There have been many surveys and reports into what companies think and what they do about security. There have been other surveys and analyses of breaches and vulnerabilities and threats. What is missing is a correlation and analysis of the relation – if any – between theoretical attitudes and practical effects. This is something WhiteHat Security seeks to remedy in its latest annual report: the Website Security Statistics Report. For the first time it combines a response survey of attitudes towards security with the empirical evidence of website security gathered by its Sentinel product, and attempts to correlate the two.
The result is confusing to say the least. In some areas it is what could be expected and hoped for; but in others it is simply counter-intuitive. For example, the organizations that include “some amount of instructor-led or computer-based software security training for their programmers” experienced 40% fewer vulnerabilities and resolved them 59% faster than other companies. That is to be expected and demonstrates that following ‘best practices’ – in this case, training – works. But the same group “exhibited a 12 percent lower remediation rate.” That was not expected, and demonstrates that following best practices does not necessarily work.
To be fair, ‘best practices’ is a difficult concept. Back in November 2012, WhiteHat’s founder and CTO Jeremiah Grossman blogged, “I’m fairly confident there are few, if any, ‘best-practices’... I’m convinced that different application security activities...are best suited in different scenarios. In fairness, I must admit that I’ve a limited amount of data that backs up my assertion,.” Well, now, following his own new report, he has the data to back up his assertion; and he appears to be right.
It may be, and the report acknowledges this, that this first analysis is just a snapshot in time. “One explanation may be that these metrics are precisely WHY these organizations [recently] acquired the technologies and they will eventually reap the benefits down the road (e.g. have fewer vulnerabilities). This remains to be seen.” If this is true, and WhiteHat continues with this methodology in future annual surveys, then over time Grossman may be able to isolate those best practices that actually have a universal benefit.
But this doesn’t mean that the current report fails to provide meaningful insights that can be acted on right now. There are two particular areas where it provides empirical evidence for what is otherwise just opinion. These areas are accountability and compliance. It is common sense that that somebody needs to be accountable for security; but previously no real evidence to prove the assertion. The current state is that accountability is confused. Twenty-seven percent of respondents to the survey suggest that the Board was responsible, 24% said software development, 19% the security department, and 18% said executive management.
But there is a need is for somebody, not some department, to be accountable, and to have authority. “By analyzing the data in this report,” it says, “we see evidence of a direct correlation between increased accountability and decreased breaches.”
The compliance issue confirms the suspicion of many security experts; that concentration on compliance can have a negative effect on security. There is a contradiction here. The data demonstrates that conformance to compliance requirements is the number one driver for the remediation of vulnerabilities; but if remediation isn’t necessary for compliance, it tends to be ignored. WhiteHat suggests it may be a funding issue. “When organizations are required to allocate funds towards compliance, which may or may not enhance security, there are often no resources left or tolerance by the business to do anything more effective.”
Overall, what the data tends to show is a laissez-faire attitude within many companies; with few security champions willing or able to drive the security process forwards. “It is apparent that these organizations take the approach of ‘wait-until-something-goes-wrong’ before kicking into gear unless there is some sense of accountability,” said Grossman. “This needs to change, and we believe there is now an opportunity for a new generation of security leaders to emerge and distinguish themselves with an understanding of real business and security challenges.”