It’s always been one of IT’s worst-kept secrets that in the face of performance issues with the network or applications, security goes out the window. As recently as 2014, survey respondents admitted that yes, yes they do disable security features to increase performance.[1]
So perhaps it shouldn’t be surprising to find out that in 2017, speed is still trumping security. Except this time there’s a twist; this time it’s speed of deployment that’s causing security to be left behind. It’s no secret that the application economy is driven by time to market. In a 2014 study conducted by Vanson Bourne,[2] 94% of the line-of-business respondents felt an increased pressure to release more applications faster. Apparently, IT and app developers acknowledged that demand (based on adoption of Agile and DevOps in the past few years) and have been doing just that. Unfortunately, there have been some possibly unintended consequences of the rush to release associated with the application economy.
We turn now to Exhibit A. Exhibit A is a recent report sponsored by Arxan and IBM on the security of IoT and mobile applications,[3] in which respondents cited “rush to release” as the primary reason both types of applications are released containing vulnerable code. Interestingly, respondents tagged the pressure on app dev teams as being responsible, with 69% pointing the finger at rushing mobile app development as the source of vulnerable code, and 75% saying the same for IoT apps.
But that’s not the worst news coming out of this survey. No, not by any stretch of the imagination is that the bad news. Sit down and strap in, because it gets much worse.
In spite of pushing vulnerable applications into production (and into the hands of consumers), a staggering 44% admitted they aren’t doing anything to prevent an attack. Oh, they’re concerned about a breach occurring through those apps—58% fingered IoT apps and 53% mobile—but they aren’t doing anything about it.
Let us pause and reflect on that for a moment while we pick up our jaws off the floor.
We certainly might take the perspective that the risk doesn’t justify a red alert from the bridge, and certainly from a business perspective, it could be catastrophic to put on the brakes and slow down (or halt) the push to production because there might be a breach. That’s risk management, after all, and it’s an admittedly complex set of variables that factor into the decision.
But in light of reports regarding the prevalence of IoT-based attacks, these firms risk being hoist by their own petard in a terribly expensive and embarrassing manner. With analysts predicting major growth in the inclusion of IoT components in new business processes and systems,[4] this laissez-faire approach to securing both the devices and apps is bound to attract those seeking to exploit them. Whether to gain access to corporate environments or harness the albeit limited compute power of distributed devices, attackers proved in multiple incidents throughout 2016 that they are targeting this nascent technology and taking advantage of the lack of attention vendors are paying to the security of these devices. The world’s most powerful botnet, Mirai, launched multiple Tbps attacks in 2016, proving to us all that the threat to the Internet of Things was beyond measure. F5 Labs, with our data partner Loryka,[5] has been tracking the hunt for IoT devices by hackers for over a year now,[6] and the attraction (to hunting and exploiting) isn’t subsiding by any means. In fact, Telnet brute force events shot up 110% just between Q3 and Q4 during (and after) Mirai. (Spoiler alert: the rate for all of 2016 was more than 10 times that amount. Exact numbers will be published in F5 Labs’ next IoT report.)
Regrettably, it will likely take breaches that cause significant damage—to the brand and the business—before organizations prioritize security over speed of development.