According to a CERT 2015 advisory of the top 30 vulnerabilities, nearly all are application vulnerabilities. But that's not why application security is the most important part of the security ecosystem.
According to Business Insider, there are approximately 1.8 billion mobile web users and 1.6 billion desktop web users. Mobile apps are dominating how people access the Internet, and for desktop users the web browser is the primary Internet access point. So yes, that's a whole lot of apps in use. But that still doesn't make application security more important than other types of security.
According to Bloomberg, as of mid-2015 about 7% of all shopping was being done online. Considering how many people are hawking goods on the streets and in stores large and small in each city, 7% is huge. And Manta showed that in 2012, 90% of small businesses marketed online with sales or intentions to sell online.
The thing is, it isn't how vulnerable apps are in general, the added risk from how many apps are in use, or how many interactions apps have in the online world that makes application security so important. It's the attack surface they create. It's huge.
When you have more places where interactions can take place, and that includes unintentional places like vulnerabilities, you increase your attack surface. As detailed in the OSSTMM, the larger your attack surface, the greater your risk. The unfortunate thing about the attack surface is that the rest of your environment inherits it from the moment you place anything there. So if your attack surface was relatively small and you add one tiny app, you've expanded it with many uncontrolled interactive areas. You suddenly have a large attack surface in your environment.
The problem is that it's not so easy to just reduce your attack surface. And the fault for that lies in the rest of your security ecosystem.
You see, your other security is the variety of security devices, software, and techniques that combine to form the protective layer of your organization. That other security is your security ecosystem. It is a delicate thing and needs to be in perfect balance with your resources to function properly. Balance is important because of the Attack Surface Paradox: adding more security to reduce the attack surface also adds more interactions, and at some point the balance tips away from protection, because those added interactions create a bigger attack surface. This disrupts the entire security ecosystem.
Furthermore, you also need to balance the security with the infrastructure and operations of your organization, or else you will have gaps in security. Depending on the complexity of the interactions and the size of the exposure to other interoperating systems, the gaps could be nothing or they could be critical.
Applications are generally complex so that they can handle many types of human interaction, from the keyboard and over the network. They also interoperate with services on the system and often with other systems, the way web applications interact with all the other systems on the Internet. That makes applications the likely cause of critical gaps.
Therefore the introduction of applications requires the introduction of application security to the security ecosystem, which isn't exactly a friendly meeting. Application security requires special configuration to match the application type it's protecting. It often fights with other security measures, like antivirus and server-side encryption such as SSL, for resources like RAM and CPU cycles. Even worse, when not properly applied it will fight for resources with the very servers and applications it is designed to protect. Application security inserted without proper balance will often be a burden on the server and affect the application it's protecting.
Furthermore, traditional, lower-level security won't protect well against the higher-level attacks on applications. Applications are designed to interact with users, which means they interact at a high level. Compare that to network transport communication, which is at a lower level. Securing the company at the network level, controlling the packets going in and out at the firewall, will not influence the interactions at the higher level where the system interacts with the applications, which in turn interact with the user. That allows an attacker to target the person using the application with phishing attacks over an email application or a watering hole attack over a web browser, without the firewall being able to offer much protection.
This means that applications not only bring a larger attack surface into an organization but also require a specific type of control that only application security can provide. Then, if not properly applied, it will disrupt the security ecosystem you already have in place. It's easy to get wrong, and getting it wrong affects the entire organization's attack surface. Which is why AppSec requires great care and consideration, as it truly is the most important part of your security ecosystem.