A Brief History of Application Security
Computer hackers have a long history of trying to expose and exploit vulnerabilities on networks and in software applications. With the advent of the Internet and subsequent mass deployment of Web applications, attacks can be carried out on a massive scale, and can have profound business and personal impacts. The need to eliminate threats and reduce risk has given rise to an entire industry focused on application security. The history of application security has been marked by research into vulnerabilities, numerous high-profile attacks and subsequent market reactions to these attacks via innovation and more research. Here are some of the highlights and reactions dating back to the late ‘80s:
- 1988 — The first Internet virus, the Morris worm, was unleashed. Although the virus was not meant to be malicious, it took down a significant number of computers connected to the Internet at the time, and cost hundreds of thousands of dollars to fix/remove. The incident caused DARPA to fund the establishment of the Computer Emergency Response Team Coordination Center (CERT/CC) to help deal with these types of attacks.
- 1998 — A security researcher named Jeff Forristal (aka Rain Forrest Puppy) discovered the injection method of attack and detailed his findings on message boards. His findings were a warning to the industry of this imminent threat to data security. Indeed, many attacks followed, such as the SQL injection attack on Guess.com in 2002, which compromised over 200,000 names and credit card numbers. Injection remains to this day one of the top threats to application security.
- 2001 — The Open Web Application Security Project (OWASP) was formed to raise security awareness and promote best practices. As attacks became more varied and sophisticated, the first OWASP Top Ten was released in 2004 to demystify and categorize the most prevalent and critical Web application security vulnerabilities.
- 2004 — The Payment Card Industry (PCI) Standards Council released its first Data Security Standard (PCI-DSS), which outlines minimum security standards for retailers and other businesses that process credit cards. The need to validate compliance to the standard increased the availability of affordable vulnerability scanning solutions.
- Late ’90s and early 2000s — Most of the publicized attacks involved vandalizing and defacing websites or shutting them down via distributed denial-of-service (DDoS) attacks.
- Mid-to-late ’00s — More sophisticated attacks began to occur in which intrusion detection and prevention systems were eluded by cybercriminals, allowing them to steal passwords, credit card numbers and other personal information. AOL, TJ Maxx, Target, Adobe and others fell victim to these types of attacks. The November 2014 attack on Sony Pictures Entertainment, during which scores of personal and company-confidential information was compromised, highlighted the profound consequences that can arise from a security breach.
Although there are many more events that could be mentioned, it’s clear from these few examples that, over time, attackers have evolved from isolated individuals with a reckless bravado, to organized groups of cyber criminals who perform malicious acts for financial, political or ideological gain.
With researchers, governments and corporations investing more in security in the early 2000s, the industry was able to slow the growth of reported vulnerabilities. According to IBM X-Force, the annual growth rate in disclosed application vulnerabilities was 60% from 1996 to 2006, and only 9% from 2006 to 2014. This is presumably due to the introduction of more compliance standards and wider adoption of secure coding practices and in-house scanning tools.
Attackers continue to improve their tactics however, and new vulnerability disclosures continue to trend upward. The onslaught of mobile applications for example, has given hackers a new target. In late 2014, The CERT/CC developed a new method to scan for SSL vulnerabilities in Android applications on the Google Play Store, which resulted in more than 20,000 reported vulnerabilities.
Most known vulnerabilities can be easily addressed with secure coding practices and validation testing. Security Compass helps organizations adopt best practices to develop more secure applications. Our solutions can save time and money by removing possible vulnerabilities early in the software development lifecycle. Take a look at SD Elements and find out how it can help you stay one step ahead of cybercriminals.
Originally published at labs.securitycompass.com.