AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
As Americans, we love lists. That fact is self-evident when browsing our favorite blog sites, as many blogs start out with catchy headlines like, “The Top 5 ______ (fill in the blank).” The love of lists is rooted deeply in our culture. We loved the Top 40 countdown for generations when it came to the hottest songs on the radio. Every New Year’s Eve we anticipate the unveiling of the Top X of all types of erroneous information concerning the past year. David Letterman made a living with a nightly “Top 10 Reasons” segment of his show. Lists are concise, abbreviated, and fun. It’s no wonder why this adoration for lists is carried into how we approach cyber security. Every three years or so, we look for the unveiling of the OWASP Top 10 Most Critical Application Security Risks because it compiles all those nasty potential risks and vulnerabilities into one simple list.
Ah, if only cyber security were as easy as that.
Tried and True
This isn’t to sell the OWASP Top 10 short. There is a reason why the top 10 risks and vulnerabilities listed in the 2003, 2007, 2010, 2013 and 2017 releases rarely change. Those listed are known exploit methodologies that have been used for years and will continue to be exploited by attackers. In fact, a recent study this year showed that 25 percent of web apps are still vulnerable to eight of the OWASP Top 10. This is why attackers keep going after these same vulnerabilities. This alarming statistic is due to various reasons such as a lack of security resources, the growing complexity of multi-tiered application architectures and, in some instances, apathy.
InfoSec in Years Past…
But think about where the IT industry was when the Top 10 list concept originated. The typical enterprise of that period consisted solely of the traditional, hardware-dominated data center. Web application architecture was in its infancy and the concept of cloud computing was little more than theory. Now contrast that era with the state of IT today, as businesses and organizations scramble to compete in the race to digital transformation. The introduction of new technologies such as virtualization, software-defined networking and cloud computing, together with the proliferation of mobile computing, presents significant challenges for securing web application architectures today. Like today’s data center, the infrastructure that supports today’s multi-tiered web application sites is often a hybrid conglomerate of both on-premises and virtual resources.
The impact of cloud computing alone on network operations is nearly mind-boggling. Companies are now able to deploy armies of new web/application servers in minutes in order to accommodate peak demand and traffic spikes. In addition, web applications are released in real time thanks to the automated delivery pipelines of DevOps. While this practice greatly reduces the delivery time of patches and updates that close exploitable flaws, it also shrinks the window for testing and vetting software code, which may open the door to injection attacks and other risks. The speed at which change is now introduced into our web application infrastructure is like nothing that could have been imagined in 2003.
Keeping Up at the Speed of Threats
Malware and attack methodologies can evolve and spread with stunning speed as well. A classic example is ransomware, which many consider one of the biggest cybersecurity threats of today. Although the beginnings of ransomware first appeared in 2012, it wasn’t until 2014 that ransomware began its rapid ascent. In 2016, ransomware became a billion-dollar industry. If ransomware were a conventional business, its growth would be unprecedented. Another example is the dramatic growth of attacks generated by IoT botnets. Such instances illustrate just how quickly new attack styles and threats can proliferate.
The OWASP Top 10 provides an abbreviated blueprint for security consultants and vulnerability scanning software. Vendors proudly proclaim that their services scan for all ten risk categories. But what about the vulnerabilities that lie outside the abbreviated list? What about #11? What about the hot new vulnerability that may be appearing throughout enterprises across the world, but won’t appear in the top ten until the next scheduled release three years or so from now? Can your company afford to wait that long?
The fact is that, with the speed at which change is introduced within IT today, you need a security partner that doesn’t focus solely on the “Top Ten” but knows how to defend against all of the threat types out there (and those still to come). In 2017, it’s imperative to have a security partner that stays abreast of the latest security threats and the best defense measures. So by all means, review the newest release of the Top 10 Application Security Risks for 2017 and ensure that your network is prepared for them. Just don’t stop there, because vulnerability n+1 is just beyond the list.