What does the DBIR show us?

I just finished reading Verizon’s 2012 Data Breach Investigations Report. As usual, well-known weaknesses such as guessable or brute-forced credentials and SQL injection remain the root cause of the vast majority of hacking-related breaches. The report reminded me of an insightful presentation from Source Seattle last year by Myles Conley. He argues that we are not necessarily short of application security experts; what we lack is project management in information security. The premise is clear: the information security community already has the know-how and the capability to prevent many of the simple attacks that result in breaches. Consistent, disciplined execution of those preventative measures is where we struggle.

Atul Gawande described a similar challenge with deaths from avoidable surgical complications in The Checklist Manifesto. Introducing a checklist of simple measures, such as having every member of the surgical team introduce themselves at the start of the procedure, produced a 47% reduction in deaths arising from surgical complications. Dr. Gawande and his team drew their insight about the power of checklists from the safety track records of other industries, aviation in particular.

Information security can learn from the track record of other industries too. Checklists of preventative measures applied during the development process can give us simple, lightweight governance, much like a pilot’s pre-flight checklist. The difficulty is that, unlike flights and surgical procedures, preventative information security controls and procedures vary wildly with factors such as industry, technology stack and compliance requirements. One static checklist is not sufficient for every piece of software. Moreover, many practitioners are put off by the “checklist approach to auditing” after poor experiences with auditors who work through long, static checklists covering a large variety of controls regardless of relevance. That challenge led us to design SD Elements around dynamic, profile-based checklists: the properties of the project determine which controls appear on its list. We believe that applying consistent, lightweight checks for preventative security controls will significantly reduce the number of incidents arising from well-known, preventable defects. Indeed, some of the most mature application security organizations we speak to have already built this capability in-house.
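To make the idea of a profile-based checklist concrete, here is an added illustration (not SD Elements’ code or data model): each control carries a rule deciding whether it applies, and a project profile selects the subset that does. The control IDs, rule names, profile fields and sample profiles are hypothetical; the first three controls target the credential-guessing and SQL-injection root causes the DBIR highlights.

```python
"""Added illustration of a profile-based checklist: controls carry an
applicability rule, and a project's profile selects the subset that applies.
Control IDs, rules and profile fields are hypothetical, not SD Elements' data.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class Profile:
    """What we know about the system being built."""
    stack: FrozenSet[str]       # e.g. "web", "sql"
    features: FrozenSet[str]    # e.g. "authentication", "file-upload"
    compliance: FrozenSet[str]  # e.g. "pci-dss"


@dataclass(frozen=True)
class Control:
    """One preventative control plus the rule deciding whether it applies."""
    id: str
    title: str
    applies: Callable[[Profile], bool]
    check: str  # the concrete question a reviewer ticks off


def has(*names: str) -> Callable[[Profile], bool]:
    """Rule factory: every named attribute appears somewhere in the profile."""
    def rule(p: Profile) -> bool:
        known = p.stack | p.features | p.compliance
        return all(n in known for n in names)
    return rule


# Hypothetical catalog. C-01 to C-03 address the DBIR's usual suspects
# (SQL injection, credential guessing and brute force); C-06 applies to every profile.
CATALOG: List[Control] = [
    Control("C-01", "Parameterized queries for every SQL statement", has("sql"),
            "Grep for string-built SQL; confirm all queries use bound parameters."),
    Control("C-02", "Throttle and lock out repeated failed logins", has("authentication"),
            "Observe lockout or backoff after N failed attempts against one account."),
    Control("C-03", "Reject default and commonly used passwords", has("authentication"),
            "Attempt to set 'password', 'admin' and vendor defaults; all refused."),
    Control("C-04", "Context-aware output encoding in HTML templates", has("web"),
            "Auto-escaping enabled in the template engine; raw-output calls reviewed."),
    Control("C-05", "Cardholder data encrypted at rest", has("pci-dss"),
            "Inspect the datastore; PAN is encrypted or truncated, never plaintext."),
    Control("C-06", "No default or shared credentials in shipped config", lambda p: True,
            "Deployment config carries no hard-coded or vendor-default secrets."),
]


def build_checklist(profile: Profile, catalog: List[Control] = CATALOG) -> List[Control]:
    """Return the controls whose applicability rule matches this profile."""
    return [c for c in catalog if c.applies(profile)]


def outstanding(checklist: List[Control], signed_off: FrozenSet[str]) -> List[str]:
    """IDs of applicable controls not yet ticked off; an empty list means done."""
    return [c.id for c in checklist if c.id not in signed_off]


if __name__ == "__main__":
    # Two constructed profiles: a payment API with a database and logins,
    # and a static brochure site with neither.
    api = Profile(frozenset({"web", "sql"}), frozenset({"authentication"}), frozenset({"pci-dss"}))
    brochure = Profile(frozenset({"web"}), frozenset(), frozenset())
    for name, prof in (("payment API", api), ("brochure site", brochure)):
        print(f"== {name} ==")
        for c in build_checklist(prof):
            print(f"[ ] {c.id} {c.title}\n      check: {c.check}")
```

The point of the structure is that the catalog is maintained once, centrally, while each project sees only the items relevant to it; `outstanding` is the gate a release review would apply, and it is trivially automatable once the sign-offs are recorded.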

Checklists aren’t silver bullets. Applying the full range of information security practices, including vulnerability assessments, remains essential to securing information systems. That said, consistency in applying well-known controls raises the bar for attackers. After all, as the 2012 DBIR reports, “97% of breaches were avoidable through simple or intermediate controls”.
