In a previous blog post, we explored how software is “eating the world,” and how applications have gone from a nice-to-have to a critical part of running a business. As enterprises are forced to develop and buy more and more software – and at a lightning pace in order to keep up with the competition – what are the security implications? Cyberattackers are increasingly targeting the application layer to breach organizations and gain access to sensitive, confidential — and lucrative – data. At the same time, organizations can’t stop using software, or develop it more slowly. What does this mean for security?
Security Implications of the Increase in Number of Apps
The proliferating number of applications, combined with the decentralized way applications are now developed and purchased, mean it’s increasingly difficult to get a handle on your application landscape. For example, digital marketing has become one of the most important ways that companies interact with their target market and customers. Marketing departments are often spinning up new web pages and incorporating new technologies, and not communicating with IT security.
Bottom line: It’s hard to secure what you don’t know about. The nature of this new application landscape means visibility comes before security. When we work with customers on this problem, we typically find that they have 30 percent to 40 percent more websites than they originally report having. The solution? Look for application security solutions that can accurately inventory your entire web perimeter.
Security Implications of the Need for Speed
You don’t just need to develop apps to keep up with the competition in today’s digital world – you need to develop them fast. This emphasis on speed means that developing apps from scratch is nearly impossible, and developers are increasingly relying on third-party applications and components to meet deadlines. A recent IDG study found that among enterprise applications, 28 percent are typically developed externally, 34 percent are procured from software vendors and 38 percent are developed internally (source: IDG Study, “Majority of Internally Developed Apps not Assessed for Critical Security Vulnerabilities,” June 2014).
The problem is that it’s hard to keep track of these third-party additions and their security status. But you can keep up with the competition without sacrificing security. Consider application security solutions that:
- Inventory and report on the security of open-source components
- Help you assess applications sourced from independent software suppliers with a program for managing third-party software risk
Security Implications of Apps Connecting to Your Most Sensitive Data
As applications increasingly play a pivotal role in interacting with customers, prospects and partners and making business decisions, they are also increasingly standing in front of your most critical data. Gartner describes applications and application security with the analogy of a crown jewel in a treasure chest: the sensitive information is the crown jewel, and the applications are the treasure chest.
And when apps are the treasure chest:
- Cyberattackers take notice: The bad guys know that your network layer is most likely secure, that your app layer is not, and that your apps are the key to some highly valuable data.
- Regulators take notice: Numerous regulations now require controls regarding application security, including PCI, NIST, HIPAA and MAS.
- Customers take notice: Your customers will increasingly ask questions about your application security practices. Expect to not only be asked about security, but to provide proof of your efforts.
The security implication here? Neglecting application security is risky business – you risk losing customers, paying regulatory fines and suffering a damaging breach. There’s a lot riding on your app layer, and application security needs to be a part of your security mix.
A New Digital Landscape Requires a Security Pivot
Security “business as usual” won’t cut it in this new digital world. You need to pivot your strategy to focus where the risk is – and that is increasingly at the app layer. Get details on creating and managing an application security program -- from someone who's been there. Check out our guide, From Ad Hoc to Advanced Application Security: Your Path to a Mature AppSec Program.