
5 reasons why security is harder today than a decade ago

markpainter ‎09-13-2013 01:13 PM - edited ‎09-16-2015 04:42 PM

As I prepared for my presentation on "The Application Security Landscape" for HP Protect conference, (in one slide, even!) my mind began to wander in a lot of different directions. Broad topics will do that for you. One thought that occurred to me is how application security seems harder now than it did 10 years ago in many ways.  Here are my top five reasons why.


Old vulnerabilities remain stubbornly prevalent


Every year, HP publishes the Cyber Risk Report. And each year, Cross-Site Scripting shows up big. Nothing illustrates this point quite like the fact that almost half of the web applications we tested last year were susceptible to some form of a nearly 20-year-old vulnerability. There's a simple reason why this old vulnerability is still creating havoc: Cross-Site Scripting is not easy to prevent. There are too many parameters to check, and not enough time to check them all. Need more proof? Check out how consistently it appears in the OWASP Top 10.
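One reason Cross-Site Scripting is so hard to eliminate is that a single untrusted parameter must be encoded differently for every output context it lands in. The following added example (not code from the original post) shows three context-specific encoders and a renderer that applies the right one to each placeholder; the sample input is constructed for illustration.

```javascript
// Added example: context-aware output encoding, the defensive control for
// Cross-Site Scripting. The same untrusted value needs a different encoding
// in HTML content, in a URL parameter and inside a JavaScript string literal.

// Encode for HTML element content and quoted attribute values.
function encodeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Encode for a JavaScript string literal inside a <script> block:
// every non-alphanumeric character becomes a \xHH or \uHHHH escape,
// so quotes, semicolons and angle brackets can never close the literal.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Encode for a URL query-string parameter.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Render one untrusted "name" parameter into three output contexts.
// Each placeholder is paired with the encoder for its own context;
// using encodeHtml() for all three would leave the URL and script
// contexts exposed, which is the mistake that keeps XSS alive.
function renderProfile(name) {
  return [
    `<h1>Hello, ${encodeHtml(name)}</h1>`,
    `<a href="/search?q=${encodeUrlParam(name)}">search</a>`,
    `<script>var user = '${encodeJsString(name)}';</script>`,
  ].join('\n');
}

// Constructed sample input containing every character that matters
// in at least one of the three contexts.
const sampleName = `O'Neil <&> "Sons"`;
console.log(renderProfile(sampleName));
```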


The application vulnerability universe continues to expand


It's simply the nature of applications that the introduction of new technologies creates unintended pathways that can be leveraged for malicious purposes. We've seen this from the introduction of JavaScript to Web 2.0 and beyond.

What really complicates things is that it's not just the new stuff that's vulnerable—older technologies are showing a remarkable propensity to stay vulnerable. The popular example is Java, but there are more, of course. Flash springs to mind. So does PHP injection, for that matter.

Combine these factors with an explosive rise in research, the rise of mobile applications, automated hacking tools, criminal activities, putting a web front end on everything, and on and on… well, you get the picture. There's always going to be something new, or even old, to worry about.



Access to information

The market for vulnerability information, especially regarding critical ones, has exploded. One reason is the rise in bounty programs: organizations or groups that pay bounties (large sums of cash) for disclosing vulnerability information. HP does this via our Zero Day Initiative (ZDI) group, rewarding security researchers for responsibly disclosing vulnerabilities.

On the dark side of information sharing is a growing black market where nation states, organized crime and even software companies all compete to purchase undisclosed vulnerability information. Hackers have a plethora of tools available to advance their hacking, and more tools seemingly emerge every day. Long story short, getting critical vulnerability information has become easier for the bad guys, especially if they are willing to pay for it. All of this has made life more difficult for security teams.




Unfortunately, cyber-warfare offers malicious evil-doers with global aspirations the biggest opportunity to level the playing field with traditional superpowers. It's much less expensive than traditional forms of attack, it can be conducted remotely, and while “not yet” guilty of causing huge amounts of real world damage, it has the potential to do so. When you realize that most critical infrastructure was never intended to be web-enabled, and now it suddenly is, you can see the true potential scope of this problem.



Lack of standards

I don't necessarily mean legislation here. What I'm really getting at is more abstract. There's simply no systematic way to accurately define application security risk. There are too many subjective factors, too many variables and too many opinions. Organizations know they need 'something' to remain secure, but the 'what' is not always so easily revealed. In fact, it's a continued challenge for security operations teams to source real-world business reasons and metrics that help sell the need for application security.


What's Better?


Is it all doom and gloom? Of course it's not. Security firms are getting much better at tracking down and naming the sources of attacks. This fact alone still has the power to shame nation states into... ok, they just want to cover their tracks better. But it's a start. And Snowden opened a Pandora's Box that opened everyone's eyes to the reality of cyber-warfare in a publicly conscious way that Stuxnet simply didn't. Security products also communicate in a much better and more collaborative manner than even five years ago. (I encourage you to read this datasheet to learn about the communication capabilities of HP ArcSight Application View.) This increased communication leads to better results and fewer false positives. So that's good. And even with the need for better metrics, cyber security is never again going to have to be shown to be necessary.


If you want to hear more about my thoughts on application security, join me at HP Protect Sept. 16-19 in Washington D.C.


