It’s usually the simple things in life that create the most problems – we’ve all learned this universal law the hard way. Be it slick tires when driving in the rain, that extra decimal point when doing our taxes, or a bad Ethernet patch cable that’s discovered after hours of computer troubleshooting, it seems that the small stuff (the things we take for granted) cause the biggest problems. Interestingly, web security is no different.
There are many people in IT, security, and software development that would like to make you think that their ninja-like hacking abilities or theoretical web flaws that require dozens of pieces to fall into place before someone can exploit an insignificant web interface on a training room printer are worthy of you and your team dropping everything and focusing on that. The funny thing is, it’s not the complex and mysterious hacks that bring down corporations. Instead, it’s the silly, often inexcusable, low-hanging-fruit that gets most people into trouble such as passwords, patches, application architecture, and general system configurations.
The ongoing research finds these same things, the breach databases underscore it, and it’s exactly what I see in my work performing security assessments and serving as an expert witness on legal cases. It’s almost always the little stuff.
As much as many people – especially your technical staff – won’t admit it, 80 percent of your web security problems come from 20 percent of the vulnerabilities. People see what they want to see. People also want to keep chasing other opportunities. Fixing the boring basics is not as fun as exploring new frontiers in web security. That still doesn’t make it right for the business.
Start asking the hard questions of those who are managing web security in your business.
Ask how the basic security flaws are being tested for – both with automated web vulnerability scanners and through manual analysis. Ask what the real impact of the vulnerabilities uncovered would be to the business. Know that experience counts. Good tools and knowing what to look for are critical. Yet, still, it doesn’t require a “cyber warrior” with a Ph.D. to uncover the big stuff.
Prevention is much easier than reaction with web security. We know what’s eating us. Focus on the givens. No further diagnosis is needed – at least until you fix the fixable. Stop kicking the can down the road and planning to let someone fix the basics. There is no better opportunity or return on your web security investment than to fix the crazy stuff that’s right before your eyes this very moment.