The 2016 Verizon Data Breach Investigations Report (DBIR) is out and everyone is poring over the report to see what new insights we can take from last year's incidents and breaches. We have not only created this post to look at some primary application security takeaways, but we also have gathered guest posts from industry experts. Keep checking back this week to hear from people living at the front lines of web application security, as well as commentary from several of our customers who provided some quick takeaways that can help you and your team.
Let's dive into four key takeaways from this year's DBIR, from an application security point of view.
1. Protect Your Web Applications
Web app attacks remain the most common breach pattern underscoring what we already know - that web applications are a preferred vector for malicious attackers and they are difficult to protect and secure. The figure below shows that 40% of the breaches analyzed for the 2016 DBIR were web app attacks.
2. Stop Auditing Like It's 1999
We've said this before and we'll say it again. Applications are evolving at a rapid pace and they are becoming more complex and more dynamic with each passing year. From web APIs to Single Page Applications, it's critical that your application security experts not only understand the technologies used in your applications, but also find tools that are able to handle these modern applications.
As we pay our respects to the dearly beloved, Prince, please, stop testing like it's 1999. Update your application security testing techniques, sharpen your skills, and make sure your tools understand modern applications.
3. No Industry is Immune
No industry is exempt from web app attacks, but some are seeing more breaches than others. For the finance, entertainment, and information industries, web app attacks are the primary attack pattern in reported breaches. For the financial industry, web app attacks are a whopping 82% of their attacks. These industries, in particular, should be assessing and gearing up their web application security programs to ensure optimal investment and attention.
4. Validate Your Inputs
As an industry, we have been talking about invalidated inputs forever. It feels like we are fighting an uphill battle. We strive to train our developers on secure coding, the importance of input validation and how to prevent SQL Injection, XSS, buffer overflows, and other attacks that stem from invalidated and unsanitary inputs. Unfortunately, too many application inputs continue to be vulnerable and we are swimming against a steady stream of new applications written by developers who continue to repeat the same mistakes.
That's our take on the 2016 Verizon Data Breach Investigations Report. We would love to hear your thoughts in the comments! Please check back throughout the week to hear what some of our favorite web application security experts have to share about their key takeaways and reactions from this year's DBIR.
For more perspective in this year's DBIR through an application security lens. Check out the rest of the blogs in this series.
- 3 Web App Sec-ian Takeaways From the 2016 DBIR
- Social Attacks in Web App Hacking - Investigating Findings of the DBIR
- 2016 DBIR & Application Security: Let's Get Back to the Basics Folks
Be sure to check out The 2016 Data Breach Investigations Report Summary (DBIR) - The Defenders Perspective, by Bob Rudis (aka @hrbrmstr).