On today’s webinar, “Web & Mobile Applications: The Silent Assassins in your Cyber Security Strategy”, we will discuss the evolution of the application security perimeter with Erik Peterson, Veracode’s Director of Product Strategy. Erik will highlight how mobile devices and web applications are impacting security teams and present guidelines for addressing the changes to our security environment. Obviously, the full webinar couldn’t be condensed into one blog post, so here is a preview of the discussion.
The Silent Assassins in your Cyber Security Strategy
The world of information security is changing and application security teams must evolve their programs to address the entire application perimeter, including mobile devices, web applications, and purchased software. While we all recognize the great job we've done locking down our networks and endpoints, hackers are still getting in and accessing our data. Let’s face it: they're getting in through the applications. For all organizations that reported the source of breach incidents in 2011, 40% were traced to application security issues (source: Data Loss Database). Whether used over the web or on mobile devices, your company’s data depends on secure applications for protection. However, this need for security is in opposition with accessibility; both employees and customers must interact with your company’s data. Instead of standing in the way of productivity, application security teams are working to adapt their systems, polices, and development strategies in order to keep up with these trends. However, as teams strive to address the changing environment, threats continue to proliferate and breaches remain costly: $194 per compromised record.
BYOD is not helping.
Yesterday’s launch of the latest iPhone only guarantees that every tech-savvy employee will be begging IT to let them use the latest and greatest smartphones at work, be it the iPhone 5 or the fanciest - potentially patent-infringing - Android. But more likely, they will simply connect their device to their corporate network without informing IT. A recent report states that 34% of CIOs think employees are accessing their network with personal devices and 69% of users confirm they are indeed accessing their corporate networks with a personal device. (Source: IDC) How can application security teams get ahead? To start, control you application perimeter:
- Map you application perimeter. Security must know every device that is accessing company data.
- Embrace 24/7 application testing. If it’s on the internet, it’s already getting round-the-clock testing, so you might as well get to see that report.
- Verify the security of your Third party applications by performing independent security testing of your purchased software.
In the long term, you need to build up your application security program from Ad-Hoc testing to mature, proactive risk management, which includes the seamless on-boarding of developers, suppliers, and acquisitions.
