Why Is Security Important on Web Applications?
In 2012, Yahoo was hacked. Due to poor database security configuration, user passwords were released publicly. You can imagine how much this hurt their business, and how much money they lost - not to mention the effect it had on 450,000 users!
Could such a massive breach have been prevented?
Sure! Did you know that 80% of the data breaches and hacks committed on web applications can be traced back to poor coding practices that leave the code vulnerable, giving those malicious characters an advantage?
More and more businesses are using web applications to handle private data, such as personally identifiable information, or PII (your name, birthdate, national ID number, etc.). They can also handle credit card information. Someone could take advantage of this sensitive data!
In addition, a data breach damages the business itself. They lose money from the lost data as well as credibility. Many have gone under due to data breaches or web application attacks. Do a quick Google search for "Data Breach SQL injection." You will see that Yahoo isn't the only organization affected by such a terrible deed!
As you can imagine, it is important for businesses to ensure the security of their information!
So data breaches come in all shapes and forms. They can range from insiders emailing trade secrets to competitors for money, to a simple email with financial data sent to the wrong recipient! Either way, training is crucial for insider threats such as these.
In this course, we will be talking about data breaches that occur from common outside attacks. These breaches are specifically related to web applications.
How Do Companies Manage Risk?
It can cost a lot of money to set up secure practices in a company. All businesses have assets they need to protect. Assets can be physical equipment such as servers and phones. They can also be very important data that the company must protect. Managing risk in business involves figuring out how much an asset is worth, and how much it will cost to secure it.
For example, if I had a set of data worth $10 and it will cost me $100 to secure it, would it be worth securing? Probably not.
How about data that could potentially be worth millions and would take $100,000 to secure? Would it be worthwhile to ensure against risk? Yes!
Besides the value of an asset and the cost to secure it, a business can also consider the likelihood of a breach happening. Let's look at Annualized Loss Expectancy (ALE), which is a measurement of risk based on the probability that the asset will be breached.
First, let's look at how much a breach to this asset would cost if it happened once. This is called Single Loss Expectancy (SLE). It is the product of the Net Asset Value (NAV) and the Exposure Factor (EF). Let's say an asset is worth $100, and there's a 20% likelihood that it will be hacked. Your SLE is $20.
Single Loss Expectancy = Net Asset Value * Exposure Factor
SLE = NAV x EF
$20 = $100 x .2
Now let's say that your asset is likely to be hacked twice in a year. You will take the SLE, which is $50, and multiply it by its Annual Rate of Occurrence (ARO), which is two times.
This formula shows that the probable loss from a breach over an entire year would be $100.
Annualized Loss Expectancy = Single Loss Expectancy * Annual Rate of Occurrence
ALE = SLE x ARO
$40 = $20 x 2
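The two formulas above, together with the "is it worth securing?" comparison from the earlier paragraphs, as an added example written for this page (it is not code from the course). The Asset class, the function names and the sample figures are constructed; the numbers match the page's own worked case (NAV $100, EF 20%, ARO 2) and the $10/$100 and $1,000,000/$100,000 comparisons. It goes slightly beyond the text by treating a safeguard as something that lowers the exposure factor to a residual value rather than removing risk entirely, and compares the loss it avoids with what it costs per year.

```python
"""Added example: SLE, ALE and a cost/benefit check for a safeguard.

Illustrative code written for this page, not part of the course.
The Asset class, the function names and the sample figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    net_asset_value: float            # NAV: what the asset is worth, in dollars
    exposure_factor: float            # EF: fraction of NAV lost in one breach (0.0 - 1.0)
    annual_rate_of_occurrence: float  # ARO: expected number of breaches per year


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = NAV x EF: the cost of one breach of the asset."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.net_asset_value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: the probable loss from breaches over a whole year."""
    if asset.annual_rate_of_occurrence < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return single_loss_expectancy(asset) * asset.annual_rate_of_occurrence


def worth_securing(asset_value: float, cost_to_secure: float) -> bool:
    """The page's simplest test: is the data worth more than it costs to protect?"""
    return asset_value > cost_to_secure


def control_is_worthwhile(asset: Asset, annual_control_cost: float,
                          residual_exposure_factor: float) -> bool:
    """Decide whether paying for a safeguard is justified.

    A control rarely removes risk entirely; it lowers the exposure factor to
    some residual value. The control pays for itself when the yearly loss it
    avoids (ALE before minus ALE after) is larger than its yearly cost.
    """
    protected = Asset(asset.name, asset.net_asset_value,
                      residual_exposure_factor, asset.annual_rate_of_occurrence)
    avoided_loss = annualized_loss_expectancy(asset) - annualized_loss_expectancy(protected)
    return avoided_loss > annual_control_cost


if __name__ == "__main__":
    # The page's worked case: NAV $100, EF 20%, hacked twice a year (constructed asset name).
    records = Asset("customer records", 100.0, 0.2, 2.0)
    print(f"SLE = ${single_loss_expectancy(records):.2f}")      # $20.00
    print(f"ALE = ${annualized_loss_expectancy(records):.2f}")  # $40.00

    # The page's value-versus-cost comparisons.
    print(worth_securing(10, 100))                # False: $10 of data, $100 to secure
    print(worth_securing(1_000_000, 100_000))     # True: millions of data, $100,000 to secure

    # A safeguard costing $10/year that cuts EF from 20% to 5% avoids $30/year of loss.
    print(control_is_worthwhile(records, annual_control_cost=10.0,
                                residual_exposure_factor=0.05))  # True
```

Run it directly to see the page's figures reproduced; the decision functions return booleans so they can be dropped into a larger risk register rather than only printed.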
Who decides how important it is to budget for security and how much they are willing to risk? Is it the systems administrator in your organization? Let's think about it. Ultimately, they are just doing what they are told and are not required to go beyond the security policy. Someone is there to tell them what they should secure.
What about IT management, such as the chief technology officer (CTO) or the chief information security officer (CISO)? Well, they can come up with suggestions or a plan, but if those get shot down because of a lack of funding, how can they be to blame?
So who is it?
The CEO (or president) of the company makes the decision on where the money goes. If they are responsible for the security budget, they are also ultimately responsible for a data breach!
What does that mean for me?
If the CEO provides funding for strong security policies, that means they will want to secure their web applications. It also means that they are looking for the secure coding hero that sets you ahead of the game! You see, learning to secure your code and create quality software makes you a complete lifesaver for these businesses! Not only do you save them time and money, but they will also know they are in good hands because of your unique skills!
Let's Recap!
Data breaches on web applications are common and happen even to large companies.
A web application attack can cause a business to lose a lot of money and their reputation.
Risk is measured by comparing the value of data with the cost to secure it.
The CEO or the president of the company is held responsible for the security policies in the organization and appropriating the proper funding for security.