With everything a modern enterprise CISO has on his or her plate, it can be difficult to find the proper prioritization to ensure the best available business security. Application security hasn't traditionally been prioritized over other security-related tasks, such as password controls and employee education, but new research shows applications — especially web applications — may be weak points for many businesses. CISOs have to recognize the risk their unsecured applications pose, and take steps immediately to remedy the situation.
Security may have high visibility within modern enterprises these days, especially due to the costly security issues that always seem to be in the news, but given the sheer number of facets within security, CISOs may not be focusing on the right places. A new survey, as detailed in this CIO article, shows application security may finally be getting the attention it deserves. "Vulnerable web applications" ranked the highest of all the listed potential security threats, but with only 55 percent of respondents listing it as a top threat, there still may be some education required on that front.
As the article notes, application security can be the most difficult of the potential threats for CISOs to deal with, largely because solving the problem is much more complicated than just revising a password policy or reviewing a patch schedule. True application security can't be tacked on at the end. Legitimate hackers will have little issue getting around patched-together defenses to find the vulnerabilities they know exist in base code, and these defenses can leave firms with a false sense of security, causing them to do more harm than good.
With vulnerable applications finally getting the attention they deserve, CISOs should take the time to ensure their apps are as secure as possible, since even a little embedded security can be enough to send hackers after easier targets.
Truly secure applications have security injected into the earliest phases of their software development lifecycles, rather than added on just before they go live. This means data encryption, session restrictions, input validation and other security measures will be built into base code, and subsequent development won't do anything to disturb these features. Additionally, security testing will become a standard aspect of software testing, ensuring the security features added in the earliest stages of development continue to operate as desired in the final version.
However, given the shifting nature of the modern threatscape, injecting security into the development process is only half the answer. Securing applications against the current OWASP Top 10 will make for secure web applications today, but tomorrow's top 10 could be quite different, as new vulnerabilities are discovered and older, near-forgotten vulnerabilities once again rear their heads.
Staying on top of this can be difficult for any enterprise CISO, which is why a dedicated security vendor may be the answer. Not only are these businesses completely focused on the current state of modern cybercrime, but they also have the expertise required to seamlessly inject security into the earliest parts of the development process. These solutions are even better when they are cloud based: CISOs can use these vendors to secure one small team, then quickly scale everything up to cover an entire enterprise using the power of the cloud. Best of all, these businesses will constantly update their suggested development techniques and scanning practices to ensure emerging threats are covered.
Securing in-house applications against modern threats is a major step for any CISO, but it's only one step in the process. Third-party code, obtained either through outsourcing or the use of open-source software, is everywhere these days — and since it's built outside the enterprise, its security bona fides can be difficult to determine. Often, CISOs and information security personnel just have to take a vendor's word on the application or snippet's security, and that simply isn't good enough given the stakes for a modern enterprise.
The right security vendor can help here as well. The top vendors in the industry have tools at their disposal to perform a static scan on applications, even without access to their source code. This binary static testing will help ensure outsourced applications can withstand many of the modern attack vectors; when used in conjunction with third-party security audits, it can go a long way in providing peace of mind regarding third-party application security.
In the end, CISOs have to review their application security processes, finding ways to provide security practices and policies that are more comprehensive and more malleable. It's the only way to ensure their applications are as secure as possible.