Now more than ever, a business's application ecosystem must be protected, especially when the average total cost of a data breach stands at $3.62m. Mitigating today's frequent and sophisticated threats requires a holistic approach to security, one in which IT teams manage not only application vulnerabilities but all software exposure.
Application security is a niche term, and in my opinion it should be replaced with the broader term software security. Software is the backbone of organizations' digital transformation, and as the business evolves, software security processes need to evolve with it.
Mobile, the cloud, the Internet of Things, microservices, and artificial intelligence have all made software more complex. Yet speed is prioritized over security time and time again, with security bolted on rather than built into the DevOps process. Historically, traditional security approaches have slowed development by acting as gates that developers must "check off" before they can resume coding. This gives security practices a bad reputation within an organization and, more importantly, creates the false impression that developers are the source of the problem.
In turn, this creates a divided workforce that ultimately leaves an enterprise exposed. Careless oversights and avoidable mistakes are made at every stage of the software development life cycle (SDLC). Addressing complex software development and the vulnerabilities that come with it requires a shift away from a siloed security approach to one that treats software as a whole and integrates security from the very start of the SDLC.
Today, the complexity of software perpetuates the security problems we're facing. Countless organizations have learned the hard way that a vulnerability in one application often signals broader software exposure because, at the end of the day, an attack implicates both. Just this month, Equifax became the first company to have its credit outlook downgraded because of a cyber-attack. Although nearly two years have passed since the Equifax mega breach, it remains a stark reminder that we need to understand what is in our software stacks. In Equifax's case, attackers exploited a vulnerability in the widely used open source web framework Apache Struts, for which a fix had already been published, and compromised the personal information of almost 150 million people.
There's much work to be done to improve the state of software security. These four priorities are a good place to start:
- Organizations need to move beyond the barriers and limitations of traditional gated security approaches toward full visibility into, and control over, their software exposure at every stage of the development life cycle
- Proper, consistent security training should be funded and provided across the entire organization, not just to the security team
- Findings need to be turned into actionable remediation guidance that addresses vulnerabilities wherever they arise in the SDLC
- Everyone who touches software, and therefore shares responsibility for its security, needs to think ahead rather than repeat the habits of the past
The reality is that cyber-attacks will only grow in frequency and sophistication while software itself grows more complex. Organizations can no longer afford to be unprepared for, and caught off guard by, compromised data and the other damage a cyber-incident brings. Application security must be re-envisioned as software security, or organizations risk falling behind.