2013 will bring more ‘casual' hack attempts on vulnerable organisations. Hackers are always getting smarter but they are also growing in numbers, first-time hackers are looking for easy targets, so even small and medium sized businesses (SMEs) need to be aware of online security. Simple security measures such as default accounts and passwords need to be a necessity.
Why is it happening?
"I rob banks because that's where the money is."
That's what Willie Sutton, a prolific bank robber, said when asked why he robbed banks.
In our case, the flawed code is the money. If there are any errors in the code it makes the whole software vulnerable to sudden crashes, data leakage and successful hacking attempts.
Essentially, hackers hack because companies don't test their software thoroughly enough which is like leaving your front door open when you don't want to get robbed.
Who is the target?
The recent Forrester report "Software Security Risk" commissioned by Coverity (2012) found that many organisations today still struggle with the most basic security flaws and do not have a holistic or strategic approach to application security. Staggeringly, only 17% of companies surveyed actually test during the development cycle and more than half do not audit their code before integration testing.
This resulted in 51% of respondents having had at least one web application security incident since the beginning of 2011. Plus, 18% of those respondents experienced losses of at least $500,000.
There were other problems that developers struggled with - such as the need for too much security expertise and high false positives - that slowed down the whole testing process, highlighting a skills gap of security in development testing, and development testing in security professionals.
What to expect in 2013
With more successful hacking attempts, hackers will get more confident and daring - targeting high-profile companies and institutions trying to get their hands on sensitive data.
Hacking will become one of the most widespread and dangerous forms of activism, encouraging more young people to join and participate.
Developers can play a crucial role in protecting software from hack attacks and other security weaknesses. During the development phase, limiting the number of primitives within code can make life much more difficult for hackers, increasing the time, effort and cost associated with exploitation and thereby reducing its likelihood.
However, as companies struggle to attract skilled IT employees, hacker groups may have more IT expertise at their disposal than the companies themselves, making it harder for them to protect themselves.
On the bright side, the hackers becoming smarter and larger in numbers will force companies to think more about what software they produce. Resulting in more investment in a thorough development testing processes. Therefore, there will be a rise in development testing awareness, which will help to move the whole development process forward.
The security breaches this past year gave further proof for the need to incorporate security testing as early as possible in the development process. Organisations can no longer afford to be reactive to security breaches. The PR backlash that a company may suffer after losing customer passwords can sometimes be even more damaging than anything a hacker might steal. In 2013, we'll see processes intended to avoid security vulnerabilities baked more fully into the development process.
By Chris Adlard, Coverity
NEXT ARTICLEMerry Christmas!»
Phil Muncaster reports on China and beyond