Poor programming, app design bolster data breaches

08 January 2013

With data breaches on the rise and the costs stemming from them escalating exponentially, human error is often the culprit. But there’s a deeper issue: poor application design and faulty programming are all too common.

It’s more important than ever to create secure applications during the development phase, but very few strides have been made along that path, according to Pieter Danhieux, an instructor at the SANS Institute and co-founder of the security and hacking conference BRUCON in Belgium. The teaching of application design and programming needs to undergo a substantial change because students are not taught and have not practiced secure design processes at an early enough stage, he asserted.

“Programming students will typically attend a single module on security during a course and it often comes in the later part of the educational cycle,” he explained. “The result is often a class of very talented developers but they don’t think with security in mind.”

That leads to poor security practices such as building applications with buffer-overflow and SQL injection vulnerabilities that are widely exploited by hackers. Danhieux also said that many of the fundamental mistakes that he was exploiting as a penetration tester 10 years ago are still the most common issues today.

Approaches for combatting data breaches, from development to client password policies, need to be supercharged in the face of a growing threat, he said. “The US is one of the only countries with a well-developed disclosure culture around security breaches, so the assumption might be that there are relatively few incidents and that America is the epicenter,” Danhieux said. “I can tell you for a fact that the scale of the attacks is at epidemic proportions and it is organized, well-funded and global.”

Thus, website designers, architects and developers must learn web app vulnerabilities in depth, along with tried-and-true techniques for finding them through a structured testing regime. “The goal is to learn the skills of an attacker so that students can become better defenders,” Danhieux said.

That’s not to say human error isn’t still a big part of the problem. “You can’t say it’s just down to insecure program design,” he noted. “The bigger problem is still due to insecure passwords, over-privileged users and poorly patched systems.”

Danhieux is familiar with the reality on the ground in his work for BAE Systems Detica, an information intelligence company. “We deal with incidents and security assessment results every day, and when you look at the root cause analysis, 80% of the time it was one of these issues,” he said.

This article is featured in:
Application Security  •  Data Loss  •  Identity and Access Management  •  Industry News  •  Security Training and Education

 
