InfoSec 2016: WhiteHat says "security from within" key to tackling web vulnerabilities

WhiteHat Security's vice president, Ryan O'Leary, says "security has to come from within", explaining that "no vendor will be able to help you if you don't secure your software or web application from the get-go."

Security must be thought about from the point of inception, says WhiteHat VP Ryan O'Leary
Security must be thought about from the point of inception, says WhiteHat VP Ryan O'Leary

Speaking with SCMagazineUK.com at InfoSecurity Europe 2016, WhiteHat Security's  vice president, Ryan O'Leary, says “security has to come from within”, explaining that “no vendor will be able to help you if you don't secure your software or web application from the get-go.”

He suggested that people often assume that developers are clever enough to secure the systems they are developing. But that's more often than not, not the case.

The company has released its eleventh annual Web Applications Security Statistics report. Compiled using data collected from tens of thousands of websites, the report reveals that the majority of web applications exhibit, on average, two or more serious vulnerabilities per application for every industry at any given point.

Citing shocking statistics such as “86 percent of web apps we come across have level 4/5 severity security vulnerabilities” and even more worryingly, the average remediation time of these vulnerabilities is 200 days, and at an extreme it goes all the way up to 800. O'Leary says there needs to be a fundamental change in how we think about software security, saying that “it must become a part of the development process, but clients get put off due to do the added time in production, which equates to the development process becoming more expensive.”

The research from WhiteHat Security showed that no industry has mastered application security, and of the 12 industries analysed in this report, the information technology (IT), education, and retail industries suffer the highest number of critical or high-risk vulnerabilities per web application, at 17, 15 and 13 respectively. And it takes approximately 250 days for IT and 205 days for retail businesses to fix their software vulnerabilities.

Ilia Kolochenko, CEO and founder of High-Tech Bridge, commented to SC: “The easiest and fastest to hack, insecure web applications are becoming the major threat across the Internet. Aggravated by weak web server configuration and unreliable SSL/TLS encryption, vulnerable web applications are actively exploited by cyber-criminals to conduct APTs against multinationals and governments, as well as to extort ransom from individuals or SMBs.

In the near future, we can expect a significant and continuous growth of RansomWeb attacks against website owners, and ransomware attacks against website visitors. Actually, ransomware is not a technical problem, but a business model problem: while it will remain the easiest way to extort money, it will continue skyrocketing.

Web Application Firewalls don't work in isolation from other security technologies anymore. Web application security requires a comprehensive approach, including Secure Software Development Lifecycle (S-SDLC), continuous monitoring, and regular manual or hybrid web security testing to complement automated vulnerability scanning.”

According to the “Window of Exposure” data in the report, another key metric organisations need to pay attention to is the number of days an application has one or more serious vulnerabilities open during a given time period. Across all industries, a substantial number of web applications remain always vulnerable. A few key highlights:

  • Information Technology (IT) - 60 percent of web applications are always vulnerable.

  • Retail - half of all web applications are always vulnerable.

  • Banking and Financial Services - 40 and 41 percent of web applications are always vulnerable, respectively.

  • Healthcare - 47 percent of web applications are always vulnerable.

“Since 2013, the average time to fix vulnerabilities has trended upward overall, but we've seen some great successes with customers who have embedded security into the software development process,” said O'Leary.

Discovering vulnerabilities in development is key to reducing vulnerabilities when the application is staged. Introducing source scanning, or SAST, has the potential to eliminate 80 to 90 percent of well-known vulnerabilities. We look forward to seeing how this report will evolve as security and development teams work together more closely around shared security and risk management goals.”

However it's not all bad news - according to O'Leary - major data breaches like LinkedIn, Tumblr, Experian, MySpace are all driving awareness of the need to quickly patch the holes created in a development environment.

O'Leary said, “As the costs of the data breaches continues to rise, it only spells bad news for those who choose not to patch their software”.

And WhiteHat as a whole, seem to be tackling the problem head on. O'Leary told SC of how the company has developed its own curriculum and entire on-going training department to teach its developers to make better, more secure code.

And it goes further than this - in an effort to try and both close the cyber-skills gap and find just the right people for its company - O'Leary told SC it tends to only recruit inexperienced school leavers and train them from the ground up. This helps it find the right people, and gives people more opportunities.