Several weeks ago, Verizon released the 2016 Data Breach Investigation Report. As always, media outlets, vendors and security experts began discussing the report’s key findings.
This year, there was a new debate — security professionals are questioning the accuracy of the report’s list of the Top 10 vulnerabilities, which Verizon claims are responsible for 85 percent of successful exploits. Critics point out that eight of the vulnerabilities listed are more than a decade old, while common bugs like those that plague Adobe’s Flash Player are nowhere to be found.
The best strategy is to harden the natural entry points — the applications.
The problem with the results appears to stem from Verizon’s research methodology for vulnerabilities and breaches. Methodology and accuracy notwithstanding, I question the wisdom of creating such a list at all. In the very same report, Verizon states that the other 15 percent of successful exploits that don’t come from the Top 10 vulnerabilities still represents a significant number of breaches. And while the debate rages on about what are the top vulnerabilities responsible for breaches, I argue that we are being distracted from the true issue: We need to think differently about protecting the applications that run our businesses and lives.
The past few years have seen a shift toward detect-and response-based security strategies. The Verizon DBIR does show that, despite huge investments in these areas, these strategies are not effective at protecting data. Attackers are shortening the time it takes to infiltrate a network and exfiltrate data. They’re doing so faster than defenders can detect an attack. The result is that attacks are identified too late, if at all. Or in Verizon’s words "The detection deficit is getting worse." More than 67 percent of exfiltration took place in days after the breach occurred. The report also showed that in 2015, 84 percent of exploits took days or less, but less than 25 percent of these were detected in that time frame.
What good is an alarm if it only goes off after a robber has broken into your house and stolen your stuff? The best strategy is to harden the natural entry points — the applications. Applications are inherently risky, because they are the gateway into your IT infrastructure.
The average $500 million enterprise has more than 3,000 applications. That’s 3,000 points of entry.
Applications are rapidly proliferating, according to the "2014 State of CIO" Report, the average $500 million enterprise has more than 3,000 applications. That’s 3,000 points of entry. And that was back in 2014. The average number of applications will only continue to grow as businesses and individuals rely more and more on applications as a point of innovation, differentiation and increased productivity. Yet, we are not architecting or building applications with the knowledge that adversaries will use applications as the path of least resistance to our data.
What the debate around the Verizon DBIR results highlights is the need for a new approach to security, one that is based on the realities of a software-driven world. As the world continues its march toward digitization, the problem of insecure applications will only increase, and businesses need to find a way to better address this issue. The key to this transformation is to align security teams and development, and to integrate secure coding practices into DevOps procedures. By shifting security into the development process, rather than relying on securing in the production phase alone, businesses will be able to reduce all types of vulnerabilities, and not rely on "Top 10" lists for patching efforts.
One of my favorite parts of working in the security industry is that, in the end, we are all working toward the same goal — safer environments. As a result, we have a culture built on creating open dialogues that allow vendors and security professionals to identify issues and self-correct.
The researchers at Verizon may have made an error in methodology when reporting on the top vulnerabilities, however, I’m sure they will improve for the next edition. As security professionals, we should take the same improvement path and reexamine how we approach securing the software that runs our world.
Chris Wysopal is chief technology officer of application security provider Veracode, which he co-founded in 2006. He oversees technology strategy and information security. Prior to Veracode, he was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990s, Wysopal was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified before the U.S. Congress on the subjects of government security and how vulnerabilities are discovered in software. He is the author of "The Art of Software Security Testing." Reach him @Weldpond.
This article originally appeared on Recode.net.