Just about a year ago, Equifax made history by suffering one of the most disastrous breaches the world has ever seen – all because secure coding practices were not followed. Nearly 150 million personal records were exposed in the hack, creating a media firestorm which still has not ended for the credit reporting company. The cause? Multiple poor decisions were partially to blame, but the primary player was something very tiny: a bug in the Apache Struts MVC framework that Equifax used to host its application. Apache had already released a patch to fix this particular vulnerability, but Equifax had not bothered to run the update. Not only were 150 million records compromised, but also the reputation of a massive organization and the digital identities of those affected…all because of one vulnerable piece of code that secure coding practices could have prevented.
Among the many lessons that Equifax taught business leaders over the past year, this one might be the most important: secure coding practices matter every bit as much as the other security considerations on which organizations focus. Although it may be difficult due to the technical nature of developers’ output, business leaders are just as responsible for understanding the inherent risks involved with software development and how to prevent them as they are for understanding and preventing other threats to security, such as phishing attacks.
That’s where the OWASP Top 10 comes in. Described as a “powerful awareness document for web application security,” the Top 10 is designed to provide technical and non-technical employees alike with a comprehensive list of secure development and coding best practices. The Top 10 helps demystify a difficult topic by giving both developers and their supervisors an easy-to-understand (but also technically robust) protocol to follow when coding for security. As Equifax demonstrated, creating and maintaining a securely-coded application is far too vital to organizational security for business leaders to let it slide under the radar. The Top 10 provides an easy way to keep track of security protocols alongside your developers, and to create an organizational culture in which secure coding practices are understood and prioritized.
Equifax is the example, but it doesn’t have to be the standard. If Equifax’s developers were in closer compliance with the Top 10–and if their supervisors were holding them to that standard–perhaps that flaw would have been noticed and patched sooner. Either way, the OWASP Top 10 provides business leaders with the perfect educational opportunity.
What Can You Do?
In a previously-recorded webinar, The OWASP Top 10: Understanding the Risks and Consequences of Unsafe Code, our Technical Director and long-time developer, Marina Kelly, explored the importance of secure coding practices and the OWASP Top 10, not just for developers but for entire organizations.