When you look at the vulnerabilities that routinely get exploited by cybercriminals the most they generally fall into two broad categories. The first usually involves some sort of phishing attack in which an end user was essentially tricked into downloading a document or clicking on a link that infected their system with malware. The second class of attack is usually aimed at some well-known vulnerabilities that exist in an operating system, database or application.
Beyond continually educating users about how to recognize these threats there’s not much the average cybersecurity professional can do about phishing attacks except try to contain the damage. But in the case of software that contains known vulnerabilities, there is reason for optimism on two fronts. The first is thanks to advances in technologies such as machine learning algorithms it should become a lot easier to discover the vulnerabilities. The second reason for optimism is tied to the rise of a DevSecOps movement among application developers.
As an extension of the DevOps movement, DevSecOps is starting to gain credence because more developers are being held accountable for the quality of their code. Previously, application developers pretty much wrote code that was they deemed finish they threw over the proverbial IT operations team to deploy. After several contentious meetings with those developers, the IT operations teams would eventually get the code to a place where it could be deployed in a production environment. At no time, however, was anybody testing that software for anything more than basic compliance with a vague set of security policies. Because of that flawed process, there’s more software that can be easily exploited by cybercriminals than anyone cares to admit. The Verizon Data Breach Report for 2017 makes that point abundantly clear. Out of the 1,935 breaches analyzed, 88 percent were accomplished an all too common list of nine attack vectors. How this state of affairs came about continues to boggle the minds of IT security professional everywhere.
But now that more developers are being held to account there’s not surprisingly a lot more interest in including security testing within the larger application testing process. In fact, instead of waiting to the end of the application development process to do that testing there’s a concerted effort now to test applications at each stage of the build process. None of this means that all the code that’s already been deployed is suddenly going to be magically fixed. But it does mean that as legacy applications get updated or replaced the inherent level of security of those applications should substantially improve.
Of course, there will never be a such a thing as perfect security. But security professionals know that most organizations are their own worst enemies. The exploits that are being used to routinely compromise their security are not all that sophisticated. There are no legions of hackers with awesome programming skills stealing organizations blind. There are, however, thousands of programmers with just enough skill to launch an attack using code somebody else wrote. Most of those programmers are not getting rich. Most of them only do it because the criminals that hire them pay them more for their skills than anybody else. If they could be gainfully employed doing something else more interesting and rewarding, they probably wouldn’t be involved in cybercrime in the first place. There will always be cybercriminals. But right now, there’s so many of them because the current state of IT security makes it too easy. Thanks to the rise of DevSecOps, however, there may one day soon be a day when that’s no longer the case.
Get more information on DevSecOps at their website at http://www.devsecops.org/
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.