IBM and the Ponemon Institute this week released a new study showing that cyber security is finally receiving attention from the C-Suite, but application security remains a weak point in many organizations in terms of budgets, priority and strategy.
The new study, How to Make Application Security a Strategically Managed Discipline, available here, reports that 35 percent of organizations do not perform any major application security testing for application vulnerabilities. Moreover, almost half (48 percent) of respondents said their organization does not take any steps to remediate the risks associated with vulnerable applications.
“How can organizations protect their applications when they don’t even engage in basic security measures such as dynamic application security testing (DAST), static application security testing (SAST) and interactive application security testing (IAST),” said Neil Jones, market segment manager for application security at IBM, in a blog post about the report.
More than two-thirds of respondents (67 percent) said their IT function does not have visibility into the overall state of application security and most (65 percent) say their application security practices are fragmented and carried out at a low level. Additionally, only 25 percent said their organizations’ ability to protect applications from a security exploit or compromise is highly effective. Prevention of attacks on applications also is a low priority, according to the survey results. Only 23 percent of respondents said prevention is among their top three application security risk management objectives. Further, only 21 percent said that attack prevention helps to preserve brand image and organizational reputation, even though an organization’s good name is often put at risk when its applications are vulnerable to attacks.
One factor leading to a lack of app security from the outset is that developers are pressured by a “rush to release,” Diana Kelley, executive security advisor at IBM Security, told week. Fifty-six percent of survey respondents said their organizations are influenced by pressure to release new apps quickly.
“What was unexpected is that we are still seeing such high numbers,” Kelley said. “Forty-eight percent of organizations not taking steps to remediate the risks and 56 percent saying they are still being affected by the pressure to get applications out in a hurry was a bit unexpected. Timing is all the more important in the post-DevOps, mobile app world. So time is a pressure to be expected, but that is not something that we say we live with all the time without having security built in to that time pressure lifecycle. So that is a bit of a surprise.”
Nevertheless, the pressure is on to deliver. Think about how much code gets pushed and the sheer number of apps and services that exist in organizations today, Kelley noted; the issue has been compounded by the fact that there is now a requirement to have mobile apps for everything and to support a variety of different platforms. There's just the increase in the sheer volume of applications that are being deployed right now, she said.
IBM, Ponemon Say App Security Still Lags in the Enterprise
Compounding the issue of the sheer volume of applications being deployed is that 69 percent of respondents said their organization doesn’t even know all of the applications that are currently active within their company—perhaps the most alarming statistic to emerge from the study.
Kelley, a 25-plus year IT industry veteran, said she started out as a network and firewall security expert, and also was a system administrator.
“About 10 years into my career I realized that no matter what I did at the network level, the bad guys were getting through because of what was happening at layer 7 and all the crazy applications I was putting on my network,” she said. Layer 7, the Application Layer of the Open Systems Interconnection (OSI) communication model, provides common services used by applications to establish communication with each other, as well as specific services.
Today, there are all kinds of apps being introduced to enterprise networks that IT departments have to confront, including applications and services introduced by shadow IT elements, Kelley said.
“When I was an admin I had a pretty small network and we had static IPs assigned to everybody,” she said. “And even then I would see activity on my firewall log or on my network monitor that would indicate that people were going to applications and services outside the network that I didn’t expect them to, and also that things were running on my network that I didn’t have control over. But it was a much smaller problem. What we’re dealing with now is exponentially larger, especially when you start adding in different kinds of platforms–not just a desktop, but we’ve got mobile devices, Internet of Things and the cloud.”
The study also indicated that visibility and allocation of resources to deal with the most likely data breaches are considered critical control activities. Thus, one of the first steps that need to be taken is to get an assessment of what apps are on an organization’s network.
“One thing we wanted to get across is that people should really get an inventory,” Kelley said. “You need to get a handle on what applications you have, what applications you’re building, and if there’s an option to do some optimizations or keep it simple, make sure you need all those applications. Do you have multiple apps running that perform similar roles? You need to get better awareness of what you’ve got and what you’re using. Number one: get a handle on what you have.”
According to Jones, after getting a full picture of what their application environment looks like, organizations should unify their security practices, staff up and tool themselves to deal with security issues, and then get a handle on the security vulnerabilities that exist in their organization.