
Continuous testing needed to find vulnerabilities in code, says vendor

Basic security hygiene like identity and access management can solve a lot of network-related security problems. However, software vulnerabilities that come from development slips are more subtle yet have the same outcome: data theft.

In its annual Top 10 list of application vulnerabilities of 2019, WhiteHat Security says it wants to show how even well-known products, like Google’s search page, can have bugs that could lead to intrusions.

“Even companies you think are secure, there’s always one level deeper that you can dig if you really look for them,” Bryan Becker, WhiteHat’s product manager, said in an interview.

Some of them are so obvious in hindsight, Becker said, such as the cache vulnerabilities on the list. Researchers used old techniques to find something new.

These are not the most commonly exploited application vulnerabilities, he added, but the ones discovered in 2019 that WhiteHat found most interesting.


One of the biggest lessons, he said, is that software developers and security teams have to work closely.

“Developers have challenges,” he said, “and these are shared with the security team. Developers have the challenge of writing secure code without actually knowing what that means, and the security team has the challenge of helping them know what that means and training them . . . but there are so many layers you can’t solve it in one easy fix.”

Among the vulnerabilities are:

The security team will give developers lists of the vulnerabilities it finds, Becker said. But it should also say, ‘Here’s the status of your team today, here’s where we want to get to in the next six months, here’s how we’re going to help you get there.’

“Make it a team effort.”
