Sony hacks highlight need for secure software development

14 Jun 2011

Cyber attacks like those targeting Sony’s PlayStation Network are a tipping point in highlighting the need for more secure applications, the head of the Irish chapter of the Open Web Application Security Project has said.

Many of the attacks against Sony are down to weak application security, said Fabio Cerullo, chairman of OWASP’s Ireland chapter and organiser of OWASP’s AppSec EU conference which took place in Trinity College Dublin last week. “It has been reported that Sony is now on its 13th attack across different sites and most of these are basic – some of the sites fell victim to basic SQL injections so it is a big problem and it has to be fixed,” said Cerullo last week.

A recent study of information security professionals by Frost and Sullivan identified application security as the No 1 threat to organisations. The survey was carried out for (ISC)², the International Information Systems Security Certification Consortium, the not-for-profit provider of training and certification for information security professionals.

Richard Nealon, a member of the board of directors at (ISC)², said many organisations that build their own software make the mistake of thinking their applications are stronger than commercially available packages. “The applications that are developed internally aren’t shown to be any more secure than the applications we buy from vendors,” he said. The discrepancy is down to perception, because many vendors publish their vulnerabilities. “So many applications that businesses may be running are equally as buggy,” Nealon told Siliconrepublic.com.

Cyber attacks carry a price

The consequences of a cyber attack are potentially very damaging, costing businesses money and possibly putting their existence at risk, Cerullo added. “The Sony incident is a milestone. From now onwards, there will be a lot of attacks being carried out and people trying to prevent those attacks. If you are an e-commerce store and you are down because of a SQL injection for a week or so, you’re out of business. So application security is becoming more and more important by the day,” he said.

Developing more secure applications costs money and adds to the time needed to write and test the code, but that’s nothing compared to the potential costs of a major breach, said Cerullo. “If you think about when the PlayStation Network went down, Sony talked about millions of dollars just to fix the issue and compensate users. If you use that money to develop an appropriate application security programme from the top down, you could save a lot of money.”

OWASP’s AppSec Europe 2011 conference, one of the group’s four major global events, was held last week in Dublin at Trinity College. Cerullo said the increased attention on application security was reflected in the high attendance. The four-day event covered training modules and keynote presentations, attracting more than 250 delegates.

OWASP is a global non-profit group which aims to improve the security of application software. Participation in OWASP is free and the organisation makes all of its materials freely available under an open software licence. Ireland is home to one of the group’s largest chapters worldwide because of the high number of technology companies located here, said Cerullo.

Gordon Smith was a contributor to Silicon Republic