In its April 2014 Internet Security Threat Report, Symantec declared 2013 the "Year of the Mega Breach". Supporting their findings, the authors noted rampant Distributed Denial-of-Service (DDoS) attacks, that 77% of all public web sites scanned as a part of the study were identified as vulnerable with one in eight of those affected by known critical vulnerabilities, and that the average time to patch published critical vulnerabilities was estimated to be four days. While one might rightly wonder what moniker 2014 could possibly have earned given the cyber security dominated headlines, any shred of optimism was quickly dashed with the recently released PwC Global State of Security 2015. Their findings identified that security incidents increased by 48% in 2014 with a compound annual growth rate (CAGR) of detected security incidents reflecting a year-over-year increase of 66% since 2009, that 92% of all incidents experienced average losses of $20 million or greater, and…that information security budgets were on average cut by 4%. Disheartening yes, but don’t despair as the cyber war is not yet lost!
Indeed, those choosing to deploy or otherwise vested in maintaining e-commerce sites should be given pause. There are many serious concerns in regards to engaging in such business, despite fanciful wishes of "flying under the radar" due to business size or outsourcing payments. And yet there is also no lack for industry guidance as to secure development practices.
Consider the Open Web Application Security Project (OWASP) and its Top 10 Most Critical Web Application Security Risks, SANS CWE Top 25 Most Dangerous Software Errors, or CERT Secure Coding Standards; all of which are suggested to software developers as best practices to aid in complying with the PCI Data Security Standard version 3.0 requirement 6.5 mandating that secure coding guidelines and supporting training be established. The PCI Security Standards Council further offered guidance to e-commerce-based merchants in its January 2013 eCommerce Guidelines.
So, what’s the problem? Too often it is one of ill-considered practices that relegate security to an afterthought in lieu of availability and ease of maintenance. Sure, crafted technical vulnerabilities will arise that require remediation effort. However, the vast majority of software related security threats instead tend to result from development efforts not being effectively managed so as to early-on establish security requirements, review and address them throughout the development cycle, and to subsequently manage risk on an ongoing basis.
While it is true that integrating security best practices into timely development efforts is not for the faint of heart, adopting such a culture programmatically produces measurable dividends. It is not so much a case as requiring developers to become cybersecurity professionals as opposed to one in which the two must be capable of speaking a common language supported by ongoing dialog in order to reasonably coordinate a process or checks and balances. Should you hear that message as one of bureaucracy, here’s hoping that your incident response processes are strong.
UNLESS someone like you cares a whole awful lot, nothing is going to get better. It's not.
-Dr. Seuss, The Lorax
This blog was presented by Peter Spier, Managing Director, PCI and Risk Assurance at Fortrex Technologies.