Organisations not doing enough to strengthen application security
11 May 2018
In August last year, security firm Fortinet had described in its 2017 Global Threat Landscape Report that it had identified as many as 184 billion exploits, 62 million malware attacks, and 2.9 billion botnet communications.
In its report, the firm noted that a large number of organisations used peer-to-peer (P2P) applications and also allowed a lot of proxy applications, thereby endangering the security of their networks. It also observed that organisations using P2P applications reported seven times as many botnets and malware compared to those who didn’t; and organisations allowing proxy applications reported almost nine times as many botnets and malware compared to those who didn’t.
A year on, the security of applications used by enterprises either to store or process customer data or to carry out operations hasn’t changed much. A new report from Ponemon Institute has revealed that 64 percent of IT security professionals from the United States, European Union and Asia-Pacific are either concerned or very concerned that they will be hacked through an application and over half of them feel that the severity of threats will increase this year.
Poor visibility over enterprise applications
An enterprise application can only be secured if a firm knows that it either contains flaws or is exposed to external risks. According to the Ponemon survey, 51% of IT security professionals said that their applications could have been breached but there is no way to confirm the same as they do not have visibility for their “apps in the wild”. Only one in four of those surveyed admitted that their organisations had indeed suffered a breach due to a compromised application.
If an unsecured enterprise application is hacked into or taken over by a cyber criminal, the resulting effects could be far-reaching. A majority of security professionals interviewd by Ponemon said that compromised applications either resulted in decreased productivity, loss of revenue, or loss of customers.
At the same time, a compromised application could also result in loss of reputation, loss of competitive advantage, regulatory fines or lawsuits, failure of an audit, or security professionals losing their jobs for not being able to prevent a breach.
“Nowadays, applications are everywhere and usually the applications handle the most critical business data, including financial information, PII and health records. Regulations, such as impending GDPR, endeavour to fix the problem, but many reports say that the overwhelming majority of companies are still not prepared yet and will unlikely be compliant in 2018,” says Ilia Kolochenko, CEO of web security company High-Tech Bridge.
The conflict between IT & non-IT staff
It is a well-known fact that non-IT staff at organisations are not as much aware of cyber risks and potential threats as dedicated cyber security staff. As such, it is natural that disputes may arise at certain stages on the importance of security vis-a-vis performance, both of which are essential for organisations.
While 48% of non-IT management teams place a premium on performance over security, 35% of them believe performance and security should go hand-in-hand and only 16% of them believe security is more important than performance.
On the other hand, 24% of IT management teams prefer security over performance, 56% want security and performance to go hand-in-hand, and 20% want security to gain preference over performance.
Organisations’ approach to application security
Even though organisations’ approach towards application security has been found wanting, a number of them are taking steps to ensure their IT staff have a level of visibility over such applications and to ensure that they are free of vulnerabilities.
For instance, 61% of security professionals told Ponemon that their organisations were educating developers on safe coding, 59% said they were carrying out penetration testing, 53% said they were carrying out data masking and redaction of live data, 50% were implementing data and key encryption, 47% said they had installed web application firewalls, and 46% said they were carrying out dynamic application security testing.
At the same time, 49% of respondents also told the surveyors that they would update their application protection hourly or daily if they had visibility into specific types of attacks against their apps. As many as 77% of them said that they would make such changes weekly.
“One of the biggest application security problems is lack of a coherent and risk-based application security strategy. Many large companies don’t even have an up2date list of their external applications and micro services, let alone the foggiest realm of internal legacy and shadow apps,” Kolochenko added.
“They desultory spend on different solutions and services from various vendors, alternately blaming vulnerability scanners, pentesters and bug bounties. The first step of any application security strategy should start with a comprehensive and actionable inventory of corporate applications. Otherwise, no application security technology will ever help – you cannot protect what you don’t know.”