Here’s a statistic that gives the term “attack surface” some real-world parameters: there are about 4.5 million applications living within enterprises that are insecure and haven’t been vetted for flaws and vulnerabilities.
That’s the word from a new survey conducted by IDG, which reveals that there is a growing gap in application security programs at enterprises in the US and UK.
Specifically, the data shows that in 2015, enterprises will leave up to 70% of internally developed applications unaudited for common threats such as SQL injection. This means a ballooning set of attack vectors into Global 2000 firms, totaling the aforementioned estimated 4.5 million web and mobile applications, based on the average number of applications produced by enterprises.
Recent large-scale breaches at retail organizations like Home Depot have demonstrated that cyber-criminals are using a variety of techniques to penetrate enterprises. But because enterprises have effectively locked down their networks, this leaves web and mobile applications as the path of least resistance.
“In order to close this gap, enterprises need a new and more scalable approach to application security that allows organizations to mature their programs with consistent enterprise-wide policies and metrics,” said Pejman Pourmousa, director of security program management at study sponsor Veracode, in a statement. “Using an automated cloud-based service makes it possible for enterprises to keep pace with the speed of innovation without sacrificing security.”
As enterprises continue to produce more applications in order to drive their businesses, their inability to scale current application security programs means only business-critical applications are audited for security. This leaves a significant number of web and mobile applications vulnerable, creating long-term security threats as cyber-criminals attack this weak link to gain access into the IT infrastructure. And, it doesn’t matter whether the application is business-critical or a little-used web site—a chink in the armor is a chink in the armor.
Indeed, a quarter of all cyber-attacks in the UK last year were aimed at the web application layer, with technology companies most at risk.