This year's 2016 Verizon Data Breach Investigations Report (DBIR) was a great read. Since I spend my days exploring web application security, the report offered plenty of insight into the space I frequent. Lately, I have been researching out-of-band and second-order vulnerabilities, as well as how Single Page Applications are affecting application security programs. The following three takeaways are my gut reactions to the 2016 DBIR from a web app sec-ian perspective:
1. Assess Your Web Applications Today
Not tomorrow, not next week, today. I don't want to see talented geeks jump on board a hot startup and hear, “Oh, we don't have a security program.”
I look at this report and the huge increase in web application attacks and wonder how ANYONE could still not be taking their web application security program seriously. Seriously? Let's get serious for a slim second.
The research shows a dramatic rise in the web application attack pattern across all industry verticals, with three industries (entertainment, finance, and information) seeing the largest jumps. In those verticals, web application attacks account for 50% or more of breaches, with a notable jump in finance from 31% to 82% in this year's report. The report itself cautions, however, that the finance jump is partly a sampling artifact introduced by the overwhelming number of data points linked to Dridex.
2. Fun, Ideology, or Grudge drove most incidents. Money motivated most theft. Few spies were caught.
At first glance, it appears that all web application hacking in 2015 was driven by grudge-wielding, whistle-blowing people, with no real secret-agent spying going on, though admittedly with a sizable criminal element.
Filter that same data on 'confirmed data disclosure', however, and 95% of the remaining cases are financially motivated. It becomes much more apparent that data disclosure is all about the money.
3. “I value your input, I just don't trust it.” (p. 30)
Unvalidated input remains one of the most fundamental software problems behind web application breaches. From the dawn of client/server software to the modern Single Page Application framework, we have shipped applications with only partially validated inputs, despite having known for decades that inputs must be validated. Unfortunately, this development-culture flaw is unlikely to leave us anytime soon. If you learn one thing from the DBIR, validate your input, folks!
Among the top 10 threat action varieties of 2015, SQL injection (#7) and remote file inclusion (#9) are ever present, and both are a direct result of trusting input in an unsafe manner.
The 'Recommended Controls' for Web App Attacks section in the DBIR states, "validate inputs, whether it is ensuring that the image upload functionality makes sure that it is actually an image and not a web shell, or that users can't pass commands to the database via the customer name field." This is not to say that validating output is unimportant. Rather, input is where most of the initial damage occurs, while output validation mainly limits the information an attacker can gather about the target.
That's it for my take on the 2016 Verizon Data Breach Investigations Report. Be sure to check out the Defender's Perspective, written by Bob Rudis.