Editor’s Note: This post is the second in a multi-part series on Application Security, or “AppSec” prepared by our friends over at application testing firm Veracode. The series will define the components of a sound AppSec program, delineate the growing threats to software, weigh the costs of a data breach, and outline the CISO’s responsibility in managing software security risk. Taken together, they are a primer on AppSec best practices that will help organizations build the business case for further investment in this critical IT security discipline.
In our first post in this series, we defined what Application Security (or “AppSec”) is in practice, and the kinds of software vulnerabilities it prevents. Now let’s examine why it’s an important and necessary component of any comprehensive IT security effort.
At this point, IT security professionals are well aware of the kinds of external threats targeting their organizations. Data breaches from cyber attackers are the single biggest threat to enterprise security today. The quantity and frequency of hacks, attacks and malware are only growing, and they are well documented. To mitigate this threat, organizations must secure all three fundamental access points to their digital data: the network, the hardware, and the _software_ that supports their business operations.
Existing security measures create a false sense of security. Most enterprises have widely adopted IT security tools such as firewalls and intrusion detection to protect their networks, as well as antivirus, access control and physical security measures to secure their hardware. However, what many businesses still lack is adequate investment in the protection of their critical software. Simply put, software applications are the most vulnerable entry point for attacks targeting your organization’s sensitive, protected or confidential data. If your network and hardware infrastructure can be called the “back door” for hacktivists, spies and fraudsters out to steal from you, then your business software is the front door. Very few people leave their front doors unlocked these days.
Professional hackers and cyber criminals know to exploit the weakest link in an organization’s IT infrastructure, vulnerabilities in applications, to get to valuable data. Consider these sobering statistics:
Alarmed by the potential for widespread social and commercial damage, government and industry regulatory bodies have been strengthening mandates in the area of Application Security. Many organizations are now required to address the risk posed by their applications, perform scheduled risk assessments and compliance audits, and then demonstrate compliance. Some of the many regulations which specifically require data privacy and security include:
Software is everywhere. It is increasingly accessible to attack, and the opportunities to exploit its weaknesses are plentiful and painless for those intent on doing so. Applications are the new entry point to steal your critical business data. What’s more, the resulting attacks have proven profitable for cyber criminals. Network- and hardware-based security have both proven ineffective against many of today’s threats. It’s time for increased investment in Application Security to protect the software that runs your business.
In our next post in this AppSec 101 series, we’ll explore what constitutes an AppSec “Center of Excellence”, but also show how easy it is for organizations of any size to get started.