
Don’t be like Zoom… (3 Application Security Considerations During the COVID-19 Outbreak)

By April 21, 2020

This post would not be complete without first acknowledging the incredible people who are on the frontlines of the Coronavirus Pandemic. We thank you and appreciate your incredible commitment to the safety, health, and wellbeing of those around you.

Now, more than ever, we must stop learning the hard lessons the hard way. 

It’s a staggering example of “too little too late.” As the coronavirus pandemic spreads around the world, more and more of the world’s working population is staying at home. Around the world, a huge number of us put our trust in conference platforms, like Zoom. Because surely a global video-conferencing application would be secure, right?


Welcome to the world of ZoomBombing. Mischief-makers with nothing better to do caused severe disruptions by intruding on business, academic, healthcare, and personal conferences. And they continue to do so.

But the underlying issues, and their implications, are far more serious. Zoom’s existing (and unaddressed) privacy and security vulnerabilities were found and exploited by mischief-makers. And this is just the tip of the iceberg. This post exposes 3 critical application security issues, each of which, if unaddressed, can rapidly turn into a disaster for everyone involved. That’s why, now, more than ever, application security training is of urgent concern for corporations, their employees, and their customers and clients… in essence, app security affects everyone.

1. Now, more than ever, we need to provide application security training to the other 70% of app developers.

And no, we’re not kidding. We wish we were. But first, ask yourself: would you get on an airplane, knowing that the pilot is only 30% trained? Or that the aircraft is only 30% airworthy? Or that the security officers only screened 30% of your fellow passengers? No? Didn’t think so. Which raises the question: what the heck is happening the other 70% of the time?

The truth is unfortunate. 70% of app developers do not get the kind of training that could help ensure the security of their apps, leaving them open to security issues far worse than ZoomBombing. We’re talking about issues like:

  • SQL Injection; 
  • Cross-Site Scripting; and 
  • Remote Code Execution.

7 out of 10 apps are developed by people with insufficient security training. Let’s really bring this home. Think of all the apps that are installed on your device(s). The average person has 60 – 90 apps on just one of their devices. If 70% of those apps are developed with insufficient security, the average person has 40 – 60 apps on their device(s) that are open to attack. Think: usernames and passwords, your personal and financial/payment information, your personal address book and social media contacts, even your home and possibly your loved ones. You may even have health-, professional-, or business-related information stored on your device(s). Once security is breached, all that data is up for grabs. We wish this statistic was fictional, we really do. But it’s not. It’s a frightening reality in our modern, tech-, and data-driven world.

2. Now, more than ever, it’s crucial to understand that only 56% of critical vulnerabilities and 45% of high-severity vulnerabilities are getting fixed.

Again, we’re not kidding. To say it’s sufficient to fix only 56% of critical vulnerabilities and 45% of high-severity vulnerabilities is akin to saying I live in an overcrowded city and I’m okay with half the front door missing. It’s kinda like figuratively setting out the welcome mat for a hacker, and just as figuratively inviting them in for tea. It’s a question of Urgent versus Important. Most app developers will tell you that they think app security is ‘important.’ But their actions (and their products) suggest that about half of them think application security is ‘urgent.’ The deeper lesson here is that while security breaches do make headlines, most of those headlines would be unnecessary if someone had taken responsible, urgent actions, and trained their app development teams to build security into their product(s).

3. Now, more than ever, it’s vital to stop the production of exploitable vulnerabilities in applications and address the issue(s)

More than half – 60% in fact – of all applications have a known exploitable vulnerability in production for more than 365 days. Imagine if an automobile manufacturer knowingly produced and sold their cars for over a year, even though the brakes failed randomly 6 out of 10 times. That’s what’s happening in the world of application security. The greater tragedy? End-users may or may not be aware of this vulnerability. And when they find out, the reality check comes a fraction of a second too late.

Similarly, ignoring application security is giving the honor of signing the reality check… to the hacker. By not training developers to build security into their applications, that’s exactly what’s happening.

Now, more than ever, it’s time to make application security the new normal.

Security breaches have now impacted the Social Security Administration, and even the World Health Organization. When ZoomBombing hit the news, the disruption to businesses and communities was global. It was hurtful to many people, and the repercussions are still being felt. But ZoomBombing is almost a joke when compared to the disaster that any major data breach can cause. Now, more than ever, it’s essential to provide effective and more-than-adequate training to our application developers.  

You can help. Train your app developers to create products that not only do what they’re supposed to do but also protect the end-user and your business. 


Click here to check out our Application Security 14 Course Bundle.

Click here to demo our General Security Awareness course.

Due to the current COVID-19 outbreak across the United States, millions are working from home, some for the first time. This is why KMI Learning and Infrared Security have come together to provide you and your colleagues free home cyber security training, titled “Work From Home Securely: Security Considerations for Extended Telework”. Gain immediate access to this online video course.

Custom Security Awareness Content

Your company has just endured yet another security breach. One of your employees left an open iPad on a table with friends at Starbucks. One of the friends jokingly sent an email to the employee’s entire department. The contents of that email were, shall we say, colorful.

The thing is, you had conducted security awareness training for all employees. How could this employee have made such a silly mistake? Well, first of all, the employee might make better choices in friends. But beyond that, why didn’t the training change the behavior? Why wasn’t this employee aware of potential security hazards?

Obviously, security awareness succeeds only when the technologies available to prevent compromises are combined with appropriate human behaviors. While it may be tricky to keep pace with changing technology, it may be even trickier to change the behaviors that lead to security issues. Training is definitely a huge piece of this puzzle.

While there are many options available for generic off-the-shelf security awareness eLearning, these courses may not really address the specific security challenges of your organization. At one Financial Services organization, security of systems, processes, and information was critical to the corporation’s success and growth. And security of clients’ information was a cornerstone of their corporate values. Because of the Company’s business, their security concerns were very specific. The Company faced a challenge: how to formalize these security awareness protocols so that they were easily accessible, consistent, adaptable, and applicable across the global population. And, perhaps most importantly, how to ensure that sharing this information would truly improve behaviors.

Creating an online training program that demonstrated the tools, behaviors, policies, and procedures around security requirements provided an exciting, engaging, and memorable vehicle for educating the corporate population, scalable and accessible across business units, departments, and global offices. KMI Learning developed a series of rich eLearning modules, following a narrative scenario style that provided the underlying security foundation in a compelling way and that is accessible on-demand to every employee worldwide. Not only that, but the courses revolved around a set of relatable characters who found themselves in situations unique to the Company. Employees saw themselves in these situations. They saw how the policies could and should be applied to their daily work life. They were able to practice decision-making and apply security awareness strategies within the modules with no ramifications for the Company. While these interactions were fun, they were also memorable, easily brought to mind when similar situations arose in real life.

As a result of this Security Awareness program, the Company has experienced a significant, quantifiable, positive change in employee behavior related to security. There has been a significant decrease in security breaches and an improvement in routine security measures. And employees are invested in the series: they anticipate the updates and look forward to seeing what new situations the characters find themselves in.

No longer would an employee think nothing of leaving an iPad unattended!