If I’m honest, I’ll admit to a certain degree of schadenfreude when Tesco got hacked recently. I mean, I did call these risks out a long time ago and they did choose to largely ignore them. What struck a bit of a nerve though was not just that they got hacked after turning a blind eye to the issues I’d found, it’s that by all accounts, they were compromised by very well-known risks. I mean c’mon – these are obvious, right?! Perhaps it was just another case of “you don’t know what you don’t know”.
But it did get me thinking – how many of the attacks we’ve seen in recent years simply exploited well-known risks? Sure, in hindsight the flaws that enabled the attackers to do bad things are usually obvious, but how often do we (and I say that collectively as the software industry) know these risks very well yet still let them creep into our software? I reckon it’s very often – too often.
When I wrote the launch blog post for my latest Pluralsight course the other day, I reflected on how even as I was recording the material on vulnerable WordPress plugins, Forbes got popped by what I speculated appeared to be that very risk. That course was about the OWASP Top 10 and is a “Big Picture” course, that is, it’s a higher-level overview than most of my others and it’s designed to be easily consumable by pretty much anyone involved in the software process, not just developers. But it got me thinking – just how much of the Top 10 can we easily point to and say “There – those guys got pwned precisely because they didn’t understand their Top 10”? I’m going to write about it in more detail at a later date, but I reckon it’s lots. Actually I reckon it’s most, at least that’s what the anecdotal evidence suggests. I mean how often do we look at an attack (the recent Heartbleed bug aside) in retrospect and say, ooh, I’ve never seen that before?!
Around the same time as I was recording this course, Pluralsight was also thinking about security and we discussed it at length many, many times. In fact they agreed that security was so important that if an org fell afoul of bad security, they deserved a bit of a break in the form of free security training. Until April 25 (yes, only a few days from now), if you work for an org that’s been pwned in the last year, head on over to my post on their blog titled “Online attacks are preventable. Protect yourself with free Pluralsight training for 1 month!”, then fill out the form and nab yourself a month of free training from the security library.
So that’s the crisitunity – yes, you need to have fallen on the unpleasant side of internet nasties but hey, now’s the time to take something away from that experience and develop the competencies to avoid it happening again. Chances are that most web software being built right now contains the very bugs that these courses address and could lead to the next set of web security news headlines. Now who can pass this on to Tesco for me? :)