New Survey Predicts The Rise Of The “Everyday Hacker”

It's so easy, almost anyone can do it. Hack, that is.

Easily accessible information will allow those with only rudimentary technical skill to exploit flaws such as SQL injection vulnerabilities, according to a new report from Veracode.

Veracode's research found that although SQL injection flaws are easy to identify and fix, 32 percent of web applications are still affected by them. As a result, the report predicts that as many as 30 percent of breaches in 2013 will stem from SQL injection attacks.

Security Bistro spoke to Chris Eng, vice president of research at Veracode, who said that with roughly 70 percent of software failing to comply with enterprise security policies, organizations are left playing catch-up.

“[They're] not focused on building in security early in the Software Development Life Cycle (SDLC). The main concern of development organizations is creating software that meets key deadlines,” said Eng. “They are not measured against security goals, and their priorities are tied to time to market, meaning that security concerns often get shorted. Also, telling programmers that their code contains security flaws is basically telling them they made mistakes. It’s simply a reflection of human nature that there is a significant amount of pushback from the development organizations around security findings.”

Veracode's State of Software Security Report (SoSS) includes the latest research on software vulnerability trends as well as predictions on how these flaws could be exploited if left unaddressed and what this may mean for organizations’ security professionals.

The firm found that a simple Google search for “SQL injection hack” provided 1.74 million results (we tried the same search and only came up with 138,000 links). But there were a number of detailed videos with explicit instructions on how to exploit SQL injection vulnerabilities.

With hacking tools now widely disseminated, Veracode found that insecure software is the leading cause of security breaches and data loss for organizations.

Eng said that in order for enterprises to stay ahead of the cyber criminals, organizations must work with security teams to create more rugged code.

“It is a shared responsibility which is made difficult because the two teams have competing goals. The companies that have the most success sharing responsibility are those with an executive mandate that secure coding is important and make an effort to build a working relationship between the development and security teams,” he said. “Making security testing self-service for development teams, having a simple process to get developers started and providing remediation guidance on specific flaws found are all part of building a better relationship between development teams and security teams.”

Still, this push to shore up software vulnerabilities can be a challenge, Eng noted. Working with a development team to remediate application security flaws can be frustrating for security pros, he said, leading to potential job dissatisfaction.

“This is particularly true when time-to-market concerns appear to always trump security concerns and the flaws being exploited are fairly easy to fix,” said Eng. “The lack of qualified security pros puts significant limits on the amount of remediation support a single enterprise security team can deliver to their development teams. Some developers take the initiative to become a security 'champion' for their team, thereby reducing the burden on the security team, but unfortunately this doesn’t happen often enough.”

Veracode's report found that the stress surrounding remediation of these flaws will not only decrease job satisfaction and increase turnover for security professionals, but also portends that the average CISO tenure will continue to decline.

“Many developers have the tendency to assume security flaws are unexploitable rather than erring on the side of caution and simply correcting the flaw. In these cases, the security team may be pressured to demonstrate or rule out exploit scenarios when a two-minute code change could have eliminated the flaw altogether. When an enterprise has many more development teams than security pros it puts a limit on how much remediation can be achieved,” he added.

A copy of the report can be downloaded HERE (registration required).