We live in a software-driven world – it’s how organizations in every industry interact with customers, prospects and partners. But information security has not kept pace with this shift, and traditional defenses are proving inadequate in this environment. As users and applications become the risk focal point, there is no hard-and-fast perimeter that security professionals can put a wall around. Consequently, application layers remain insufficiently secured. In fact, web application attacks are now the most frequent pattern in confirmed breaches (2016 Verizon Data Breach Investigations Report), yet application security spending remains only a small fraction of overall security spending.
A variety of misconceptions have led to the lag in AppSec adoption, but the reality is: application security should be a part of your overall security program. The following are the top four reasons why:
Reason #1: You’re a software company, whether you know it or not. Applications are now tied to your business success. Every company uses applications to make business decisions, and to interact with business partners. Even GE now considers itself a software company. With this increased reliance on software, application quality now impacts your bottom line, and insecure software means an insecure business.
Reason #2: Most apps are hackable. Veracode’s State of Software Security Report (vol 6) revealed that about 70 percent of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types. Commercial software, financial services software, software written by government agencies … all are vulnerable.
Reason #3: Apps are the top attack vector. According to Akamai’s Q3 2015 State of the Internet Security Report, attacks at the application layer are growing by more than 25 percent annually.
Why are apps such a popular target? Because hackers know we’re sloppy about securing them. Ponemon Institute recently found that 79 percent of developers either have no process or an ineffective ad hoc process for building security into applications.
Enterprises have spent billions securing the network, perimeter and hardware at their organizations, but have yet to invest sufficiently in securing their applications. At the same time, these enterprises are building, buying and downloading applications at a breakneck pace and in record numbers. Using third-party software or open source components to speed development cycles is now the norm – but it also introduces a whole new layer of risk. Our analysis of more than 5,300 enterprise applications uploaded to our platform over a two-month period found that components introduce an average of 24 known vulnerabilities into each application.
In addition, our research found that 90 percent of third-party code does not comply with enterprise security standards such as the OWASP Top 10.
Reason #4: If you get breached, you will pay. The Verizon 2015 Data Breach Investigations Report found that data breaches cost business around the world $400 million. Don’t underestimate the cost of a breach – you’ll feel it in:
- Lost revenue: This might result from stolen corporate data, lowered sales volumes (if consumers get scared) or falling stock prices.
- Money spent on investigation and cleanup: A recent joint Veracode/Centre for Economics and Business Research (Cebr) report found that cyberattacks cost UK firms £34 billion in revenue losses and subsequent increased IT spending.
- Cost of downtime: A recent Information Age article estimated that every hour of downtime costs businesses $100,000.
- Brand damage: The long-term reputation damage associated with security breaches can be substantial and lead to intangible costs or loss of business.
Want more details on why application security should be a part of your overall security program? Check out this recent Veracode/SANS report: Why You Need an Application Security Program.