Some notable stats showed up in the recently released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,” there still seems to be a significant knowledge gap among business leaders with respect to the threats that prominent cyberattacks pose to their organizations. Only 14% of business leaders in this report were aware of the Dyn attack that brought down large swaths of the Internet back in October 2016, and a paltry 8% of those surveyed were aware of the patchable Apache Struts vulnerability exploited in the Equifax data breach.
If executives sponsoring software development and/or acquisition projects do not have at least a basic level of awareness of cyber security threats, they will fail to ensure that application security is successfully built into those projects. Veracode’s survey also found that 65 percent of all internally developed applications did not successfully address the OWASP Top 10 security vulnerabilities. Ensuring your applications are securely designed to avoid these vulnerabilities should be considered a baseline requirement of any software development project. Asking for evidence of secure coding practices from any software supplier should be a baseline requirement of any RFP.
To stay well-informed about cyber security threats, vulnerabilities, trends and risk mitigation strategies, we recommend:
- Subscribing to alert/advisory feeds like US-CERT, ICS-CERT, The National Vulnerability Database, etc.
- Joining an information sharing organization – your industry may have an ISAC already; Stoel Rives is a member of the LS-ISAO
- Following prominent security professionals with easily-digestible blogs, like Bruce Schneier and Brian Krebs
- Meeting regularly (at least quarterly, but monthly is better) with the person or vendor in charge of your information security program to review threats and action plans
- Conducting annual risk assessments using a qualified third party to get independent, expert feedback on your overall security posture
- Requiring that all members of your organization participate in regular cyber security training