Some common vulnerabilities are coming up to their 30th birthday, and some were “coined in the days of Netscape Navigator.”
Speaking at Irisscon in Dublin, Edgescan CEO Eoin Keary said that one of the problems in cybersecurity is that vulnerability management is siloed, with network security and web application security testing treated as yet another silo, and that “something to look at is our assets as a full stack which will continually change all the time.”
Keary said that developers push out code daily as part of the job that drives the company, and applications are deployed more quickly, so we need to understand what a penetration test can and cannot tell us. “A one-off penetration test is a snapshot in time and by the time the report is delivered, new code is deployed and the system has changed,” he said.
Keary made reference to the Magecart attacks, saying that with some intelligence of the change in code these types of attack could be prevented. “Change gives rise to risk and gives rise to vulnerabilities.”
He said that full stack security should be considered over a one-time penetration test, but that the pitfalls of DevSecOps also need to be understood, “as it gives you a false sense of security and you will catch the low hanging fruit.”
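The snapshot-versus-continuous-change point above, as an added example that is not from the article or from Edgescan: a baseline fingerprint of the deployed assets is taken once, each later deployment is fingerprinted again, and every difference that is not covered by an approved change record is flagged. This is one way to get the “intelligence of the change in code” Keary describes, and it generalises beyond scripts, since any observable of the stack (served files, response headers, DNS records, open ports) can be placed in the asset map. All asset paths and contents here are constructed sample data, and the approved-change set stands in for whatever change-management record an organisation actually keeps.

```python
"""Baseline-and-diff check for deployed web assets (added example, constructed data)."""
import hashlib
import json


def fingerprint(assets):
    """Map each asset path to the SHA-256 hex digest of its content.

    `assets` is a dict of path -> content string; the digest is what gets
    stored, so the baseline itself never needs to keep the full content.
    """
    return {path: hashlib.sha256(body.encode("utf-8")).hexdigest()
            for path, body in assets.items()}


def diff_snapshots(baseline, current):
    """Return added, removed and modified paths between two fingerprint maps."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(path for path in baseline
                      if path in current and baseline[path] != current[path])
    return {"added": added, "removed": removed, "modified": modified}


def review_deployment(baseline, current, approved_changes):
    """Flag every changed path that no approved change record covers.

    An approved change is simply a path that a release ticket says may change;
    anything else that moved between snapshots is an unexpected change.
    """
    diff = diff_snapshots(baseline, current)
    touched = diff["added"] + diff["removed"] + diff["modified"]
    return sorted(path for path in touched if path not in approved_changes)


# Constructed sample: the stack as it looked when the baseline was taken.
BASELINE_ASSETS = {
    "/index.html": "<html><script src='/js/checkout.js'></script></html>",
    "/js/checkout.js": "function pay() { postForm('/api/pay'); }",
    "/js/vendor/analytics.js": "track('pageview');",
}

# Constructed sample: the stack after a release. checkout.js changed under an
# approved ticket; the vendor script changed and a new script appeared without one.
AFTER_RELEASE = {
    "/index.html": "<html><script src='/js/checkout.js'></script></html>",
    "/js/checkout.js": "function pay() { postForm('/api/pay', { version: 2 }); }",
    "/js/vendor/analytics.js": "track('pageview'); track('conversion');",
    "/js/promo.js": "showBanner();",
}

# Constructed stand-in for the change-management record for this release.
APPROVED_CHANGES = {"/js/checkout.js"}


def unexpected_changes():
    """Run the check over the constructed release and return the flagged paths."""
    return review_deployment(fingerprint(BASELINE_ASSETS),
                             fingerprint(AFTER_RELEASE),
                             APPROVED_CHANGES)


if __name__ == "__main__":
    print(json.dumps(unexpected_changes(), indent=2))
```

Running the check after every deployment, rather than once a year, is what turns the pentest snapshot into a continuous view: the two flagged paths are exactly the changes nobody signed off, and the check also catches the “DevSecOps caught the low hanging fruit” case, because a clean pipeline scan says nothing about a third-party script that changed after the scan ran.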
Also speaking at the conference, Dave Lewis, advisory CISO at Duo Security, cited the vulnerabilities that allowed the WannaCry ransomware to spread, saying that this was “something that was a known bad for a decade” and “we need to do better than this.”