Credit reporting firm Equifax (EFX) reported Thursday hackers had accessed Social Security numbers, driver’s license numbers, and other vital personal data of 143 million people in the US.
Little was revealed about the details of the cybersecurity breach, other than it stemmed from an exploited web application. Even without specifics, Equifax’s hacking illustrates a larger trend in tech companies — a clear lack of focus on software security.
Verizon’s data breach report, a comprehensive state-of-the-union for internet security, found that web applications are responsible for the most breaches across industries. “Although attacks on web applications account only for 8% of overall reported incidents, attacks on web applications accounted for over 40% of incidents resulting in data breach, and were the single-biggest source of data loss,” the 2016 report says.
A web application is essentially any web page that interacts with you, instead of simply giving you text or images. For example, a user might input a query and get something back. One way to launch a cyberattack would be to tweak that query so the information that comes back is more comprehensive. One popular attack like this is an SQL injection attack, which might confuse a database into providing a full dossier of information when just being asked for a name or address.
“It’s not a surprise given the low priority”
While it’s not a secret that vulnerabilities in web applications are a problem, there is curiously little defense against them.
“Application security is really not a top priority for most security groups,” Rohit Sethi, COO of Security Compass, an ethical hacking and software security firm, told Yahoo Finance. “From our perspective, it’s not a surprise given the low priority.”
Much of this low priority comes from industry “best practices,” Sethi said. Often when someone wants to design a security program, they consult these practices and for many, there is little to no mention of application security. “You could be compliant with best practices and have nothing by way of web application security,” he said.
Instead of software security to defend against this kind of attack, the focus is often wholly on network security instead, which is usually considered the frontline for cybersecurity. This leaves software security as a job for automated testing tools and scans rather than a duty for trained human beings. “It certainly doesn’t approximate what a human being can do,” Sethi said.
“There’s this willful ignorance to make a better ‘fire code'”
Today, companies view getting hacked like getting a cold, something that will inevitably happen. With that mindset, the focus shifts from the prevention to the response.