For somewhere that doesn't technically exist, the perimeter can be a pretty scary place. A big place, too, at least for businesses that publish apps and use the Internet as a main tool of their day-to-day operations.
Put the two problems together and you have one of the biggest security and web app development challenges facing businesses today. Veracode sums up this problem in its "Addressing the Scalability Challenge with Cloud-Based Application Security" white paper, stating, "We need to discover and protect all of our web apps, but in a fast and scalable way."
Big, however, doesn't have to mean impossible. In fact, finding and protecting all the web, mobile and other apps under a company's banner isn't that hard, even if the collection in question spans multiple formats and several years. Following through on secure web app development and perimeter management is a matter of knowing what tools and skills to apply and where to apply them.
All sorts of reasons, actually. They're more or less freely available, for one thing. For another, they contain all the info novice attackers need to pull off fairly complicated hacks, attacks and breaches. And on top of that, a lot of businesses have connected apps — both internal and customer-facing — to poke, prod and generally mess with.
That third point in particular gets scary when you think about every bit of code your average big company puts online. For a humorous example of this idea at work, look no further than the Space Jam website: While Warner Bros. undoubtedly knows the site is up and keeps it running as a sort of tongue-in-cheek joke, there are countless businesses that don't remember the stuff they put online 30 years ago. Those sites, generally speaking, are going to be just as outdated under the hood, and that makes them a tantalizing target for attackers. A site built with 1996's understanding of secure web app development probably won't withstand modern attacks for too long.
To secure your business's entire web app development history, you need to know what's there. All too often, businesses depend on manual tools and testing to get this particular job done, a task that ranges from mind-numbing to impossible for humans to fully complete. For the companies with truly massive, truly disorganized perimeters, whole teams of people couldn't do what a simple automated scan can.
"Addressing the Scalability Challenge" refers to this stage as discovery: "[Closing] the visibility gap" by using powerful, automated tools in search of every nook and cranny of your company's perimeter. Instead of sending human assets on the enterprise equivalent of a wild goose chase, automated systems like Veracode's scour the web for every last hint of your company's digital footprint, working off a massive checklist that includes "corporate sites, temporary marketing sites, portals, mobile sites, international domains, acquired sites and even related sites (info, mail)," according to the white paper.
Automation doesn't stop being useful once your footprint's fully outlined. Up next is seeing what kind of risk your perimeter subjects you to by cataloging all the flaws and errors that could result in security headaches if they remain unaddressed.
Technically speaking, this sort of work requires multiple tools. For legacy apps, Veracode's DynamicDS (Deep Scan) takes an incredibly thorough look at your past bits of web app development. By looking at your company's perimeter like an attacker would, the tool provides the sort of depth and breadth that other scanning tools, particularly those built in the era of legacy apps, simply can't match.
Of course, automated tools can't do it all. By deploying experts to look at the results of a scan, the paper says, you further harden your secure web app development practices. In Veracode's case, experts are brought in to monitor results and provide advice based on the outcome, giving modern businesses the information they need to deal with software likely built by entire teams of people who no longer work there.
Big businesses have big digital footprints. So big, it's hard to get a complete view of all the software they have on the web. A thoughtful, proactive approach to securing your perimeter can save you all sorts of headaches when attackers come calling. Even without those concerns, however, it's just good business to know everything your company has out there.
For more tips on scaling your security, be sure to download the white paper. In it, you'll find eight of the most common questions security-concerned organizations ask themselves, plus easy-to-understand solutions. Don't let the perimeter be your Achilles heel — lock it down now and you'll thank yourself later.