Incidents and the buzz<\/strong><\/strong><\/h4>\n\n\n\nIf there is one event that made fear spread like wildfire among software consumers in 2017, it was the mass hijacking of information perpetrated by the WannaCry virus, which affected banks and businesses around the world. Following this high-profile media event, the IT world would never again be trusted as it used to be.<\/p>\n\n\n\n
This incident raised a great deal\nof interest concerning security, which led the press to increasingly report on\nthe shortcomings of the sector. <\/p>\n\n\n\n
A little-known case<\/a><\/strong>, but one that clearly shows the importance of secure development, is the one that resulted in a 144-month prison sentence for the two men who stole 160 million credit card numbers using an attack known as SQL Injection. This attack consisted of entering commands in a language understood by databases through user applications. When orders are transferred by an application to databases, the databases execute them and return the requested information normally, due to the fact that the application has the required credentials.<\/p>\n\n\n\nSpanish Small Business, a playground for criminals<\/strong><\/strong><\/h4>\n\n\n\nThe press also reported<\/a><\/strong> on the impact on Spanish SMEs, which were the victims of 70% of the attacks in that country, with losses of around 75,000 euros per incident, estimating the total losses at 14 billion euros in one year. <\/p>\n\n\n\nThe states have also echoed this circumstance and revealed figures<\/a><\/strong> like those from the Attorney General\u2019s Office, which says that in Spain 18,344 proceedings for online fraud (405 convictions), 272 for revealing trade secrets, 295 for computer damage, 68 for crimes against intellectual property and 144 for counterfeiting through ICTs were initiated. <\/p>\n\n\n\nIn 2017, 120.000 attacks were detected<\/a><\/strong> \u2013a new record for Spain\u2013 a rise of 140% in the last two years.<\/p>\n\n\n\nSpain is the ninth most-attacked\ncountry, behind Italy in eighth place, and with Russia top of the list. The\nUnited States ranks 5th.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.alvantia.com\/wp-content\/uploads\/2019\/07\/Imagen1-1024x602.png\")
<\/figure>\n\n\n\nThe trend: a hybrid combination of social engineering and malware\npurchasing<\/strong><\/strong><\/h4>\n\n\n\nWeb vulnerabilities base their\nattack vector on developers being the weak link, so that, by taking advantage\nof their ignorance, or carelessness, information can be obtained about the\napplication, the system containing it, or users and customers.<\/p>\n\n\n\n
But the increasingly sophisticated\nattacks are not normally based on just one attack vector. They also take into\naccount that a possible incorrect system configuration or user ignorance is a\nweakness and a way to get information.<\/p>\n\n\n\n
Therefore, an uncontrolled error in\nan application can provide system information to an attacker.<\/p>\n\n\n\n
Custom-made applications, the blind spot<\/strong><\/strong><\/h4>\n\n\n\nThere has been a lot of\nawareness-raising and companies have learnt by investing in protecting their\nnetworks against intrusion attempts by using antiviruses, firewalls and\nadvanced system security procedures. But this only slows down one part of the\nproblem.<\/p>\n\n\n\n
Attackers have realised that web\napplications are built with large vulnerabilities that provide a perfect way to\ncollapse the service offered to customers, corrupt or steal data, or obtain\ninformation about other vulnerabilities in the server-client infrastructure.<\/p>\n\n\n\n
We could compare this fact\ngraphically to equipping a house with a security door and leaving the keys\nunder the doormat.<\/p>\n\n\n\n
“More than 70% of security vulnerabilities exist in the application layer, posing a significant and immediate threat to users worldwide<\/span>\u201d,<\/span><\/em><\/strong> <\/span><\/em>said the recently deceased Howard A. Schmidt,\u00a0CISSP, board member of (ISC)\u00b2<\/a><\/strong> and chairman of the\u00a0Information Security Forum (ISF).\u00a0“<\/span><\/em>Too often, security is established at the end of the software life-cycle in response to a threat or risk.\u201d<\/span><\/strong> <\/span><\/p>\n\n\n\n
Spanish Small Business, a playground for criminals<\/strong><\/strong><\/h4>\n\n\n\nThe press also reported<\/a><\/strong> on the impact on Spanish SMEs, which were the victims of 70% of the attacks in that country, with losses of around 75,000 euros per incident, estimating the total losses at 14 billion euros in one year. <\/p>\n\n\n\nThe states have also echoed this circumstance and revealed figures<\/a><\/strong> like those from the Attorney General\u2019s Office, which says that in Spain 18,344 proceedings for online fraud (405 convictions), 272 for revealing trade secrets, 295 for computer damage, 68 for crimes against intellectual property and 144 for counterfeiting through ICTs were initiated. <\/p>\n\n\n\nIn 2017, 120.000 attacks were detected<\/a><\/strong> \u2013a new record for Spain\u2013 a rise of 140% in the last two years.<\/p>\n\n\n\nSpain is the ninth most-attacked\ncountry, behind Italy in eighth place, and with Russia top of the list. The\nUnited States ranks 5th.<\/p>\n\n\n\n<\/figure>\n\n\n\nThe trend: a hybrid combination of social engineering and malware\npurchasing<\/strong><\/strong><\/h4>\n\n\n\nWeb vulnerabilities base their\nattack vector on developers being the weak link, so that, by taking advantage\nof their ignorance, or carelessness, information can be obtained about the\napplication, the system containing it, or users and customers.<\/p>\n\n\n\n
But the increasingly sophisticated\nattacks are not normally based on just one attack vector. They also take into\naccount that a possible incorrect system configuration or user ignorance is a\nweakness and a way to get information.<\/p>\n\n\n\n
Therefore, an uncontrolled error in\nan application can provide system information to an attacker.<\/p>\n\n\n\n
Custom-made applications, the blind spot<\/strong><\/strong><\/h4>\n\n\n\nThere has been a lot of\nawareness-raising and companies have learnt by investing in protecting their\nnetworks against intrusion attempts by using antiviruses, firewalls and\nadvanced system security procedures. But this only slows down one part of the\nproblem.<\/p>\n\n\n\n
Attackers have realised that web\napplications are built with large vulnerabilities that provide a perfect way to\ncollapse the service offered to customers, corrupt or steal data, or obtain\ninformation about other vulnerabilities in the server-client infrastructure.<\/p>\n\n\n\n
We could compare this fact\ngraphically to equipping a house with a security door and leaving the keys\nunder the doormat.<\/p>\n\n\n\n
“More than 70% of security vulnerabilities exist in the application layer, posing a significant and immediate threat to users worldwide<\/span>\u201d,<\/span><\/em><\/strong> <\/span><\/em>said the recently deceased Howard A. Schmidt,\u00a0CISSP, board member of (ISC)\u00b2<\/a><\/strong> and chairman of the\u00a0Information Security Forum (ISF).\u00a0“<\/span><\/em>Too often, security is established at the end of the software life-cycle in response to a threat or risk.\u201d<\/span><\/strong> <\/span><\/p>\n\n\n\n
The states have also echoed this circumstance and revealed figures<\/a><\/strong> like those from the Attorney General\u2019s Office, which says that in Spain 18,344 proceedings for online fraud (405 convictions), 272 for revealing trade secrets, 295 for computer damage, 68 for crimes against intellectual property and 144 for counterfeiting through ICTs were initiated. <\/p>\n\n\n\n In 2017, 120.000 attacks were detected<\/a><\/strong> \u2013a new record for Spain\u2013 a rise of 140% in the last two years.<\/p>\n\n\n\n Spain is the ninth most-attacked\ncountry, behind Italy in eighth place, and with Russia top of the list. The\nUnited States ranks 5th.<\/p>\n\n\n\n Web vulnerabilities base their\nattack vector on developers being the weak link, so that, by taking advantage\nof their ignorance, or carelessness, information can be obtained about the\napplication, the system containing it, or users and customers.<\/p>\n\n\n\n But the increasingly sophisticated\nattacks are not normally based on just one attack vector. They also take into\naccount that a possible incorrect system configuration or user ignorance is a\nweakness and a way to get information.<\/p>\n\n\n\n Therefore, an uncontrolled error in\nan application can provide system information to an attacker.<\/p>\n\n\n\n There has been a lot of\nawareness-raising and companies have learnt by investing in protecting their\nnetworks against intrusion attempts by using antiviruses, firewalls and\nadvanced system security procedures. But this only slows down one part of the\nproblem.<\/p>\n\n\n\n Attackers have realised that web\napplications are built with large vulnerabilities that provide a perfect way to\ncollapse the service offered to customers, corrupt or steal data, or obtain\ninformation about other vulnerabilities in the server-client infrastructure.<\/p>\n\n\n\n We could compare this fact\ngraphically to equipping a house with a security door and leaving the keys\nunder the doormat.<\/p>\n\n\n\n “More than 70% of security vulnerabilities exist in the application layer, posing a significant and immediate threat to users worldwide<\/span>\u201d,<\/span><\/em><\/strong> <\/span><\/em>said the recently deceased Howard A. Schmidt,\u00a0CISSP, board member of (ISC)\u00b2<\/a><\/strong> and chairman of the\u00a0Information Security Forum (ISF).\u00a0“<\/span><\/em>Too often, security is established at the end of the software life-cycle in response to a threat or risk.\u201d<\/span><\/strong> <\/span><\/p>\n\n\n\n<\/figure>\n\n\n\nThe trend: a hybrid combination of social engineering and malware\npurchasing<\/strong><\/strong><\/h4>\n\n\n\n
Custom-made applications, the blind spot<\/strong><\/strong><\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.alvantia.com\/wp-content\/uploads\/2019\/07\/imagen2.png\")
<\/figure>\n\n\n\n