
How to Avoid Vulnerabilities in Your Code


Learn some common appsec misconceptions and how you can avoid vulnerabilities in your software projects, including a look at Hoursec.
In recent times we have witnessed several information security breaches worldwide: vulnerabilities, ransomware, man-in-the-middle attacks, and other problems that become headaches not only for the engineering team but for the whole company, and even for the customers of your product. What if we told you that most security problems could be avoided? This article covers the importance of information security and how to include it throughout the development process: the so-called DevSecOps.

There are three taboos in the area of software development that we need to talk about in order to start addressing information security more consistently.

The first of them is the simplest to state: most security flaws, with their respective impacts and damages, are commonly associated with large companies such as Facebook, LinkedIn, and others. However, this is not a problem unique to large companies; a study by codegrip reports that three out of four applications currently in use have some vulnerability.

According to IBM's latest vulnerability research report, this idea is far from true. To give you an idea, about 38% of business was lost by companies that had a security breach. In addition, there are some average loss estimates:

- An average of 180 USD for each record of personal information.
- 4.62 million dollars was the average cost of a ransomware breach.
- $3.61 million for every breach of hybrid cloud environments.

In practice, a vulnerability also impacts brand trust and credibility. A recent example was Target, which had to shell out nearly $200 million to repair its credibility.

Of all the myths, this is the biggest fallacy of all!
In general, the "minor problems" are precisely those that result in the most extensive security disasters, and we can say that failures usually present through two gaps:

Through a code vulnerability, introduced intentionally or unintentionally: here we encounter flaws such as insecure design, injection, and configuration issues, all of them within the OWASP Top 10.

Through a vulnerability in operations: among the most common problems we can mention the choice of "weak passwords", default passwords, or even the lack of any password. A second common failure is the mismanagement of people's permissions to a document or system. These types of problems are, unfortunately, quite standard. Not by chance, 75% of Redis servers have issues of this type.

By analogy, we can say that security flaws are like the case of the Titanic. Although it is considered one of the biggest wrecks, most people are unaware that the ship had a "small problem": the lack of a simple key that could have opened the compartment holding the binoculars and other devices that would have helped the crew spot the iceberg in time and prevent the collision.
