Businesses today rely on their websites and web applications to stay competitive and sustain revenue. That same reliance, however, makes the public web presence one of the largest attack surfaces any organization exposes.
In this Q&A, Neill Feather, president of SiteLock, a business website security provider, delves into this issue. He explains that while news surrounding security issues may suggest that large enterprises are the most at risk, it's actually small businesses that are the biggest targets. He also dives into what role developers need to play in the secure web development process and why web security is something everyone should be concerned about.
What concerns you most about secure web development?
Neill Feather: Planning is lacking [for when] the worst happens. You can see examples of it; I think Equifax probably is a good example of [having] seemingly plenty of time to respond, and the missteps that were made in terms of their response have been pretty well-documented. And that's a big company that spends a lot of money on security.
Why do so many businesses still fail to secure themselves even with so many high-profile attacks in the news?
Feather: The reality is that the majority of attacks do target customers with a hundred or fewer employees. But when they watch the news, they don't see people like them being victims of these attacks; they see people like Equifax. The truth is that with the degree of automation and things that these attackers are deploying, they're able to very efficiently [find] small businesses or small entities that they can compromise and take advantage of.
So you hear a lot about consumers and you hear a lot about enterprises, but the small business is a story that hasn't been told as much, or is not resonating as much. But definitely more than half [of attacks] are targeting small businesses these days. And the reason simply is they're low-hanging fruit. A lot of them aren't protecting themselves. We see over sixty attacks a day per website on typical medium-sized websites. You don't have to be Sony to attract the attention of a cybercriminal. You just have to have a web presence, and you've got something of value for attackers.
Are the tools that can help those smaller companies achieve secure web development readily available?
Feather: I think right now we're in a place where there are really good tools. And to a large extent, we're underutilizing some of the tools at our fingertips. Some technologies have been pretty well-adopted in enterprises, like static code scanning [and] automated web application firewalls.
But they are still, by and large, underutilized in the overall IT [world]. Less than 10% are actually running security on their websites.
Is it a case where they do not have room in their budgets to afford the tooling?
Feather: I think there's a perception that it's really expensive. You know, the reality today is that there are affordable products for businesses of all sizes to protect themselves. But I think that's definitely a perception out there that, even if [they] wanted it, [they] couldn't afford it anyway.
I think it is affordable, and it's worth it. So I think on both axes, we have some work to do to overcome some of the misperceptions out there.
What is your opinion of the idea that developers need to become security experts in order to create a secure web development process?
Feather: I think this is an area where technology does have a role to play. Although [developers] don't necessarily need to be security experts, [they need to] have the security issues pointed out to them.
Any time that you can make that easy for them and help them get there [is] really useful for the organization, from a security standpoint, and also for the developers to make their lives easier. They've got a lot to worry about, and security is something that can be an additional burden on the developers. We can automate it to take away some of the burden facing development teams. And you want to make sure that, as you're fixing security, you're not introducing additional hurdles or complexity of applications that are critical to your business.
Is secure web development something that the general public should be worried about?
Feather: I don't know how you can look at everything going on and not be at least a little bit concerned about protecting yourself and your family's identities and privacy and all of that. I think what makes me hopeful is that there's a lot of energy around protecting not only consumers but businesses. And it's even still a relatively new area for folks, so I'm optimistic that we're going to see our way through this like we have with other security. But there is definitely reason to be a little apprehensive with the things that have gone on over the last year or so.