We live in a software-driven world – it’s how organizations in every industry interact with customers, prospects and partners. But information security has not kept pace with this shift, and traditional defenses are proving inadequate in this environment. As users and applications become the risk focal point, there is no hard and fast perimeter security professionals can put a wall around. Consequently, application layers remain insufficiently secured. In fact, web application attacks are now the most frequent pattern in confirmed breaches (2016 Verizon Data Breach Investigations Report), yet application security spending remains only a small fraction of overall security spending.
A variety of misconceptions have led to the lag in AppSec adoption, but the reality is: application security should be a part of your overall security program. The following are the top four reasons why:
Reason #1: You’re a software company, whether you know it or not. Applications are now tied to your business success. Every company uses applications to make business decisions, and to interact with business partners. Even GE now considers itself a software company. With this increased reliance on software, application quality now impacts your bottom line, and insecure software means an insecure business.
Reason #2: Most apps are hackable. Veracode’s State of Software Security Report (vol 6) revealed that about 70 percent of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types. Commercial software, financial services software, software written by government agencies … all are vulnerable.
Reason #3: Apps are the top attack vector. According to Akamai’s Q3 2015 State of the Internet Security Report, attacks at the application layer are growing by more than 25 percent annually.
Why are apps such a popular target? Because hackers know we’re sloppy about securing them. Ponemon Institute recently found that 79 percent of developers either have no process or an ineffective ad hoc process for building security into applications.
Enterprises have spent billions securing the network, perimeter and hardware at their organizations, but have yet to invest sufficiently in securing their applications. At the same time, these enterprises are building, buying and downloading applications at a breakneck pace and in record numbers. Using third-party software or open source components to speed development cycles is now the norm – but it also introduces a whole new layer of risk. Our analysis of more than 5,300 enterprise applications uploaded to our platform over a two-month period found that components introduce an average of 24 known vulnerabilities into each application.
In addition, our research found that 90 percent of third-party code does not comply with enterprise security standards such as the OWASP Top 10.
Reason #4: If you get breached, you will pay. The Verizon 2015 Data Breach Investigations Report found that data breaches cost business around the world $400 million. Don’t underestimate the cost of a breach – you’ll feel it in:
Want more details on why application security should be a part of your overall security program? Check out this recent Veracode/SANS report: Why You Need an Application Security Program.