2018 Reflections and 2019 Predictions for Application Security
Data breaches and cyber-attacks have become an everyday reality, owing mainly to the growing volume, value, and centrality of data. The past few years have shown that every kind of organization, big or small, profit-making or not, is vulnerable. This has made cybersecurity indispensable rather than optional. The swelling number of data breaches and cyber-attacks in 2018 taught, or reiterated, some important lessons. In this piece we reflect on application security in 2018 and offer predictions for 2019.
2018 Reflections on Application Security
Major organizations faced or disclosed data breaches, zero-day threats, and cyber-attacks:
- Facebook faced one of the biggest breaches since its inception, initially put at 50 million accounts and later revised to about 30 million. Attackers chained bugs in the "View As" feature and the video uploader to steal access tokens, which could in principle also be used to sign in to third-party services that rely on Facebook Login, such as Instagram, Spotify, and Airbnb.
- Marriott International disclosed that an attacker had been inside Starwood's Guest Reservation Database since 2014, copying and encrypting data for exfiltration. Records of up to 500 million guests were exposed, including passport numbers, payment card details, arrival and departure dates, and other personal information; Marriott could not rule out that the components needed to decrypt the stored card numbers had been taken as well.
- Exactis, a marketing and data aggregation company, left roughly 2TB of data on a publicly accessible server, exposing some 340 million records with around 400 data points each on individual people and businesses.
- Panera Bread's website leaked customer records (names, email and postal addresses, phone numbers, birthdays, and the last four digits of payment cards) in plain text through an unauthenticated API endpoint, affecting an estimated 37 million customers. The flaw was reported to the company but was neither acknowledged nor fixed until it was publicly exposed eight months later.
- Saks Fifth Avenue and Lord & Taylor: malware installed on the point-of-sale systems of the two luxury brands compromised the credit and debit card details of about 5 million customers. The parent company became aware of the breach only when a security research firm found the cards on sale in an underground market and informed it.
- Delta Air Lines and Sears Holdings suffered breaches that affected well over 100,000 customers between them. The breach was the result of a security lapse at a third-party chatbot service that both companies were using.
- The Uber breach, which compromised the personal information of 57 million riders and drivers in 2016, was disclosed only in late 2017 and resulted in a $148 million settlement in 2018. For roughly a year the company neither fixed the exposure nor informed affected customers, and instead paid the attackers to delete the data and keep quiet.
- Widely deployed software such as Microsoft Windows, Oracle Java, Adobe Flash Player, and Adobe Acrobat Reader was hit by zero-day exploits in 2018. The vendors released patches, in several cases out of band, to close the vulnerabilities.
Beyond these headline breaches, an estimated 50-60% of small and medium businesses in the USA experienced some form of data breach or cyber-attack. Most of those business owners did not know how to secure their applications and digital assets against such attacks.
The 2018 breaches reiterated that application security is indispensable for businesses of all kinds. Even big players like Facebook, which pride themselves on their cybersecurity capacity and capabilities, are vulnerable to attacks and breaches. The year taught us these lessons:
- Web applications are only as strong as their weakest links.
- Your organization’s application security relies on your third-party service providers’ security. They must be chosen after careful consideration.
- Due diligence and a proactive attitude towards security along with a strong strategy are crucial for every organization.
- Disclosure and transparency in application security are highly valued by customers.
- Investment in cybersecurity and not just high-tech infrastructure and processes is vital.
- The big players can recover from breaches using their resources, infrastructure, and market power. The same cannot be said of small and medium businesses.
In 2018, the cloud has emerged as a must-have technology and is being widely adopted by more and more organizations, not just small and medium businesses. Cloud is not limited to inexpensive storage and cheap servers anymore. It offers speed and scalability apart from cost-effectiveness. It empowers disruptive companies to innovate and grow by leveraging cloud-based tools and technologies. This, in turn, helps them gain a competitive edge in the market and compete with the big players.
However, cloud services and cloud-based technology come with their own set of cybersecurity risks. Most cloud services are built on shared open-source components and common infrastructure, and many organizations in turn build on those services. A single vulnerability or compromise at one provider can therefore set off a chain reaction, putting that provider's customers, their users, and so on at risk. This was the case with Sears Holdings and Delta Air Lines (discussed in the previous section), where one compromised chatbot vendor exposed the customers of both companies.
Even though private clouds continue to grow, with companies building on-premise cloud platforms in their own data centers, over 60% of businesses in the US depend on public cloud platforms. A public cloud platform, by definition, means sharing infrastructure with many other tenants, and a misconfiguration on your side (an openly readable storage bucket, as in the Exactis case) exposes your data to the whole internet. Under the shared responsibility model the provider secures the underlying infrastructure, but securing the applications, data, identities, and configurations placed on it, whether on a public or a private cloud, remains the organization's job, not the cloud provider's.
Business agility comes with a higher risk:
In the face of waning attention spans of users/customers/clients and a growing sense of impatience, speed and agility have become essential for organizational success. To achieve business speed and agility, organizations are adopting various technologies including cloud computing, cloud-based services, anywhere/anytime connectivity, IoT, software-as-a-service (SaaS), software-based automation, etc. Along with all the benefits, these technologies also bring big risks for the organization. Security personnel and developers often find themselves under immense pressure to ensure that the cybersecurity measures do not reduce business agility.
2019 Predictions for Application Security
Managed services and specialists have a greater role to play: Most of the 2018 data breaches showed that a comprehensive, sound cybersecurity strategy, backed by regular scanning, penetration testing, and security audits of web applications, could have saved organizations millions of dollars. Automation, for all its savings in time and effort, is not sufficient on its own and needs to be augmented with human expertise. By engaging certified security professionals through managed services, organizations can prepare for the unknown: writing custom rules and tailored strategies, identifying business logic flaws that scanners miss, and feeding those human insights back to improve the automation. 2019 will therefore see managed services and certified security specialists playing a greater role in application security, and serving as a breeding ground for further automation.
Cloud adoption is not going to stop in 2019. Organizations will invest more in the cloud to transform their web applications and processes. Private cloud platforms will keep growing as organizations work to turn their data centers into cloud platforms of their own. With more cloud-related breaches and threats, and the rising cost of a data breach, organizations must and will invest time, energy, and resources in securing their data and digital assets across the different cloud platforms they use.
The convergence of security and performance: The trend has already started, and 2019 will see a greater convergence of security and performance. Agility and performance do not have to be at loggerheads with security. Application security that keeps agility and performance intact is available through comprehensive cloud-based security services such as AppTrana.
Engage a managed, cloud-based security service like AppTrana and ensure that business agility, performance, and growth are not traded away for security, or vice versa.