Do you think you don’t need application security? Maybe you think application security is too complex, or too expensive. Maybe you think, we haven’t been breached yet, what are the chances? And even if someone tries, we have a WAF.
It might seem more cost-effective to simply “do nothing” rather than invest in application security. But you should be aware that there is indeed a cost associated with “doing nothing” when it comes to application security.
You do have a good chance of suffering a breach through the app layer – no matter your size or industry.
Verizon recently studied 2,260 confirmed data breaches across 82 countries and found that 40 percent resulted directly from web app attacks, by far the largest category. In addition, according to Akamai’s Q3 2015 State of the Internet Security Report, attacks at the application layer are growing by more than 25 percent annually.
A recent blog post on pcicomplianceguide.org observed that “the average consolidated total cost of a data breach is $3.8 million. With each lost or stolen record costing an average of $174, even 500 compromised payment records can exceed $75,000 in liability for a breached merchant.”
And that’s a conservative number considering that breach-related costs include:
Many regulators, across many different industries, now require that application security controls be put in place. And with the increase in breaches through the app layer, they are paying closer attention to whether those controls actually exist and work.
Regulations that now require application security controls include:
What’s the cost of failing to comply? Here are two examples:
You might think you are “doing something” to protect your app layer if you’re relying on network security solutions, but, in fact, you are “doing nothing.” Protecting the network layer is not the same as protecting the application layer: a network firewall sees ports, protocols and addresses, not the logic of the application behind them, so it does not protect your organization against application-layer attacks that arrive as ordinary, allowed HTTP requests.
Yet most organizations continue to focus their budgets on blocking attacks at the network/infrastructure layer while neglecting the application layer, which is where today’s breaches are actually happening. Attackers know this and are taking advantage of the insecure app layer.
A web application firewall is not an adequate application security solution on its own either. Traditional firewalls were designed to handle network events, such as finding and blocking botnets and remote access exploits. A WAF goes further and inspects HTTP traffic, so it can block some application-level attacks, but it does so from signatures and rules: it needs significant effort to configure, tune and monitor, and a request crafted to avoid its rules still reaches the vulnerable code. Ultimately, a WAF does not fix application-layer vulnerabilities; it only mitigates them, and only for the attack patterns it knows about.
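To make the “mitigate versus fix” distinction concrete, here is an added example that is not part of the original post. It uses a deliberately simplistic pattern filter as a stand-in for a WAF rule (a real WAF rule set is far larger, but the principle is the same), a vulnerable lookup that concatenates user input into SQL, and the fixed version that uses a parameterized query. The table, the users and the payloads are all constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


# Hypothetical stand-in for a WAF rule: block any parameter value containing
# the classic tautology  ' OR '1'='1 .  Signature-based blocking only stops
# what the signature describes.
BLOCK_PATTERN = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def waf_allows(value):
    """True if the hypothetical WAF rule would let this value through."""
    return BLOCK_PATTERN.search(value) is None


def vulnerable_lookup(conn, name):
    """Vulnerable: user input is concatenated into the SQL statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def guarded_vulnerable_lookup(conn, name):
    """The same vulnerable code behind the WAF-like filter.

    Returns None when the request is blocked; otherwise the query still runs
    against unfixed code, so anything the rule does not match gets through.
    """
    if not waf_allows(name):
        return None
    return vulnerable_lookup(conn, name)


def fixed_lookup(conn, name):
    """Fixed: a parameterized query. The input is bound as data and can never
    become SQL syntax, whatever it contains, so no filter is needed."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    )
    return [row[0] for row in rows]


# Constructed payloads: the first matches the WAF rule, the second is an
# equivalent tautology written so that the rule does not match it.
CLASSIC_PAYLOAD = "x' OR '1'='1"
EVASION_PAYLOAD = "x' OR 2>1 OR 'a'='b"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, classic :", vulnerable_lookup(db, CLASSIC_PAYLOAD))
    print("behind WAF, classic :", guarded_vulnerable_lookup(db, CLASSIC_PAYLOAD))
    print("behind WAF, evasion :", guarded_vulnerable_lookup(db, EVASION_PAYLOAD))
    print("fixed, evasion      :", fixed_lookup(db, EVASION_PAYLOAD))
    print("fixed, legit        :", fixed_lookup(db, "alice"))
```

The filter blocks the textbook payload, but the second payload, which reaches exactly the same vulnerable concatenation, walks straight past it and dumps every user. The parameterized version returns nothing for either payload and the right row for a legitimate name, without any rule to maintain: that is the difference between mitigating a vulnerability in front of the application and fixing it in the application.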
Effective application security requires a program, not a single product: multiple technologies designed specifically to assess the security of the application layer, applied to applications from development through to production, so that vulnerabilities are found and fixed in the code rather than merely screened at the perimeter.
Neglecting to address application security will not save you money. In fact, it will cost you, most likely a significant amount, in the future. Applications play a pivotal role in today’s digital world, and they need a correspondingly pivotal place in your security plan.
How do you get started? Find out from someone who's been there in our new guide, From Ad Hoc to Advanced Application Security: Your Path to a Mature AppSec Program.