers.
Another key factor that drives a successful security program is ensuring key stakeholders are on-board and seeing the benefit, even if they are not security professionals themselves. It is important to communicate well with executive management, ensuring that top-level decision-makers understand that security processes are not ‘set and forget’ measures; they must evolve as rapidly as the technology being used and adapt to variable risks.
JAXenter: Which developer tools would you recommend to help enhance security and mitigate risks?
Pieter Danhieux: The best way to enhance security and mitigate risks is to start with learning the fundamentals. That said, developers don’t want to sit around listening to lecturers – they want to get their hands on stuff and try it for themselves. They want a focus on practical applications – something many training programs sorely lack. When asked to identify how company-provided training could improve, 30% of respondents revealed that they would like that training focused on practical applications, particularly authentic work scenarios. Developer training needs a human-led approach that offers guided learning pathways that are both hands-on and language/framework-specific. Role-specified upskilling gets developers highly engaged, and configurable learning modules that allow an organization to target developer learning towards specific vulnerabilities is a viable solution that will have a positive impact on reducing those vulnerabilities in the code being produced every day.
JAXenter: When it comes to security, embedded systems in particular are notorious for their wide-open vulnerabilities. Why is this: are the issues mainly in the hardware, software, or both?
Pieter Danhieux: It’s both, but it really comes down to how much focus is on security throughout the entire software build. Embedded systems are very intricate and task-focused; a car might have close to 100 groups of embedded devices, for example, each with a set task. Developers need very specific training on secure coding for these systems, and with so many moving parts, some issues can be missed.
They have very limited memory, and can be particularly susceptible to buffer overflow and memory corruption attacks, so these need to be addressed with care, precision, and dedication to the right skill-building in any developers working on them.
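The buffer overflow risk described above, illustrated with an added C example that is not part of the interview or of Secure Code Warrior's material. It assumes a constructed wire format (one length byte followed by a payload) and a fixed-size frame buffer of the kind used on a memory-constrained embedded device, and shows the unchecked parsing pattern beside a hardened parser that validates the declared length against both the buffer capacity and the bytes actually received:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame layout for this illustration: in[0] is a declared payload
 * length, followed by that many payload bytes. FRAME_MAX is the capacity of
 * the fixed on-device buffer (assumption). */
#define FRAME_MAX 16

struct frame {
    uint8_t len;
    uint8_t payload[FRAME_MAX];
};

/* Vulnerable pattern: trusts the length byte from the wire and copies that
 * many bytes into a fixed buffer. A declared length above FRAME_MAX overruns
 * 'payload' (stack or static memory corruption). Shown only as the "before"
 * of the fix; it must never be fed untrusted data. */
int parse_frame_unchecked(struct frame *out, const uint8_t *in, size_t in_len) {
    if (in_len < 1) return -1;
    out->len = in[0];
    memcpy(out->payload, in + 1, out->len);   /* no bound on out->len */
    return (int)out->len;
}

/* Hardened parser: rejects a frame whose declared length would overflow the
 * destination buffer or read past the bytes actually received.
 * Returns the payload length on success, -1 on malformed input. */
int parse_frame_checked(struct frame *out, const uint8_t *in, size_t in_len) {
    if (in == NULL || out == NULL || in_len < 1) return -1;
    uint8_t declared = in[0];
    if (declared > FRAME_MAX) return -1;           /* would overflow payload */
    if ((size_t)declared > in_len - 1) return -1;  /* would over-read input  */
    out->len = declared;
    memcpy(out->payload, in + 1, declared);
    return (int)declared;
}

/* Returns 1 if a frame claiming more payload than FRAME_MAX is rejected. */
int demo_oversized_rejected(void) {
    uint8_t wire[20];                      /* constructed input */
    memset(wire, 0x41, sizeof wire);
    wire[0] = 200;                         /* claims 200 payload bytes */
    struct frame f;
    return parse_frame_checked(&f, wire, sizeof wire) == -1;
}

int main(void) {
    uint8_t good[] = {3, 'a', 'b', 'c'};   /* constructed well-formed frame */
    struct frame f;
    printf("well-formed frame: %d bytes\n", parse_frame_checked(&f, good, sizeof good));
    printf("oversized frame rejected: %s\n", demo_oversized_rejected() ? "yes" : "no");
    return 0;
}
```

The two length checks are the whole fix: the first ties the copy to the destination's capacity, the second to the bytes that actually arrived, so neither a hostile length byte nor a truncated frame can drive memcpy out of bounds. On a device without an MMU or stack canaries this check is often the only barrier between a malformed frame and silent corruption of adjacent memory.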
JAXenter: We often think about security disruptions in terms of financial loss and downtime, but the bottom line isn’t the only issue. What other things can a cyberattack affect?
Pieter Danhieux: One of the biggest problems is loss of reputation for a company. Long after fixing the problem, and getting everything back on track, it’s likely that you will still be dealing with a hit to your reputation for violating customer trust. That is hard to overcome, and 60% of small businesses close within six months following a successful cyberattack.
JAXenter: Finally, what is some recommended reading for a developer who wants to focus more on building security directly into their code?
Pieter Danhieux: If developers want to challenge themselves right away and learn about secure coding with real code, they can try out our Learning Platform for free. We also have free learning resources for developers, and cool plugins they can try out.
Oh, and The Unicorn Project is a must-read.