Application security is hardly the hottest topic around most water coolers. That hasn't stopped several app security myths from developing and spiraling out of control. Before one more person tells you that basic antivirus software can prevent all types of malicious hacking, drop everything you're doing and read this list of the top six AppSec myths.
1. It's too expensive.
We've all heard this one before. Someone in the company knows that they should get nicer, more comprehensive security software tailored to the enterprise, but all that explosive growth means that funds have been poured into new hires and nap pods. Besides, Macs, like, never get hacked, right?
The reality is that growing enterprises need app security the most, as proliferating internal applications and bring-your-own-device programs open up more vulnerabilities every day. Cloud-based security services don't require more staff, more space or anywhere close to the budget that the olden days of hermetically sealed rooms full of secure servers did. In fact, it's never been cheaper to roll out a customizable, comprehensive app security program. It might just be the cheapest way to save your enterprise a million — or a billion — dollars. Just ask one of the many major brands that suffered catastrophic data breaches in the last year.
2. Macs aren't vulnerable.
If you haven't said this, you've definitely heard it. In the endless Mac-versus-PC debate, many people tout Macs' immunity to viruses as one of their key advantages. This is untrue, and it also reduces the scope of thinking about security vulnerabilities to old-school, Trojan-style viruses that install annoying pop-ups and slow down your work on Windows 98. Nowadays, the attacks that matter are largely independent of the client's operating system: a browser-based keylogger or an XSS payload runs inside whatever browser the user has open, and a SQL injection attack targets the application's database server, so it works the same whether the request came from a Mac, a PC or a phone. Instead of trying to buy your way around vulnerabilities with a particular brand of hardware, seek a software solution that can handle today's office, which mixes desktops, laptops and mobile devices across multiple operating systems.
3. We have too many things to secure, anyway.
It's easy to look at the number of in-house and third-party applications, desktop PCs, laptop Macs and every iteration of every smartphone and tablet imaginable and think that no single security solution could secure all of them. The newest generation of app security is up to the task, though: it can automatically take inventory of which applications and operating systems are present in your enterprise, then work backward to assess the existing risk. Once you implement a security program, every new addition to your software and hardware landscape is evaluated as it is developed or deployed. That includes code that's written in-house!
4. We only need to secure critical applications.
It's tempting to compartmentalize AppSec and only buy enough to protect transactions and sensitive data. In an older, cruder hacking landscape, that might have been enough. But with recent, high-profile breaches like the Target attack, which entered through credentials stolen from an HVAC service contractor, or the J.P. Morgan breach, which reportedly began at an external website used for its annual charity road race, it's impossible to ignore the facts: Hackers are fully capable of exploiting even the least essential parts of your network to gain access to what they really want. Application security is only effective if it can track and manage every facet of an enterprise's very tangled web of assets. That includes temporary access granted to service contractors and third-party websites that are hosted on the same servers as critical business functions.
5. We're too Agile for AppSec.
The rapid rise of Agile development methodology means many shops try to trim as many redundant processes out of their workflow as possible. With pressure mounting from all sides to release new software more quickly than ever, developers press forward with limited security testing, and other members of the organization believe that they're doing the right thing. But modern app security isn't a slow or cumbersome process; in fact, many programs are designed to integrate into Agile processes. The best security tooling tests code as it is written, so security testing keeps pace with each sprint instead of accumulating as technical debt. Without that, a penetration test covers only the old code while the team sprints ahead with new, untested code layered on top of the old vulnerabilities.
6. We buy all of our software from trusted organizations, so we're safe.
No software is safe from persistent attacks coming from hackers across the globe. In fact, the more widely used an application is, the bigger a target it becomes for professional hackers. Many businesses choose to be trusting and assume that, because they buy software and don't build any of their own, they can proceed without testing the apps they implement or monitoring their software inventory. Even the most trusted names are subject to vulnerabilities, especially when businesses mix and match multiple versions of applications across devices and operating systems.
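The inventory point made under myth 3 and again here (vendor software with known flaws sitting in your estate) comes down to one mechanical check: match what is installed against which versions an advisory says are affected. The following is an added example, not the article's or any vendor's code, of that check in Python. The inventory records, the advisory list and the `ADV-` identifiers are all constructed for illustration; a real program would feed this from an agent or package manager and a vulnerability feed.

```python
def parse_version(text):
    """Turn a dotted numeric version such as '2.3.1' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed, padding shorter tuples with zeros.

    Padding matters: '2.4' and '2.4.0' must compare as equal, not as different.
    """
    v, lo, hi = parse_version(version), parse_version(introduced), parse_version(fixed)
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) < pad(hi)


def find_exposed(inventory, advisories):
    """Return (host, package, version, advisory_id) for every installed package
    whose version falls inside an advisory's affected range."""
    exposed = []
    for host, package, version in inventory:
        for adv_package, introduced, fixed, advisory_id in advisories:
            if package == adv_package and version_in_range(version, introduced, fixed):
                exposed.append((host, package, version, advisory_id))
    return exposed


# Constructed inventory: one row per (host, package, installed version), mixing
# desktops, a phone and a contractor-facing gateway, as an agent might report it.
INVENTORY = [
    ("mac-01", "acme-agent", "2.3.1"),
    ("win-07", "acme-agent", "2.5.0"),
    ("ios-12", "acme-mobile", "1.2.0"),
    ("hvac-gw", "vendor-portal", "4.0.1"),
]

# Constructed advisories: (package, first affected version, first fixed version, id).
# The identifiers are placeholders, not real CVEs.
ADVISORIES = [
    ("acme-agent", "2.0.0", "2.4.0", "ADV-0001"),
    ("vendor-portal", "4.0.0", "4.0.2", "ADV-0002"),
]


if __name__ == "__main__":
    for host, package, version, advisory_id in find_exposed(INVENTORY, ADVISORIES):
        print(f"{host}: {package} {version} is affected by {advisory_id}")
```

Run against the constructed data, the check flags the Mac running the old agent and the HVAC gateway's vendor portal, while the Windows box on a fixed release and the phone with no matching advisory are clean. The lesson for both myths is the same: the check is cheap and mechanical, but it only works if the inventory is complete, which is why the contractor gateway belongs in it.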
As you can see, there are a lot of myths about app security out there. Instead of buying into the madness and believing that you're safe, take a proactive stance and find out how easy it is to go from depending on fallacies to running a truly secure, compliant enterprise — regardless of your industry.