In the software world, a lot of problems comprise two segments: the why, and the how. Usually, it's the how that gets results.
Take the increasingly important practice of perimeter management. Sure, we all know why it's important to secure the perimeter, so to speak, by keeping our sites, apps and so on locked down, but knowing how to keep them airtight is what really matters.
So, what's the secret to securing your perimeter? As a Veracode case study says, knowing what's there and how to find and define everything, combined with a liberal smattering of automation, makes it easier than ever to secure the perimeter.
In theory, the first tentpole of proper perimeter management sounds pretty simple: To know which apps are secure and which ones aren't, you have to know all the apps your firm is using.
The problems start when we take this idea into practice. The larger a company grows, the harder it is to keep a thumb on every bit of software under its banner, a fact that stays true whether you're talking about customer-facing applications or internal-use web apps and the like. For instance, in Veracode's "Global Media and Technology Company Gains Visibility into Mobile App Perimeter" case study, the company in question had 100 percent more apps than expected available for download — while your company may or may not have that many projects out there, it illustrates the point that knowing your perimeter is half the battle.
Even crazier, the company in the case study was only concerned with apps published on markets such as iTunes and Google Play. Most large companies must look in other areas to truly secure their perimeters. Legacy websites often serve as points of entry for larger, nastier attacks, as do sites connected to software vendors and other third-party businesses.
Whether you're talking thousands of submitted mobile apps from authorized publishers or a handful of sneaky legacy web apps, defining every nook and cranny is perhaps the biggest challenge for companies trying to protect the perimeter. Once those nooks and crannies are found, however, they must also be tested — and both problems lend themselves perfectly to automated scanning and testing.
In the end, looking for apps and flaws within those apps is not a great job for humans. It's boring, repetitive work, with countless intricacies and enough time-chewing variables to throw off entire teams of crack security personnel.
That's what makes the solution presented in the case study so innovative and well-suited to the way most companies have built their perimeters over the years. In the company's case, it needed to see how its published apps were behaving — how they treated user data, for instance, or how close certain actions they undertook came to malware-style activity.
Moreover, the automated system took into account two other aspects of effective perimeter management: finding security flaws, and confirming adherence to corporate security policy within the apps it discovered.
That second point in particular is huge, even if a given company's perimeter consists entirely of internal-use apps. It's not the customer-facing apps that cause the most trouble, after all — often, attackers use minor flaws in low-priority and/or forgotten systems to leapfrog into larger, more secure areas, where they're able to access more valuable data.
All the strengths that make automated systems great at looking for sites and apps on the perimeter also help them excel at finding errors within them. Instead of relying on costly penetration testing at a set point in the schedule, automation helps secure the perimeter twice over: by checking apps constantly throughout the SDLC, and by subjecting apps produced before its implementation to the same sort of scrutiny.
In the end, a business must know what its perimeter comprises to keep it secure. No one has time machines, however, and that makes keeping legacy apps (and others built before the company sharpened its security focus) secure uniquely difficult; it's easy to see how overarching plans help secure the perimeter, but they don't help with the stuff that was built more or less ad hoc in the years leading up to now.
Going forward, the best advice is to make sure you know exactly where your company's apps are, what they do, and how secure they are, and consider keeping a centralized document explaining that info for the company's overall benefit. For the stuff built in the past, confirming and securing every bit of your old-school perimeter is just as important. In both cases, automation can help — and it'll only grow more important as your perimeter grows in complexity. That's a "how" almost any company can act on.
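The "know where your apps are, what they do, and how secure they are" advice above boils down to keeping a central inventory and continuously reconciling it against what discovery actually turns up. The script below is an added illustration of that reconciliation, not code from the article or from Veracode: the inventory records, app names, scan dates and the 30-day scan-age threshold are all constructed, and a real implementation would feed `DISCOVERED` from store listings, DNS sweeps or a scanner's asset export rather than a hard-coded set.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class InventoryEntry:
    """One row of the centralized perimeter document (constructed schema)."""
    name: str
    owner: str
    location: str              # where it lives: app-store, legacy-web, internal
    last_scan: Optional[date]  # None means it has never been scanned
    policy_pass: bool          # did its last scan meet corporate policy?


# Constructed sample inventory: what the company *thinks* its perimeter is.
INVENTORY: List[InventoryEntry] = [
    InventoryEntry("acme-mobile", "mobile-team", "app-store", date(2024, 5, 20), True),
    InventoryEntry("acme-legacy-portal", "unknown", "legacy-web", None, False),
    InventoryEntry("acme-vendor-bridge", "integrations", "internal", date(2024, 3, 1), True),
    InventoryEntry("acme-intranet-wiki", "it-ops", "internal", date(2024, 6, 1), True),
]

# Constructed discovery results: what automated enumeration actually found.
DISCOVERED: Set[str] = {
    "acme-mobile",
    "acme-legacy-portal",
    "acme-vendor-bridge",
    "acme-sandbox-demo",   # nobody documented this one
}

TODAY = date(2024, 6, 10)  # fixed so the example is deterministic


def reconcile(inventory: List[InventoryEntry], discovered: Set[str],
              today: date, max_scan_age_days: int = 30) -> Dict[str, List[str]]:
    """Compare the documented perimeter with the discovered one.

    Returns four sorted lists:
      unknown      - discovered but not in the inventory (shadow apps)
      not_seen     - in the inventory but not discovered (stale records)
      stale_scan   - documented apps never scanned or scanned too long ago
      policy_fail  - documented apps whose last scan failed policy
    """
    known = {entry.name for entry in inventory}
    unknown = sorted(discovered - known)
    not_seen = sorted(known - discovered)
    stale_scan = sorted(
        entry.name for entry in inventory
        if entry.last_scan is None
        or (today - entry.last_scan).days > max_scan_age_days
    )
    policy_fail = sorted(entry.name for entry in inventory if not entry.policy_pass)
    return {
        "unknown": unknown,
        "not_seen": not_seen,
        "stale_scan": stale_scan,
        "policy_fail": policy_fail,
    }


def report_lines(result: Dict[str, List[str]]) -> List[str]:
    """Render the reconciliation as one line per finding, ready to file."""
    labels = {
        "unknown": "UNDOCUMENTED: discovered but not in inventory",
        "not_seen": "STALE RECORD: in inventory but not discovered",
        "stale_scan": "SCAN OVERDUE: never scanned or scan too old",
        "policy_fail": "POLICY FAIL: last scan did not meet policy",
    }
    lines = []
    for key, names in result.items():
        for name in names:
            lines.append(f"{labels[key]}: {name}")
    return lines


if __name__ == "__main__":
    for line in report_lines(reconcile(INVENTORY, DISCOVERED, TODAY)):
        print(line)
```

Run unattended on a schedule, each of the four buckets maps to an action the article calls for: an `unknown` entry means discovery beat documentation and someone needs to own the app; a `not_seen` entry is a record to retire or a discovery gap to close; `stale_scan` and `policy_fail` are the apps, legacy ones in particular, that need to be pulled into the same scanning cadence as everything else.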
Want to learn more about securing your company's perimeter? Check out Veracode's case study.
Photo Source: Wikimedia Commons