“We Didn’t See It Coming:” What Cyber Attacks, and A Virus That Stopped the World, Can Teach Us.
There are application security lessons to be learned in a crisis. As our world is rocked by a tiny strand of genetic material, encapsulated within a lipid/protein shell, an honest look at how we’ve responded – and the impact of those responses – will teach us some valuable lessons. We can apply these insights to the world of application security, and learn from them. If we are willing.
Lesson 1: It’s Time to Wake Up. No, Really.
We’re numb. Let’s face it: we were numb to the presence and impact of SARS-CoV-2 elsewhere. Just as we are numb to cyber threats. After all, we’d heard about viral infections for decades, and they happened to someone else, in some other part of our world; they affected some other person. And every time, things turned out okay, right? No big deal. Nothing to see here. Move on. Similarly, stories of computer viruses are nothing new. Lulled into a false sense of security, we fell asleep at the proverbial wheel. If we’re honest with ourselves, many of us thought: it won’t happen to us, remember? But the results speak for themselves, both in the global health arena and in our data-driven, tech world.
The lesson? Our way of life is actually as fragile as it is resilient. The global pandemic demonstrates how a simple virus turned our lives upside-down. But a threat of a different kind lurks within our numbness to cyber-attack. Think about it: There was a time when a successful cyber attack made the news and stayed there for weeks. The Equifax breach of 2017 was a major issue: it exposed the personal and private information of 147 million people. That’s almost half the population of the United States. For some of us, it was the first dent in our trust of cyberspace. Contrast our reactions with life today: we react to a data breach with a shrug, if at all. We got used to hearing about these attacks. Vulnerabilities and breaches to our applications are old hat; they happen to someone else, and it won’t happen [to me.] And if it does happen, well, someone will save the day. We hope.
Okay, we’re awake. So, now what? Now, more than ever, it’s time to provide application security training for the people who are creating, building, and developing the applications that make our modern lives go. Unemployment associated with the coronavirus pandemic has left a number of very smart people with very little to do. And there are enough of those people who merely want to make mischief (think: ZoomBombing), or are vicious enough to want to flat-out damage a company (think: security and data breach at WHO). Training your people to build security into their applications will go a long way in keeping those applications safe.
Lesson 2: Question – When is Finger-Pointing a Worthless Activity?
The lesson goes so much deeper than merely assigning blame, shame or fault. It’s a lesson in responsibility. Which is very distinct from blame/shame/fault. Responsibility begins with the willingness to have the buck stop here. Responsibility means using available resources to build security into the product(s) in the first place, and maintaining the security of that/those product(s). Responsibility calls for us to be proactive, and actually take the actions that make the difference.
Training developers to build security into their applications means that everyone has a hand in the ongoing safety of the product(s). This empowers everyone to be vigilant and diligent, with a healthy respect for the bad actors out there. Security training is a natural expression of a commitment to a safe and secure product. It means we, and the users of our applications, can stay one step ahead of the cyber-security game.
Lesson 3: Denial is Often Deadly.
Denial is actively pretending not-to-know about something. It’s very distinct from ignorance. Ignorance is simply something we don’t know that we don’t know. It’s simply an honest lack of information. We can’t know what we don’t know. On the other hand, we have Denial, which is, in effect, willful ignorance. Willful ignorance is nothing more or less than the foolishness of choosing to ignore existing facts, patterns, and trends. It’s among the most painful lessons that COVID-19 has to offer. Whatever else may have happened as the pandemic has escalated, willful ignorance – denial – has hastened its spread. And people are dying, have died, and will continue to die because of willful ignorance. Because of denial.
The most effective cure for true ignorance is education and information. In a word: training. There is neither cure nor vaccine against the foolishness of denial.
We can apply this lesson to application security. In the face of reports of breaches leading up to and during the biological viral pandemic, there are many who still say, it won’t happen to me/it won’t happen at all. And when it does happen, those same people pretend to be shocked. Some are even offended when someone says, I told you so.
Accepting that malicious actors are out there exploring and exploiting vulnerabilities is smart. Pretending they don’t exist is foolishness. Providing your developers with application security training is a win-win proposition for everyone involved, except the cyber-criminal. You protect:
- The end-user of your product(s);
- Your developers; and
Do the smart thing. Protect the people who matter the most: your customers and clients, your developers, and you.
Training your developers to find and close the vulnerabilities in their builds supports the success and longevity of your organization. Now, more than ever, well-informed, committed action is crucial. Actively searching out the ‘blind-spots,’ those are the areas where training can make the most difference. While training is not the magic bullet against all attacks, it certainly provides a measure of protection that would not exist without it.
What’s the difference that we can make for you? Contact us or Learn More .