The majority of strategic business processes are supported by software applications, so why does application security continue to receive less budget and attention than network security?
High-profile data breaches have ensured that everyone is now aware of the repercussions of a cyber-attack. Businesses realize that hackers are attacking applications, and according to the SANS Institute’s “2015 State of Application Security” survey, the majority of security leaders feel the effectiveness of their application security programmes needs to improve in order to lower the risk of a successful attack.
But how can this be done without falling at the first hurdle? To help you, below are the six most common application security challenges an organization can face:
1 – Inconsistent demand
Testing demands are not always consistent as most companies no longer follow fixed-release schedules. If you operate in an agile development environment, you could be facing almost continual feature releases as your organization works to stay competitive and meet customer requirements.
2 – Inherited vulnerabilities
When developers reuse old code, they may inherit its ‘technical debt’, which can include security bugs and flaws you don’t know about. Hackers look for the easiest way into an organization, so they will continue to attack vulnerabilities in code. Unfortunately, if you have limited resources, you may not have the time or tools to identify all the potential paths a hacker may take.
3 – Need for a quick response
With businesses and technology evolving, is your security team prepared to respond quickly when new threats come to light that must be investigated and addressed, or when you enter new markets with different regulatory and compliance requirements? If demand spikes without the necessary application security resources available, you may find yourself scrambling to test and clean code or, worse, deploying patches to software that has already been released.
4 – There is no master tool…
Over the past few years, automated testing tools have become much more sophisticated. However, each security testing tool has different strengths, and if you implement only one or two, it is easy to miss critical issues that could increase your risk of attack. Similarly, if you don’t have the capacity to replicate and confirm findings, you may spend hours chasing false positives.
5 – And tools alone are not enough
Standard automated scanning is not a sufficient method for protecting applications that manage business-critical functions or access sensitive data. Application security changes constantly, with new threats, emerging attacks and evolving compliance regulations. You need someone with the expertise for in-depth manual testing and result interpretation to keep your testing and prevention strategies current.
6 – Available security experts are few and far between
There are few internal security experts looking for new roles, with 1 million unfilled IT security jobs worldwide according to Cisco’s 2014 Annual Security Report. Even if you’re successful in filling the role, the areas of expertise this new employee needs will span multiple domains as software security programmes evolve – authentication, data protection, encryption, testing, design flaws, bugs and client-side applications, to name a few.
That’s a lot to ask of any single expert, and organizations will also need to invest in further training to ensure their new expert is up to speed. If that person is then lured away to another company, it could leave a significant gap in your team.
Overcoming the challenges
When security becomes a problem, it can lead to a crisis. Getting ahead of the bad guys with a proactive security approach allows you to reclaim your staff and reinvest your time. If you wait until it’s too late, all attention will be focused on remediation efforts and damage control.
Static and dynamic testing can help assess specific risks; developers should check for insecure code directly in their workflows and there are many security training courses geared towards helping developers improve their secure coding knowledge. With the right tools and resources, it is possible to design secure architectures and create secure code that doesn’t impact the user experience or slow down development.