Last week, we released our Secure Coding Report: Injection Vulnerabilities, which shows that training software developers to protect against one of the most critical exploits on the web, and one of the OWASP Top 10, is far quicker and easier than you might think.
Analyzing approximately 140,000 HackEDU exercises, our report highlighted that while over 50% of developers need more training in secure coding practices, it takes less than 10 minutes for 93% of developers to successfully identify and fix SQL Injection (SQLi) vulnerabilities and protect their organization from a significant data breach. But how can training on Injection flaws ensure that security becomes part of the entire software development lifecycle (SDLC), and what can you do to reduce risk in minutes?
Injection Vulnerabilities are a ten-year problem
Across the cyber landscape, although a variety of risks are encroaching on organizations on all fronts, the OWASP Top 10 ranks Injection vulnerabilities as one of the biggest threats to securing businesses – a spot they have held for over 10 years. This is a clear indication that this type of vulnerability is endemic in web application development.
What’s more, findings from HackEDU analysis with Derek Brink, VP and Research Fellow at Aberdeen Strategy and Research, highlight that the likelihood of applications having an Injection flaw ranges from 0% to 19.09%, with a median of 3.37%. And recent studies have found that almost 1 in 3 organizations are vulnerable to SQLi. These exploits involve an attacker using the application’s standard data input interface to a SQL database to insert their own database query, which can potentially compromise the privacy, integrity or availability of the database, or execute other database admin operations. Alongside Cross-Site Scripting (XSS), XML External Entities (XXE) and Command Injection, SQLi is in fact one of the oldest and most easily mitigated web application vulnerabilities out there.
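The mitigation developers learn in this kind of training is to stop splicing input into SQL text and bind it as a parameter instead. The following is an added illustration, not code from the report or from HackEDU’s exercises; it uses an in-memory SQLite table with constructed rows so it runs offline, and shows the same lookup written both ways.

```python
import sqlite3

def build_db():
    # Constructed sample data standing in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # Injection flaw: the untrusted value becomes part of the SQL statement,
    # so quote characters in it are parsed as SQL rather than as data.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_fixed(conn, username):
    # Remediation: a bound parameter is handed to the driver separately from
    # the statement text, so it is only ever compared as a value.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

def compare(username):
    # Return the row count each variant produces for the same input; the
    # vulnerable variant reports "error" when the input breaks the statement.
    conn = build_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, username))
    except sqlite3.Error:
        vulnerable = "error"
    return {"vulnerable": vulnerable, "fixed": len(lookup_fixed(conn, username))}

if __name__ == "__main__":
    for name in ("alice", "o'brien", "nobody' OR '1'='1"):
        print(repr(name), compare(name))
```

A legitimate name containing an apostrophe already breaks the concatenated version, while a crafted value widens the WHERE clause to every row; the parameterized version returns exactly one match for the first and none for the second.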
Solving the Injection Vulnerability Conundrum
Derek Brink’s analysis of the HackEDU exercises, specifically designed to train on secure coding practices against Injection vulnerabilities, found that only 45% of the developers were 100% successful in their first attempt. Therefore, over half of developers are set to benefit from further support on why security matters and how to secure their code against Injection flaws.
The findings also highlighted that by the end of the training program, 93% of developers had learned the necessary skills and were able to fix Injection vulnerabilities, helping to safeguard their companies from critical data breaches. Considering the average breach now costs an organization $4.24m according to IBM’s Cost of a Data Breach report, any opportunity to reduce this risk and protect an organization from such financial damage should be a top boardroom priority.
Next Steps to Overcome an AppSec dilemma
With no sign of the high levels of cybercrime being experienced by organizations abating anytime soon, it has never been more important to prioritize secure coding training to help mitigate risk.
Yet owing to the ever-increasing levels of digital transformation being demanded of and by companies, pressure is being piled on developers to constantly evolve apps to keep pace with this change. With 51% of developers now writing 100x the volume of code compared to 10 years ago, it is particularly concerning that the code being developed isn’t necessarily safe or secure. And the siloed team approach to innovation has meant that some developers are operating under the assumption that security is the responsibility of the AppSec team, not theirs.
To shift left and move closer towards a culture of DevSecOps, this mindset needs to change. Security can no longer be an afterthought, and application security can stop being a dilemma – especially when secure coding training is so effective and quick to implement. Baking security into the SDLC from the start can both save costs and protect an organization from a critical breach. To make this possible, there are a number of best-practice considerations that will enable a team to get the most out of a training program. These include setting measurable goals, prioritizing communication with both stakeholders and developers, and embracing learning science principles.
Click here to learn more about best practices for implementing secure coding training and for a more in-depth look at our Injection vulnerabilities research.