Sure, the KISS rule ("Keep it simple, stupid!") sounds a little harsh, but it's an easy way to remember a universal truth: Processes work best when they aren't overly complicated. One area at risk of overcomplication is application security. This isn't surprising — bugs like Bash and Heartbleed, along with flaws such as the Misfortune Cookie or GHOST, seem to pop up at every turn, making IT professionals and enterprise executives understandably nervous. For enterprises, the result is often a bloated security structure that seems safe by virtue of its complexity, but which actually puts data at risk thanks to multiple vendor layers that don't always overlap. In reality, it's possible to stay safe following a much easier set of rules: be smart, think simple and get secure. Here's how it works.
The first step in protecting your application assets? Be smart. Consider the unfortunate case of Moonpig, a personalized greeting card company. As an International Business Times article noted, a flaw in the company's Android app made it possible for hackers to steal customers' names, birth dates, street addresses and email addresses, along with the last four digits and expiration dates on their credit cards. An app developer contacted Moonpig in 2013 and was told the problem had to do with "legacy code," but when the issue was still unresolved in September of 2014, he brought it to the public. While there's no evidence of compromised accounts, the lack of app security is troubling.
So what happened? Chances are, the company used either third-party code or a third-party provider to design its app security and simply didn't know it wasn't up to snuff. For enterprises, the same temptation exists: Reputable third-party code can slash development times, and if you're using an IoT-capable device supplied by a third party, it's often easier to let that third party handle security as well. Being smart about application security means getting involved and knowing both who's responsible for designing defenses and what's in place to protect your interests. It's no longer enough to plead ignorance, because both black- and white-hat hackers are out to test company networks for possible failure points.
Developing an end-to-end view of application security in your enterprise can easily contribute to the notion of increased complexity — after all, once the sheer number of inward- and outward-facing apps is tallied and the risks assessed, it can often seem like an insurmountable task to secure each one. But consider the repercussions of the Backoff malware: POS machines only peripherally connected to a secure network were ultimately responsible for millions of dollars lost and credit card data stolen.
IT professionals are understandably concerned that a simple approach comes packaged with inherent flaws; after all, no two apps are alike, and they all have different levels of data access, read/write permissions and the ability to communicate outside secure corporate networks. Keeping things simple means recognizing that while applications differ when it comes to function, they're all built on a similar form. By leveraging a cloud-based security solution that scans apps throughout their lifecycles for potential flaws and backdoors, it's possible to achieve both simplicity and an in-depth view of your app landscape.
Once you've identified potential failure points and have an agile detection system in place, the final step in enterprise application defense is enhancing security on an app-by-app basis. Consider the Facebook at Work app. A TechTarget post explains that while there is potential for the social media giant to make business inroads through the app, beta users already have several concerns, including a lack of news feed controls, organizational access to employees' status changes and ambiguities surrounding data governance. There's no clear answer on what Facebook stores and what it doesn't, making it difficult for enterprises in case of an audit or compliance review.
Combating problems from missing features and skipped-over security steps is possible — if enterprises are willing to commit time and energy to smart and simple processes. With the right groundwork in place, IT professionals can devote their time to improving applications rather than chasing down potential flaws.
Want better enterprise application security? Follow the KISS method: be smart about identifying security controls, opt for simplicity when it comes to protecting apps and maximize IT impact by giving IT professionals room to work.