Now, more than ever, we must stop learning the hard lessons the hard way.
It’s a staggering example of “too little too late.” As the coronavirus pandemic spreads around the world, more and more of the world’s working population is staying at home. Around the world, a huge number of us put our trust in conference platforms, like Zoom. Because surely a global video-conferencing application would be secure, right?
Oops.
Welcome to the world of ZoomBombing. Mischief makers with nothing better to do caused severe disruptions by intruding on business, academics, healthcare, and personal conferences. And they continue to do so.
But the underlying issues, and their implications, are far more serious. Zoom’s existing (and unaddressed) privacy and security vulnerabilities were found and exploited by mischief-makers. And this is just the tip of the iceberg. This post exposes 3 critical application security issues, each of which, if unaddressed, can rapidly turn into a disaster for everyone involved. That’s why, now, more than ever, application security training is of urgent concern for corporations, their employees, and their customers and clients… in essence, app security affects everyone.
1. Now, more than ever, we need to provide application security training to the other 70% of app developers.
And no, we’re not kidding. We wish we were. But first, ask yourself: would you get on an airplane, knowing that the pilot is only 30% trained? Or that the aircraft is only 30% airworthy? Or that the security officers only screened 30% of your fellow passengers? No? Didn’t think so. Which begs the question: what the heck is happening the other 70% of the time?
The truth is unfortunate. 70% of app developers do not get the kind of training that could help ensure the security of their apps, leaving them open to security issues far worse than ZoomBombing. We’re talking about issues like:
- SQL Injection;
- Cross-Site Scripting; and
- Remote Code Execution.
7 out of 10 apps are developed by people with insufficient security training. Let’s really bring this home. Think of all the apps that are installed on your device(s). The average person has 60 – 90 apps on just one of their devices. If 70% of those apps are developed with insufficient security, the average person has 40 – 60 apps on their device(s) that are open to attack. Think: usernames and passwords, your personal and financial/payment information, your personal address book and social media contacts, even your home and possibly your loved ones. You may even have health-, professional-, or business-related information stored on your device(s). Once security is breached, all that data is up for grabs. We wish this statistic was fictional, we really do. But it’s not. It’s a frightening reality in our modern, tech-, and data-driven world.
2. Now, more than ever, it’s crucial to understand that only 56% of critical vulnerabilities and 45% of high-severity vulnerabilities are getting fixed.
Again, we’re not kidding. To say it’s sufficient to fix only 56% of critical vulnerabilities and 45% of high-severity vulnerabilities is akin to saying I live in an overcrowded city and I’m okay with half the front door missing. It’s kinda like figuratively setting out the welcome mat for a hacker, and just as figuratively inviting them in for tea. It’s a question of Urgent versus Important. Most app developers will tell you that they think app security is ‘important.’ But their actions (and their products) suggest that about half of them think application security is ‘urgent.’ The deeper lesson here is that while security breaches do make headlines, most of those headlines would be unnecessary if someone had taken responsible, urgent actions, and trained their app development teams to build security into their product(s).
3. Now, more than ever, it’s vital to stop the production of exploitable vulnerabilities in applications and address the issue(s).
More than half – 60% in fact – of all applications have a known exploitable vulnerability in production for more than 365 days. Imagine if an automobile manufacturer knowingly produced and sold their cars for over a year, even though the brakes failed randomly 6 out of 10 times. That’s what’s happening in the world of application security. The greater tragedy? End-users may or may not be aware of this vulnerability. And when they find out, the reality check comes a fraction of a second too late.
Similarly, ignoring application security is giving the honor of signing the reality check… to the hacker. By not training developers to build security into their applications, that’s exactly what’s happening.
Now, more than ever, it’s time to make application security the new normal.
Security breaches have now impacted the Social Security Administration, and even the World Health Organization. When ZoomBombing hit the news, the disruption to businesses and communities was global. It was hurtful to many people, and the repercussions are still being felt. But ZoomBombing is almost a joke when compared to the disaster that any major data breach can cause. Now, more than ever, it’s essential to provide effective and more-than-adequate training to our application developers.
You can help. Train your app developers to create products that not only do what they’re supposed to do but also protect the end-user and your business.
Click here to check out our Application Security Series.
Click here to demo our General Security Awareness course.
Due to the current COVID-19 outbreak across the United States, millions are working from home, some for the first time. This is why KMI Learning and Infrared Security have come together to provide you and your colleagues free home cyber security training, titled “Work From Home Securely: Security Considerations for Extended Telework”. Gain immediate access to this online video course.