What Can Happen On Your Watch? Exposing the SDLC Myth
We’ve all seen it happen in the movies before. The security guard walks the hallways once an hour, looking for broken locks and open doors/windows. While he’s in between patrols, thieves break in through an unprotected air vent and steal the diamond.
Web application breaches aren’t much different. Besides a known vulnerability, they also require an opportunity: a window of time during which the vulnerability is live and ripe for exploiting.
In our Annual WAAR report that we just released, an interesting figure came up. For some of the applications we monitored for 180 days, attack attempts were observed for up to 176 days. That’s 98% of the time!
Is SDLC really solving your security problem?
Software development lifecycle (SDLC) is an ongoing process for companies, which includes a security element in the form of code review and vulnerability cleanup when a new version is released. While SDLC is a critical ongoing process, the security portion of it only comes near the end, right before a version is finalized. However, in between releases, vulnerabilities and misconfigurations can still be found.
In an average organization, the security component of SDLC is designed to fix vulnerabilities as they’re discovered, either as a part of the release process of the software, or as new vulnerabilities are publicly found and reported. Schematically, the process looks like this:
- A consultant/QA engineer/Automated Scanner finds and reports a vulnerability
- A developer is assigned to create a patch to fix it
- The patch is deployed in a staging area to validate it
- The patch is deployed in production or towards the final release, all’s good
At best this process takes approximately 30 days.
Now, the fact that a vulnerability was found means that it existed in the application before it was found. According to data presented in WhiteHat’s Annual Report, it’s not uncommon for sites to be in a “pre-fixed” condition for about 150 days.
All told, there are roughly 180 days of exposure while the vulnerability is live.
What does this mean?
If the application is vulnerable for 180 days and it’s being attacked up to 98% of the time, hackers will find and exploit that vulnerability. It’s inevitable, really.
While SDLC helps to secure the application in the long run, it is done on a periodic basis only, and requires a long window before the application can be fixed.
Organizations need a different approach to plug these gaps.
What should you do?
Banks no longer rely only on guards to do hourly patrols. In addition, they rely on alarms, window breach sensors, locks, and entry audits to protect their monetary assets. It’s time for companies to do the same thing to protect their digital assets.
- Deploy a WAF which monitors application access and behavior in real time
- Use automated scanning to increase the velocity of security checks on new applications
- Always apply the latest patches to your systems, and virtually patch 0-days until a real patch is available