A Lack Of Security Training Contributes To Growing Vulnerability Numbers

The number of vulnerabilities that exist in production software is growing rapidly. In 2019 alone, over 22,000 new vulnerabilities were discovered and publicly reported. Of these vulnerabilities, over a third have a proof of concept or exploit code available. This means that every day in 2019, twenty new vulnerabilities were discovered that could have easily been exploited by cybercriminals.

These vulnerabilities affected a wide variety of different products in a number of different ways. However, many of them boil down to the same mistakes being made over and over again. In fact, 40% of cyberattacks against large enterprises in Europe and North America used a single attack vector: cross-site scripting.

Most application vulnerabilities boil down to a well-known and well-understood programming error. A major reason that these vulnerabilities are still so common and impactful is a lack of security education for the people that need it most.

Over two-thirds of developers and IT professionals say that their organizations do not offer adequate training on application security. Secure coding — which involves working to develop code without these built-in weaknesses — requires an understanding of the types of errors that can place an application at risk.

Applications Can Have A Wide Range Of Vulnerabilities

Software is written by humans, and humans can make mistakes. As a result, applications have design and programming errors and other bugs. Some of these bugs can be used by an attacker to impact the security of the application and its users, making them vulnerabilities.

One of the main problems with secure coding is that there are many different ways for a program to be vulnerable. Some of the most common issues that arise in applications include:

  • Buffer overflows: Buffer overflow vulnerabilities arise from a failure to properly allocate and check the size of memory buffers before using them
  • Integer overflows and underflows: Use of incorrect variable types and insecure typecasting can result in integer overflows and underflows
  • Race conditions: Parallelized programs can contain race condition vulnerabilities due to competitive interactions between execution threads
  • Format string vulnerabilities: A failure to properly specify format strings in functions like printf enables memory to be read or written
  • Command injection: Programs using untrusted user input in a terminal command may be vulnerable to command injection
  • Weak access control: A failure to implement and enforce least privilege can amplify the impact of application vulnerabilities
  • Poor credential management: Inadequately protected user or account credentials can put an application and its users at risk
  • Insecure cryptography: Cryptographic algorithms are sensitive and improper use can eliminate their security benefits
  • SQL injection: A failure to sanitize user input in database queries can leave an application open to SQL injection
  • Cross-site scripting: Cross-site scripting (XSS) vulnerabilities allow an attacker to run code within a website
  • Cross-site request forgery: Cross-site request forgery (CSRF) vulnerabilities enable an attacker to make malicious requests on a user’s behalf
  • Misuse of HTTP and HTML: “Clever hacks” in HTTP and HTML can create data leaks and exploitable vulnerabilities
  • Poor error handling: Error messages can provide too much information to a hacker performing reconnaissance

Each of these classes of vulnerabilities covers a number of different specific flaws that could create a vulnerability. For example, buffer overflow vulnerabilities can be caused by unbounded copies, off-by-one errors and many other issues. However, while it may be infeasible to learn and memorize every code pattern that leads to a particular vulnerability, an understanding of how a particular vulnerability works makes it possible to spot them in a wide range of contexts.

Secure Coding Practices Help To Minimize Exposure

Secure coding is an attempt to use knowledge of common vulnerabilities and programming errors when developing, assessing and testing an application’s code. An awareness of the most common types of vulnerabilities, how to identify them and how they can be exploited is essential to eliminating them from applications and driving down the number of vulnerabilities and exploits associated with production code. This can help an organization to limit its exposure to data breaches and other costly cybersecurity incidents and alleviate some of the high costs associated with identifying and patching vulnerabilities in production.

 

Sources

  1. 37.3% of Vulnerabilities in 2019 Had Available Exploit Code or a Proof of Concept, Risk Based Security
  2. Cross-Site Scripting (XSS) Makes Nearly 40% of All Cyber Attacks in 2019, Precise Security
  3. Key Considerations for Secure Coding Training, Veracode

Be Safe

Section Guide

Howard
Poston

View more articles from Howard

As you grow in your cybersecurity career, Infosec Skills is the platform to ensure your skills are scaled to outsmart the latest cyber threats.

Section Guide

Howard
Poston

View more articles from Howard