July 25, 2013

What Can Happen On Your Watch? Exposing the SDLC Myth

We’ve all seen it happen in the movies before. The security guard walks the hallways once an hour, looking for broken locks and open doors and windows. Between patrols, thieves break in through an unprotected air vent and steal the diamond.

Web application breaches aren’t much different. Besides a vulnerability, they also require an opportunity: a window of time in which the vulnerability is live and reachable.

In the Annual WAAR report we just released, an interesting figure came up. Some of the applications we monitored for 180 days saw attack attempts on up to 176 of those days. That’s 98% of the time!

Is SDLC really solving your security problem?

The software development lifecycle (SDLC) is an ongoing process, and its security element usually takes the form of code review and vulnerability cleanup when a new version is released. While the SDLC is a critical ongoing process, its security portion comes only near the end, right before a version is finalized. In between releases, new vulnerabilities and misconfigurations keep being found.

In an average organization, the security component of the SDLC is designed to fix vulnerabilities as they’re discovered, either as part of the software’s release process or as new vulnerabilities are publicly found and reported. Schematically, the process looks like this:

  • A consultant/QA engineer/Automated Scanner finds and reports a vulnerability
  • A developer is assigned to create a patch to fix it
  • The patch is deployed in a staging area to validate it
  • The patch is deployed to production, or goes into the final release, and all’s good

At best, this process takes approximately 30 days.

Now, the fact that a vulnerability was found means it existed in the application before it was found. According to data presented in WhiteHat’s Annual Report, it’s not uncommon for sites to sit in a “pre-fixed” condition for about 150 days.

All told, that’s roughly 180 days of exposure (about 150 days before discovery plus 30 days to fix) during which the vulnerability is live.

What does this mean?

If the application is vulnerable for 180 days and is being attacked on up to 98% of those days, attackers will find and exploit that vulnerability. It’s only a matter of time.

While the SDLC helps secure the application in the long run, it runs on a periodic basis only and requires a long window before the application can be fixed.

Organizations need a different approach to plug these gaps.

What should you do?

Banks no longer rely only on guards doing hourly patrols. They also rely on alarms, window breach sensors, locks, and entry audits to protect their monetary assets. It’s time for companies to do the same to protect their digital assets.

Here’s how:

  • Deploy a WAF that monitors application access and behavior in real time
  • Use automated scanning to increase the velocity of security checks on new applications
  • Keep systems current with vendor patches, and virtually patch zero-days until a code fix ships
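To make the third point concrete, here is an added example (written for this article, not code from the original post or from any product) of what a “virtual patch” looks like in practice: a request filter that sits in front of the application and blocks exploit attempts against one known bug while the real fix works its way through the 30-day release process. The vulnerable endpoint (/search), the parameter (q), the ticket id and the sample traffic are all constructed for the illustration.

```python
"""Minimal virtual patch: a WAF-style rule scoped to one endpoint/parameter."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class VirtualPatch:
    """One rule that stands in for a code fix that has not shipped yet."""
    ticket: str          # hypothetical tracking id of the real fix
    path: str            # only this endpoint is affected
    param: str           # only this parameter reaches the vulnerable code
    pattern: re.Pattern  # what an exploit attempt looks like in that parameter


# Constructed scenario (not from the article): /search passes 'q' into a SQL
# query unsafely; the proper fix is in the release pipeline. Until it ships,
# block a quote followed by SQL keywords/metacharacters in that one parameter.
PATCHES: List[VirtualPatch] = [
    VirtualPatch(
        ticket="APP-1234",
        path="/search",
        param="q",
        pattern=re.compile(r"""['"]\s*(or|and|union|select|--|;|/\*)""", re.IGNORECASE),
    ),
]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str = ""


def _collect_params(method: str, url: str, body: str) -> Tuple[str, Dict[str, List[str]]]:
    """Decode query-string and form-body parameters once.

    parse_qs percent-decodes, so %27 is inspected as a literal quote.
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return parsed.path, params


def inspect_request(method: str, url: str, body: str = "") -> Decision:
    """Decide whether a request may reach the application.

    Rules are scoped to path + parameter, so the virtual patch only touches
    traffic that can hit the known bug and leaves everything else alone.
    """
    path, params = _collect_params(method, url, body)
    for patch in PATCHES:
        if path != patch.path:
            continue
        for value in params.get(patch.param, []):
            if patch.pattern.search(value):
                return Decision(False, f"{patch.ticket}: {patch.param}={value!r}")
    return Decision(True)


# Constructed sample traffic: three benign requests, two exploit attempts.
SAMPLE_TRAFFIC = [
    ("GET", "/search?q=laptop", ""),
    ("GET", "/search?q=it%27s+on+sale", ""),          # apostrophe, not SQL
    ("GET", "/search?q=%27%20OR%201%3D1--", ""),      # ' OR 1=1--
    ("POST", "/search", "q=x%27+union+select+1%2C2"),  # x' union select 1,2
    ("GET", "/about?q=%27%20OR%201%3D1--", ""),       # other endpoint: not covered
]


def run_sample() -> Dict[str, object]:
    """Filter the sample and return the counts a monitoring console would show."""
    decisions = [inspect_request(m, u, b) for m, u, b in SAMPLE_TRAFFIC]
    blocked = [d.reason for d in decisions if not d.allowed]
    return {"total": len(decisions), "blocked": len(blocked), "reasons": blocked}


if __name__ == "__main__":
    for reason in run_sample()["reasons"]:
        print("blocked:", reason)
```

Two design points matter here. The rule is tied to a ticket so it can be retired when the real fix is deployed, rather than accumulating as permanent debt; and it is scoped to one path and parameter so it does not start rejecting legitimate traffic elsewhere. It is also a stopgap, not a fix: a filter only sees what its decoder normalizes (this one decodes once, so double-encoded or differently-encoded payloads need separate handling), which is why the list above pairs virtual patching with real patching rather than replacing it.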
