When penetration testing teams evaluate code, the message is the same: there are vulnerabilities from coding errors, present because developers are not using industry-proven security practices. The dangers of unsecured code can be devastating for organizations that find their company data or customer data to be easy targets for hackers.
Is your organization aware of the dangers of unsecured code? Do you know where you are most exposed and what to do about it?
How Secure Coding Gets Overlooked
There is ongoing pressure for developers to write more and more code, whether it is to get applications into the cloud, improve customer experience or improve workflow processes. With this in mind, security training can be a daunting task for developers, because it takes so much time away from their development deadlines.
Where Do Coding Errors Show Up?
Web applications are typically the biggest interface between companies and their users – both internal and external. When security is neglected at the developer level, applications can become very desirable targets to hackers. Successful exploitation of a vulnerable application can expose sensitive customer and company data, result in monetary losses, and cause permanent damage to a company’s reputation. These weak points can show up in the most common work systems and processes.
For example, in one penetration test, a company was notified that a coding error had opened a hole in its uninterruptible power supply (UPS) system. Ponder that for a moment, and think of the potential ramifications of that mistake. First and foremost, the people who run the UPS systems do not think about security unless it is of a physical nature, so they are likely not equipped to handle the breach. Meanwhile, bad actors could have changed the default passwords, disabled audible alarms, modified the nominal input/output voltages and frequencies, or even shut it down remotely.
Specific Dangers of Unsecured Code
The FBI recently reported that the number of complaints about cyberattacks is between 3,000 and 4,000 a day. That represents a 400% increase from what they were seeing before the pandemic. Interpol is also seeing an “alarming rate of cyberattacks aimed at major corporations, governments, and critical infrastructure.” In addition, the Ponemon Institute reported in a 2021 study that the average total cost of a data breach increased by nearly 10% to $4.24 million, the highest ever recorded.
Furthermore, it is taking companies longer to identify and contain data breaches. By some estimates, it takes an average of 280 days, which contributes to the overall cost. Many of these breaches are related to unsecured coding practices.
According to Forrester, web applications were the number one attack vector, yet there is little being done to train developers on how to avoid the dangers of unsecured code. In fact, we find that only 20% of newly hired developers have received secure coding training! That’s shocking, given the fact that injection vulnerabilities have been at the top of the OWASP Web Application Security Risks for more than 14 years.
More and more applications are requiring personal data, while at the same time, new regulations mandate the protection of sensitive data. This calls for more intensive developer training than ever before.
OWASP and Other AppSec Training
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. There are three new categories in the OWASP Top 10 – 2021 list just released:
- Insecure Design
- Software and Data Integrity Failures
- Server-Side Request Forgery.
There are four categories with naming and scoping changes and some consolidation of categories. See the comprehensive list of coding languages and topics covered in Global Learning Systems’ application security training:
How does developer training, like the OWASP Top 10, address the real-life dangers of unsecured code? Let’s reflect on the Capital One data breach incident that exposed the records of almost 106 million customers. The type of cyberattack was a Server-Side Request Forgery (SSRF), a technique in which an attacker induces a server to make requests on the attacker's behalf. It lets the attacker treat the server as a proxy for requests, thereby reaching private endpoints that are not directly exposed. SSRF is new to the OWASP Top 10 this year, ranking at #10.
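As an added illustration of the defensive side of the SSRF point above (example code written for this page, not code from the original post, from GLS, or from Kontra): the core mistake behind an SSRF is a server that fetches whatever URL a user supplies. The check below validates an outbound URL before any request is made, using an assumed allowlist of legitimate destinations and rejecting targets that point at loopback, private or link-local addresses. The host names in `ALLOWED_HOSTS` are placeholders.

```python
"""Outbound-URL validation to keep a server-side fetch from becoming a proxy.

Hypothetical example written for this page; ALLOWED_HOSTS and
ALLOWED_SCHEMES are assumed values a real application would configure.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

# Assumed allowlist: the only destinations the application legitimately
# needs to fetch from.  Deny-by-default is the primary control.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}
ALLOWED_SCHEMES = {"https"}


def is_non_global_ip(host: str) -> bool:
    """True when host is an IP literal that is loopback, private, link-local
    or otherwise not globally routable.  Non-literal host names return False
    and are left to the allowlist check."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal
    return not ip.is_global


def validate_outbound_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied fetch target.

    Order of checks: scheme, presence of a host, embedded credentials
    (a classic way to disguise the real host), non-global IP literals,
    and finally the host-name allowlist.
    """
    parsed = urlparse(url)

    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"

    host = parsed.hostname  # already lower-cased, brackets stripped
    if not host:
        return False, "no host in URL"

    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL"

    if is_non_global_ip(host):
        return False, f"non-global address rejected: {host}"

    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and several shapes a
    # pentester would expect a vulnerable fetch endpoint to accept.
    samples = [
        "https://images.example.com/logo.png",
        "http://images.example.com/logo.png",
        "https://127.0.0.1/admin",
        "https://[::1]/admin",
        "https://169.254.169.254/",            # link-local range
        "https://images.example.com@10.0.0.5/",  # userinfo trick
        "https://evil.example/",
    ]
    for s in samples:
        ok, why = validate_outbound_url(s)
        print(f"{'ALLOW' if ok else 'DENY ':5} {s:45} {why}")
```

Two caveats a practitioner would add: a name-based allowlist does not stop a permitted host from resolving to an internal address later (DNS rebinding), so the resolved address should be re-checked at connection time, and the HTTP client should be configured not to follow redirects, since a redirect is another way to steer the request to an internal endpoint after validation has passed.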
Secure Coding Training for Your Developers
Secure coding training is critical, but how that training is developed and presented can make a tremendous difference between just “checking the box” – and training that yields real results. Developers benefit most from a hands-on training program that is to-the-point and interactive. Effective AppSec training teaches them to think like a hacker while analyzing attack surfaces in various applications – then recreate their steps and apply security code fixes to remediate vulnerabilities.
GLS, in partnership with Kontra Application Security, offers SecureDev™ AppSec training created by developers using these critical learning principles. The training experience presents real-world security incidents, designed with developers’ needs and learning styles in mind. The web-based simulations accelerate application security training and software security education through interactive scenarios that scale with the needs of the team.
Each scenario in the SecureDev training is based in the developer’s own coding language, which gives the developer a unique opportunity to look into the code and identify the real-life vulnerabilities. The developer can then correct the issue to complete the scenario.
Try the SecureDev application security training now with these free training exercises.