In today's business landscape, application security has emerged as a leading factor in a company's brand perception and even its bottom line. Yet despite the exponential growth of digitalization, security policy rarely acknowledges just how much critical business information now lives in applications, whether in the cloud or in other software environments.
In a recent whitepaper titled "Why Application Security Is a Business Imperative," IDG and Veracode highlight five reasons why AppSec is essential to the enterprise security landscape:
Last year, corporate mergers reached a seven-year high, a sign of enterprise consolidation and a desire to beat out the competition. But amid the excitement, one critical detail is often overlooked. According to the whitepaper, the typical corporation with $500 million or more in revenue has developed nearly 3,100 applications of its own, which represents about 40 percent of its total application portfolio. Merge two or more such enterprises together, and the odds are high that hundreds of apps will slip through the cracks of both the inventory and the AppSec program. You cannot secure an application you do not know you have, which is why holistic application security should always start with an inventory.
It's a sad story that gets told far too often: some minor application used for a seemingly inconsequential task leads to a massive security breach. Even before a merger, corporations regularly employ thousands of applications to conduct business. If even one of them is left vulnerable, ad hoc security testing may overlook it. With application security, coverage is an all-or-nothing question: an attacker needs only one unprotected entry point. With many applications in use (and even more attackers looking to hit the jackpot), the odds are never in your favor. Unless application security is an enterprise priority, neglect will leave vulnerabilities in place.
Executives might understand the importance of holistic AppSec but find it hard to justify the cost. With organizations spending an average of $1.65 million to cover just 37 percent of their applications, the cost of full coverage could well be close to triple that figure. Still, with 24 percent of all security breaches costing businesses over $100,000 and 7 percent costing in excess of $10 million, the value proposition is convincing. And for businesses willing to gamble on cutting application security costs, it's worth remembering that those figures measure only the direct impact; the long-term reputation damage from a critical security breach often balloons into intangible costs and lost business.
Every day that a business is anything less than fully secure is a day that it's exposed to attackers. It's also another day that developers continue building internal applications without factoring security into their lifecycle. Until company culture embraces secure development, CISOs cannot assume their in-house applications are covered. Developers are under pressure to meet deadlines, and if corporate security expectations are vague or lax, skipping critical testing is an easy way to save development time.
Customers love apps, and businesses continue to oblige. Internally developed applications are expected to increase by 12 percent over the next 12 months. The culture they're developed in can be the difference between a success story and a disaster. Secure development practices should be as integral to application requirements as a quality user interface and potential ROI. The reality is that businesses are building more apps at unprecedented rates; if those apps are not secure, they're just new doors for attackers to walk through.
Recognizing the importance of application security is the first step to mitigating unnecessary risk. In the new paradigm of in-house app development and rampant cybercrime, neglecting applications is as negligent as leaving the office doors unlocked at night.
Veracode and IDG's whitepaper aggregates dozens of industry reports and highlights critical trends in operating secure enterprises and the need for secure business best practices. Download the paper in its entirety to learn more, and be sure to check out this and other resources available in Veracode's extensive CISO tool kit.