Software brings tremendous value to organizations, but it also carries significant risk. Malicious cyberattacks continue to rise at a rapid pace. According to the Identity Theft Resource Center and CyberScout, data breaches increased by 40 percent in 2016, and that was after a record year in 2015. With the ongoing upsurge in data breaches, many now see software as a potential liability for an organization. Ours is such a data-driven economy that criminals have realized they can cause serious damage to companies, governments and other entities by breaking into their information systems and stealing, corrupting or deleting valuable data. These breaches are extremely costly to organizations, not only financially but also in reputation.
Just look at Target. In 2013, attackers stole payment card data and personal information belonging to as many as 110 million customers. The breach cost the retail giant approximately $162 million, in addition to a decrease in sales and, for a time, a black eye to its reputation.
It’s no wonder that “94 percent of CISOs are concerned about breaches in their publicly facing assets in the next 12 months, particularly within their applications,” according to a January 2017 Bugcrowd study. Despite these concerns, another survey of over 500 IT decision makers found that 83 percent of respondents release their code before testing it or resolving known weaknesses (Veracode, September 2016).
Software is at the foundation of most cybersecurity attacks. The Software Engineering Institute has stated that 90 percent of reported security incidents result from exploits against defects in the design or code of software. If a network router is compromised, the attacker almost certainly went through the router’s software (its firmware, management interface or exposed services), not a flaw in the hardware itself. These breaches pose such a significant threat to an organization’s value that software developers must make application security an integral part of the software development lifecycle rather than a check performed just before release.
Finding and fixing vulnerabilities early in the software development lifecycle reduces risk to the business and increases the value the software can deliver, because a defect caught in design or code review costs far less to correct than one patched in the field after release. Consider Adobe Flash Player, a product used by many websites to enable interactivity and multimedia. In 2015 alone it received more than 300 patches (TechBeacon’s Application Security Buyer’s Guide). Developing and shipping those patches is a drain on both time and money. On balance, though, the risk Adobe would run by not providing them would be far greater, and it would damage both Adobe’s value and the value of the organizations using its product.
So if an application has, say, 500 known weaknesses, the organization may not have the time or money to fix all of them before an imminent release. The development team needs to collaborate with the business unit to determine which vulnerabilities pose the highest risk to the business (negative business value) and which ones, if remediated, will deliver the most value. It is not unusual for developers to start with the vulnerabilities that are easiest to resolve; a cosmetic finding on a low-value asset is quick to close, while an injection flaw in the payment path may take days. It is critical to step back and prioritize identified vulnerabilities by business risk instead: how likely the flaw is to be exploited, what the affected asset is worth, and what the business loses if it is compromised, rather than by ease of fix.
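As an added illustration, not part of the original article, the Python sketch below ranks a constructed set of findings two ways: by remediation effort, which is what “fix the easiest first” produces, and by a simple business-risk score (likelihood of exploitation times the value of the affected asset), then builds a fix plan inside a fixed effort budget under each ordering. The finding list, the scoring weights and the 20-hour budget are assumptions chosen for the example, not a published standard or real scan output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    cvss: float            # technical severity, 0.0 - 10.0
    public_exploit: bool   # exploit code is publicly available
    internet_facing: bool  # reachable from the public internet
    asset_value: int       # business value of affected asset, 1 (low) - 5 (critical)
    effort_hours: float    # estimated remediation effort


# Constructed sample findings for this example (not real scanner output).
FINDINGS = [
    Finding("F1", "Verbose server banner on marketing site", 3.1, False, True, 2, 0.5),
    Finding("F2", "SQL injection in checkout search", 9.8, True, True, 5, 16.0),
    Finding("F3", "Session cookie missing HttpOnly (internal admin)", 4.3, False, False, 3, 1.0),
    Finding("F4", "XXE in internal batch importer", 7.5, True, False, 4, 8.0),
    Finding("F5", "Reflected XSS on marketing page", 6.1, False, True, 1, 2.0),
    Finding("F6", "Hard-coded credentials in payment service config", 8.8, False, False, 5, 24.0),
]


def likelihood(f: Finding) -> float:
    """Rough probability of exploitation in [0, 1].

    The multipliers (x1.5 for a public exploit, x1.5 for internet exposure)
    are assumptions made for this example, not a published standard.
    """
    score = f.cvss / 10.0
    if f.public_exploit:
        score *= 1.5
    if f.internet_facing:
        score *= 1.5
    return min(score, 1.0)


def risk_score(f: Finding) -> float:
    """Business risk = likelihood x asset value, in the range 0..5. Higher is worse."""
    return likelihood(f) * f.asset_value


def easiest_first(findings):
    """The ordering developers naturally fall into: cheapest fixes first."""
    return sorted(findings, key=lambda f: f.effort_hours)


def riskiest_first(findings):
    """The ordering the business should own: highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def plan(findings, budget_hours, order):
    """Walk findings in the given order and take each one that still fits the
    remaining budget. This is greedy, so it is not guaranteed optimal (it is
    a knapsack problem); the point is how the ordering changes the outcome."""
    chosen, remaining = [], budget_hours
    for f in order(findings):
        if f.effort_hours <= remaining:
            chosen.append(f)
            remaining -= f.effort_hours
    return chosen


def risk_removed(chosen) -> float:
    """Total risk score eliminated by fixing the chosen findings."""
    return sum(risk_score(f) for f in chosen)


if __name__ == "__main__":
    budget = 20.0  # assumed hours available before the release
    for name, order in (("easiest first", easiest_first), ("riskiest first", riskiest_first)):
        p = plan(FINDINGS, budget, order)
        print(f"{name:15s} fixes {[f.id for f in p]}  risk removed {risk_removed(p):.2f}")
```

With this constructed data the easiest-first plan spends its 20 hours on four findings and never reaches the internet-facing SQL injection, while the risk-first plan fixes that one first and still has room for three small items. A greedy walk by risk per hour, or a proper knapsack solver, would squeeze out more risk per budget; what matters in practice is that the inputs to the score (exposure, asset value, impact of loss) come from the business unit, not from the developer’s sense of what is quick to fix.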
Mike Harris, CEO