The growth in cybercrime generally is well reported, but South African CIOs are still not taking it seriously enough – particularly when it comes to application security. 
According to respected research firm Gartner, 75% of attacks are directed at the application layer, and 75% of successful attacks target vulnerabilities that were already known.
“These statistics tell us both that not enough attention is being given to security in general, and application security in particular,” says Ziaan Hattingh, MD of IndigoCube, a company that focuses on improving the productivity and predictability of key business processes in large organisations.
“And when one considers that South Africa is the third most targeted country for cybercrime, then it’s clear we have a major threat on our hands.”
Because there is no legislation mandating the reporting of cybercrime, local statistics are not accurate, and the real picture could be much more serious than people think.
Cybercrime cost South African citizens and businesses more than R1-billion in 2011, according to Sebastian von Solms, research professor in the Academy for Computer Science and Software Engineering at the University of Johannesburg and a doyen of the local security industry.
And Symantec, a leading vendor of security software, says that cybercrime in South Africa was moving down the value chain to target even smaller businesses.
A key problem, Hattingh believes, is that many CIOs focus their attention on access control and infrastructure security. What gets left out is Web application testing and source code analysis – the two methods for testing the security of the application layer. Common vulnerabilities include SQL injection and cross-site scripting, which enable hackers to obtain access to systems and, crucially, the data they contain.
“Data is the big prize, because it is the key to unlocking access to individual and corporate funds,” Hattingh says. “Security testing is vital to understand where your applications are vulnerable – without that understanding, it would be impossible to fix it.”
Software testing came into being because developers do make mistakes, and some of these mistakes could lead to security vulnerabilities. Therefore, it stands to reason that security testing should form part of the bigger software testing or quality control function. And, as Hattingh points out, the sooner a security breach is detected in the software development process, the cheaper it is to fix.
Pending legislation is set to compel South African companies to take the protection of personal data more seriously—the Protection of Personal Information Bill will, when it becomes law, impose liability on an organisation for security breaches. This will bring South Africa into line with other countries that have already enacted data-protection legislation.
It’s not all doom and gloom, though. There are numerous resources to help CIOs come to grips with security in general, and Web applications in particular, Hattingh notes. More particularly, the Open Web Application Security Project (OWASP) has developed a Software Assurance Maturity Model that provides a guide to building security into software development.
“Business today is all about opening up to partners and customers, and that openness increases both the opportunity for growth and the risk of data loss,” says Hattingh. “We need to take action to secure our applications.”