Lesson Learned? Not Yet.
This past week a spate of new reports came out on the latest ever-rising (and alarming) security statistics. The Ponemon Institute reported that the average cost of a data breach has reached $4M. Akamai noted that there was a 25.2 percent increase in web application attacks. And all this comes during the same week we learned that cyber attackers hacked into the Democratic National Headquarters (DNC). While all of this information is important, and dare I say, sexy in the context of technology industry news, what’s the point of all this information? If it’s to educate us as technologists, to get smarter about how we’re doing things, it seems we’re not getting the lesson. Why is that?
Businesses—at least here, in the United States—are motivated by dollars and cents. We have it ingrained in us that speed is everything. The faster we can churn something out and get it to market, the faster we get to revenue. But the reality is that this mindset prompts many to release products or applications that haven’t been rigorously tested. Instead, they’re deemed good enough, and we’ve essentially become the patch generation, relying on regular updates to ‘make it right.’ According to Trustwave’s 2016 Global Security Report, 97% of applications tested had one or more security vulnerabilities. To make matters worse, a Forrester study reveals that less than fifty percent of third-party code is tested for quality and security during development.
Meanwhile, the cost to change or fix issues in new product or service development increases significantly as you move farther along the DevOps lifecycle, as you can see from the Agile Modeling Cost of Change Curve. Also worth noting: Breaches identified within the first 100 days cost companies $1.15M less than finding a breach after 100 days, according to the Ponemon study.
You’d think that with this kind of information surfacing, we would take a closer look at what we can do to bolster our security posture. So while security testing for DevOps is the number six strategy on Gartner's Top 10 list of how to battle cyber security issues, some are not getting the memo. Unfortunately, the Cyberthreat Defense Report notes both vulnerability assessment/management and penetration testing were down substantially. Add to that, it’s been widely reported that there will be a global shortage of cybersecurity professionals by 2019.
Clearly we have more work to do to learn the lesson that we need to take cybersecurity seriously. That’s why it’s timely that Cisco just announced a $10M scholarship to counter the impending security talent shortage. In addition, some US senators have launched a new bipartisan cybersecurity caucus to educate politicians on cybersecurity issues and strategies and how to address the expanding attack surface.
These are definitely steps in the right direction, but we need to do more, as technologists, to battle the cyber war. It’s no longer enough to throw a firewall and other security gear into your network and call it a day. We need to reinforce our security infrastructures with more rigorous testing, and ensure high availability of inline (and out-of-band) security tools by eliminating downtime from their maintenance, upgrades, or failures. And we need to be disciplined about thoroughly testing devices and applications before releasing them into the wild, rather than relying on a model of versions and patches. To learn more about how test and visibility can strengthen your applications and your security stance, visit our website.