A little bit of history
Do you remember the web? This is what the World Wide Web was called at its debuts in 1990 when it was only an invention fresh out of CERN in Switzerland (yes, the Web is a Swiss invention by Tim Berners-Lee and Robert Cailliau ). How many companies have announced over time, with a lot of publicity ” We are on the web”? It was well seen, and it was innovative back then to be on the web. Today, there is no way to do business if you are not on the web.
In the old days, the web was static websites. Every business had one or wanted one. It took an expert, a real one, to create this website. The only way to build this site was to code HTML directly, those mysterious runes that brought all this magic to life. And it was expensive.
Often, the single web page was only there to communicate the company’s phone number to the entire planet, and an email address for the most modern companies.
Then, over the years, websites evolved. People working at these companies thought, “You can put pictures, sounds, videos, text there, so why not show our products? “. Static websites then gave way to online catalogs. Enterprises have found that by putting enough information, people knew their products and no longer came to see them to make inquiries, but to buy instead. Online marketing was born. However, it will take years before you can make the purchase online, payment methods, typically controlled by banks, have evolved more slowly.
In 1994, the first online purchase was made on the Net Market web site (the item was a Sting CD). Pizza Hut started selling pizza online that same year. Then, the evolution of the web continued at a breakneck pace, with priority put on online sales tools and on the security of these sales.
Online sales and fraud
Because who says online sales, says fraud or at the very least, attempted fraud. Where there is money, there is fraud. The first fraud to be documented was that of the Greek merchant Hegestratos who attempted to defraud his insurance in 300 BC. J. -C. He had assured his ship and its cargo. Insurance in these times took the form of a loan. If he arrived safe and sound at his destination, he would repay the loan with interest. Otherwise, he kept the money. One day he got the idea to sink his ship , sell the cargo and keep the insurance money. His crew, who got wind of this attempted fraud, threw him off the boat and he drowned. The web is not needed to commit fraud.
Today, between stolen credit cards and hacked online sales systems, fraud takes various forms and has grown to become a scourge that haunts us. While cybercrime initially targeted servers and networks, this is no longer the case because cybersecurity has also evolved, and systems and networks are now well protected. The web in its broader sense is less secure. I am not talking about static websites, but really e-commerce systems (this is the new name for online sales). In 2021, more than 80% of the world economy depends on web applications. Think about it. Most of the world depends on web applications and their security. But where do we start to have a better world?
Electronic commerce systems and developpers
E-commerce systems on the web have in common:
- They are most often web applications
- They use databases
- They are developed by programmers
- They are exposed to the Internet (otherwise they would be useless)
- They handle monetary value
- They communicate with banks
- They accumulate data on their customers
All these ingredients together are roughly the computer equivalent of the formula for gunpowder. What is the most important point in these factors? # 4? # 5? Not wrong but no. This is # 3.
Programmers are a class of computer experts who care very little about the security of their applications. It is not entirely their fault. First, application security is not taught by the college and university programs that train our programmers. It is therefore difficult to secure an application when we do not know how. I’ve seen programmers implement encryption by “inventing” a great encryption algorithm in which they replaced ” a ” with ” b “, ” b ” with ” c “, and so on.
Such an algorithm is called a Caesar cipher and despite all that can be said about it, it is not encryption, it is encoding, and it is reversible. Needless to say, such an “encryption” would not withstand 30 seconds of being cracked by an experienced person. It could, however, perhaps slow down an 8 year old cybercriminal for a few minutes. This is what the lack of knowledge of application security brings about as a problem.
The other problem is the project management methodology. Here is how it goes. Business people have an idea that will generate huge profits. All it takes is a small web (and / or mobile) application. We launch the project, we assign a project manager and we start the design of the application. In a project, security is a “non-functional requirement”. It means that these requirements are not essential for the proper functioning of the application. Business people cannot conceive that if the application is compromised by cybercriminals through non-functional requirements, it will affect the operation of the application and the generation of profits. And that’s okay, business people weren’t trained to think about this.
It takes a special kind of reasoning to think about the potential for compromising an app, and that kind of reasoning ideally comes with a healthy amount of paranoia. And if ever an organization decided to roll up its sleeves and secure its application, the unpredictable nature of the projects would do its best to prevent it. Software engineering was born 53 years ago, with the promise that one day software development would be like engineering which makes the construction of a bridge or any other structure predictable and deterministic. We are still waiting to see a bridge construction that does not exceed costs and deadlines and it is the same for the software. The unforeseen hazards in projects will eventually lead to the need to cut corners and remove some not very important requirements from the application, like those horrible non-functional requirements that only exist to annoy us. I’m simplifying, but the world of projects is quite simple.
How can things be improved?
All of these things mean that in 2021, more than 50% of all web applications contain serious, easily exploitable vulnerabilities (Source : NTT 2020 Global Threat Intelligence Report ). And most web applications are exposed to the Internet, and process sensitive information like money, personal information, etc.
Above, we had the formula for computer gunpowder and here we have the result and it does more damage than an explosion.
Data breaches are expensive. Mariott paid $ 124 million in fines for his breach of customer data. Uber was fined US $ 575 million . E t these amounts are in addition to the damage to the brand, containment and eradication costs, costs in lawyers, communication, security uplifting, etc.
The important things to remember about application security are:
- Application security issues are introduced to applications as the programmer codes the application. A coding or logic error and presto, we have a bug. When a bug affects the security of an application, the name changes and it’s called a vulnerability. It therefore seems logical to prevent them during this coding phase.
- Preventing a vulnerability in the coding phase of a project is the most economical way to secure an application.
- Securing an application during the coding phase has virtually no impact on a project’s budgets and timelines.
- Most vulnerabilities can be easily prevented. You just have to know how.
Yes it seems easy seen like that. But the element that is missing is always the same: the expertise of programmers in application security . Howeve it is an easy and affordable gap to fill. The internet is filled with resources to help programmers learn this aspect of the job, starting with the OWASP organization which specializes in application security and makes tons of free resources available to programmers.
There is also the option of professional training. It’s more expensive, but programmers are ready to take on application security challenges after a week of expert training.
The last lesson to be learned is that on the web, the preys are the customers, the consumers and the companies that do business on the Internet. With just a little training, the web could be just the web, rather than a spider web.
Sémafor Conseil offers training on security web that teaches developers not only how to secure web applications, but also how to think and work like cybercriminals, and how to learn to be always ahead of them. This training is given in partnership with Thinkcyber , the cybersecurity training firm that even trains the Israeli army’s cybersecurity units. There’s no training that’s more advanced and cutting edge on the market. In addition, students put into practice the acquired knowledge through practical exercises with real case studies in the Cyber Arena.