‘What are the odds someone will find and exploit this?’ Nice one — you just released an insecure app
Friday, June 25, 2021
Any developer under pressure to release new functionality may, Wright suggested, be under the false assumption that the worst that can happen for their customers is an annoying popup box. “In reality, this could lead to things such as an attacker being able to steal a victim’s session, being able to redirect victims to phishing pages, or even a user’s browser being controlled using tools such as Browser Exploitation Framework (BeEF).”
One of the dangers of taking that 81 per cent “knowingly” statistic at face value is that not all vulnerabilities are high risk or, indeed, exploitable in the production environment. This means, according to Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, that “releasing applications with vulnerabilities is not necessarily a highly dangerous practice”.
He explained how many automated security tools erroneously present various unexploitable warnings such as missing secure flags on cookies without any sensitive data and minor misconfigurations related to HTTP headers, for example, as high-risk vulnerabilities that developers readily ignore. “In many organisations, pressure from business is extreme, and developers are forced to go into production too early and fix vulnerable code in flight mode due to tough time constraints.”