VTech, TalkTalk, OPM, Premera … you’ve seen the headlines about the destructive breaches of 2015. Want to avoid the same fate? One of the most effective ways to reduce your risk of a breach is to implement an application security program.
Most organizations have invested heavily in securing the network and hardware layers, but have yet to focus their attention, or their budgets, on the security of the application layer. The reasons vary – from misconceptions about the cost or complexity, to simply not knowing where to start – but the bottom line is that every organization, of every size, can dramatically reduce its risk of a breach by implementing an application security program. Here’s why operating without a mature application security program is risky business.
Risky business No. 1: You’re leaving critical assets exposed
Applications run our critical infrastructure and our businesses, and as such they are a primary target for those looking to infiltrate businesses, critical infrastructure, personal devices and federal systems. – Chris Wysopal, Veracode co-founder and CTO
With increased reliance on software to make business decisions and interact with business partners, the quality of an organization’s applications impacts its viability and affects how partners and customers perceive it. Faulty and insecure software puts your data and the data of your business partners at risk and can have repercussions well beyond any one incident.
The nature of the information apps protect means the stakes are high if you suffer an app layer breach. Examples abound, but two from 2015: VTech and TalkTalk suffered data breaches through the application layer. Thanks to these breaches, cybersecurity experts are now advising parents to boycott VTech’s toys, and TalkTalk has, thus far, shelled out £60m and lost 95,000 customers.
Leaving your customers’ confidential and sensitive information vulnerable to cyberattack is risky business. Firewalls and network security aren’t protecting your applications; you need an application security program that protects your entire application landscape – including those bought, built or assembled.
Risky business No. 2: You’re relying on after-the-fact patches to fix vulnerabilities
Like a rapidly growing city, we’ve built our applications quickly and without regard for the fact they exist in a hostile environment. – Chris Wysopal, Veracode co-founder and CTO
Cyberattackers know that the application layer is the final frontier. They know enterprises cannot keep pace with the number of applications they deploy, and that many of those applications are left insecure. That’s where attackers will be focusing their energies, and in turn, it’s where you should be focusing yours.
If you’re thinking you can rely on patches in lieu of an application security program, think again. In many cases, you’ll be breached before you even know you have a vulnerability. And if the vulnerability is announced, you most likely won’t have time to patch or update it before it’s exploited.
As a result, it is crucial for organizations to implement an application security program that bakes security into the SDLC, but also gives complete visibility into all of the components development teams are using, and the versions in use. Only then can security teams quickly patch or upgrade a component when a new vulnerability in it is disclosed. Note that the inventory has to include transitive dependencies and copies bundled inside other software (a library statically linked into an appliance or vendor package), since those are the copies most often missed. Otherwise, teams run the risk of leaving a known vulnerability in their environment and creating a situation like what happened to one healthcare organization when Heartbleed was disclosed. Although the organization was aware of the OpenSSL vulnerability, it was not able to find and update all versions of the component before hackers were able to breach it through the Heartbleed vulnerability.
By proactively creating a comprehensive inventory of the components and the current versions in your environment, you will be able to quickly respond to the next vulnerability disclosure in an open source component. Otherwise, you are left trying to work faster than the criminals, and that’s not a race you are going to win.
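The inventory-driven response described above, as an added example that is not part of the original post or any Veracode product: a small Python check that takes a component inventory (one row per deployed instance of a component, with the application that embeds it) and matches it against a list of disclosed advisories by version range. The inventory rows and application names are constructed for this example; the single advisory entry is the public Heartbleed disclosure (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f affected, fixed in 1.0.1g). The version comparison handles OpenSSL-style letter suffixes, which a naive string comparison gets wrong.

```python
"""Match a component inventory against disclosed vulnerable version ranges.

Added example. The inventory below is constructed; the advisory entry is the
public Heartbleed disclosure (CVE-2014-0160).
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample inventory: one row per deployed copy of a component,
# including the application that embeds it. Application names are hypothetical.
INVENTORY_CSV = """\
app,component,version
customer-portal,openssl,1.0.1e
customer-portal,jquery,1.11.3
billing-api,openssl,1.0.1g
billing-api,commons-collections,3.2.1
legacy-vpn-gateway,openssl,1.0.1
reporting,openssl,0.9.8y
"""


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str
    first_affected: str  # inclusive lower bound
    fixed_in: str        # exclusive upper bound (the first safe release)


# Public Heartbleed range: OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g.
ADVISORIES = [
    Advisory("openssl", "CVE-2014-0160", "1.0.1", "1.0.1g"),
]


@dataclass(frozen=True)
class Finding:
    app: str
    component: str
    version: str
    advisory_id: str


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def version_key(version: str) -> tuple:
    """Sort key for versions like '1.0.1f', '1.0.1', '0.9.8y'.

    Numeric parts are compared as integers (padded so '1.0.2' > '1.0.1g'),
    and an empty letter suffix sorts before any letter ('1.0.1' < '1.0.1a').
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    padded = numbers + (0,) * (4 - len(numbers))
    return (padded, match.group(2))


def is_affected(version: str, advisory: Advisory) -> bool:
    """True when first_affected <= version < fixed_in."""
    key = version_key(version)
    return version_key(advisory.first_affected) <= key < version_key(advisory.fixed_in)


def load_inventory(csv_text: str) -> list[dict]:
    """Parse the app,component,version CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_affected(inventory: list[dict], advisories: list[Advisory]) -> list[Finding]:
    """Return every deployed copy whose version falls in a disclosed range."""
    findings = []
    for row in inventory:
        for adv in advisories:
            if row["component"] == adv.component and is_affected(row["version"], adv):
                findings.append(Finding(row["app"], row["component"], row["version"], adv.advisory_id))
    return findings


def apps_to_patch(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by application so each owning team gets one work item."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.app, []).append(f"{f.component} {f.version} ({f.advisory_id})")
    return grouped


if __name__ == "__main__":
    for app, items in apps_to_patch(find_affected(load_inventory(INVENTORY_CSV), ADVISORIES)).items():
        print(f"{app}: " + "; ".join(items))
```

Against the constructed inventory the check flags the two OpenSSL copies inside the range (1.0.1e and the bare 1.0.1) and correctly leaves alone the already-fixed 1.0.1g and the older 0.9.8y, which predates the affected branch. The same structure works for any ecosystem once you have a version parser that respects that ecosystem's ordering rules; feeding it a real inventory is the part that takes the work.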
Risky business No. 3: You’re leaving security in the hands of software vendors
65 percent of a typical enterprise application portfolio comes from third parties (source: Quocirca), yet 90 percent of third-party code does not comply with enterprise security standards such as the OWASP Top 10 (source: Veracode State of Software Security Report, Enterprise Testing of Software Supply Chain).
You’re living dangerously if you’re not thinking about the security of your third-party apps. Some of the most damaging recent breaches stemmed from vulnerabilities in third-party software. And it was the enterprises that suffered the monetary and brand damage, not the vendors. Even regulatory bodies such as the OCC and industry organizations such as FS-ISAC, OWASP and the PCI Security Standards Council are now placing increased focus on controls required to mitigate the risks introduced by third-party software.
In turn, enterprises should work to grow their application security programs to include policies that require third-party software to adhere to the same standards as internally developed software. Traditionally, vendor surveys and self-attestations were the extent of third-party security, but this is no longer sufficient. Engaging an outside application security specialist who can work with you and your third-party vendors to ensure application security is ideal. These specialist organizations understand the most pressing threats to applications and can help vendors and enterprises work together to make the process as seamless as possible.
Ultimately, with our increased reliance on applications as a business enabler, application security has gone from nice-to-have to critical. Find out more in our new guide,