Sunday, December 9, 2018

Quora has been hacked, but you can do these 4 things to avoid being breached

The quora hack proves that no company with web or mobile applications is safe from being hacked. Don't these words, uttered some years ago, sound so ironic and prophetic in this day and age:
There are only 2 types of companies: those that have been hacked and those that will be hacked.
Don't just disregard that line of thought because you think it is too dramatic or unlikely. The most recent stats about today's cybersecurity environment paints a bleak picture, especially for small and medium companies that don't have the financial firepower to spend millions on cybersecurity protection:
  • 61% of breach victims in 2017 were businesses with under 1,000 employees
  • It takes on average 50 days to recover from a cybersecurity attack
  • Large companies spend an average of $3.7 million annually to defend against cyber attacks
But, it's not only hackers that are interested in your application's security resilience (or lack thereof). A study by IBM Security found that cybersecurity resilience is now the second most important factor that tech buyers consider during their buying journey.

So answer this now: can you really afford to keep putting off taking action on your application's cybersecurity resilience?

If you agree that you need to take action to improve your cybersecurity resilience today, here are 4 actionable ideas you can start implementing right away:

1. Conduct vulnerability scans before every release

Black-box vulnerability scans are a bare-necessity before you ship every release of your web and mobile applications. This is because vulnerability scans will give you a great ROI when you compare the outcomes and certainty you will get versus the time and expense to execute them.

Vulnerability scans won't identify all security flaws in your application and cloud infrastructure, but they will likely identify the most glaring ones, especially if your scans test for the vulnerabilities listed in the OWASP Top 10.

2. Conduct a full penetration test if it's been more than 6 months

A full penetration test is designed to follow a rigorous testing regime to examine every nook and cranny of your applications and network infrastructure to detect security vulnerabilities.

If a vulnerability scan is like topping up the engine oil of your car, a penetration test is like a full engine rebuild. Our 121 Critical Cybersecurity Testing Guide lists many of the tests that our security testers execute during a penetration test.

While the tests in our guide will appear exhaustive to you, a really effective penetration test requires a security tester to follow more than just a pre-defined testing framework. That's why it is vitally important that your penetration testing plan is customised to the needs of your application and cloud infrastructure.

Without this customised testing plan many security vulnerabilities within your application and infrastructure may be left undiscovered.

Assuming that you are conducting regular vulnerability scans, we recommend that you conduct a full penetration test every 6 months or when 20% or more of your code base has been modified - whichever comes sooner.

By no means is this is a fool-proof plan that will guarantee that you never get breached. However, this system of cybersecurity testing represents the best balance between time, cost, effectiveness and ROI.

3. Inject security compliance checks into your software design & development process

We find this to be the most overlooked part of our customers' software development process. Most dev teams will take care of the finest technical details, but will never consider the cybersecurity impact of their decisions and actions. If this sounds familiar, I implore you to act now.

Download our Application Security Checklist For Software Developers and share it with your team. There are a number of questions within this guide that should be asked by your application architects and development team starting from the design phase and continuing during development.

Best practice in this area is to include AppSec validations within the official design and development approval process. By asking the right 10 questions before a line of code is written, you will be able to minimise the number of security vulnerabilities shipped with each release.

Prevention is always better than cure. Even in application security. Who would've thought, huh?

4. Remember: culture eats strategy for breakfast

Answer this for me: why do new airlines have more crashes per thousand flights than airlines that have been around for 50 years? It's because older airlines have a CULTURE of safety. A know-how and manner of operating that kneels at the alter the ultimate truth in the airline business: dead passengers don't buy air tickets.

Unfortunately for you and your team, you don't have 50 years to build a culture of security around your networks and your applications. You must play catch up and you must do it every day.

Building a culture of any type requires top-down action. And cultures are built on making sure everyone is doing the 1-percenters right all day, every day. If you need to be "pedantic" (or even draconian) for a while to ensure that your team understands why you're building an enhanced culture of security, then so be it.

Your reputation, your products and your entire team will be thankful that you instilled this new culture of security when they realise that you remain one of the few among your competitors that has never had to send that dreaded email to customers to tell them that they've been hacked.

Culture may take a long time to build and be the most difficult action item on this list, but it is that one intangible that comes closest to being that magic bullet that will keep your application's security resilience at a higher level for longer.

If you need a fixed-fee penetration testing quote and a customised pen testing plan that delivers you tremendous value, speak to us understand why working with Audacix for your pen testing needs will be a decision that delivers an amazing ROI for you, your brand and your users.

At the very least, download our guide to the 121 Critical Cybersecurity Tests you must conduct before shipping your web and mobile applications. It could just save your product and your company from much embarrassment and even the loss of you and your team's livelihood.
SaaS Brief