Digital transformation, the urgencies of the pandemic and the broader emergence of software-defined enterprises mean that organizations now rely on applications more than ever to keep their businesses running. However, these mission-critical applications are often not sufficiently protected and are frequently accessed by remote users on untrusted networks – exposing them to a range of risks and threats.
Recently, Fortinet and CyberSecurity Insiders conducted an international survey of cybersecurity professionals to help understand the challenges those professionals face as their organizations increase both the number of applications deployed and the pace at which these applications change.
The survey found that 48% of respondents were using more than 100 unique applications in their environment; 26% reported using more than 500 unique applications. This proliferation of applications added greater complexity and exacerbated existing application security challenges.
Data Point No. 1: Cybersecurity and cloud security skills gaps remain a worrisome reality.
Many survey participants believe that they don’t have the skilled staff to keep pace with the ever-evolving threat landscape. In fact, 46% of survey respondents said lack of skilled personnel tops the list of barriers that organizations are facing when securing their web applications.
Data Point No. 2: Breaches happen often, and customers don’t catch all of them.
Forty-three percent of organizations admitted to experiencing application breaches or compromises.
However, 35% of respondents acknowledged that they did not know when the last breach occurred. As Fortinet’s FortiGuard Labs’ 2021 mid-year Global Threat Landscape Report indicates, the volume of ransomware attacks in the past year has increased ten-fold. Notably, prominent web application technologies such as Drupal, vBulletin and PHP consistently show up in the top 10 list of technologies being targeted by threat actors.
Data Point No. 3: The rate of CI/CD makes security harder.
On average, organizations publish 25 software updates into production every month. That means consistent and frequent threat and vulnerability testing is critical. Yet only 21% of respondents confirmed that they test every time the code changes.
Data Point No. 4: Organizations don’t feel confident about their security.
A little less than half of surveyed organizations said they’re very or extremely confident about their application security. With an average of 25 application updates every month, multiplied across hundreds of applications, the operating environment is shifting far faster than the ability of security teams to keep pace.
Data Point No. 5: Organizations shouldn’t bolt on security.
Security should be a concern across the software development life cycle and for every part of the organization. This means applying application vulnerability management throughout the development cycle to proactively detect and mitigate issues before release.
Use automated testing tools as much as possible so that software is being analyzed for vulnerabilities as it is being developed. Security should be an integral part of the entire application life cycle – from development to end-of-life.
This requires both an organizational and a cultural shift towards embracing security across development, IT and security teams.
Data Point No. 6: The need to patch and implement rigorous vulnerability management is real.
Vulnerability management and basic cybersecurity hygiene are foundational, and yet they are among the hardest things to get done consistently and at scale. They require a continuous commitment to scanning, patching and testing to ensure effectiveness – better that you find a vulnerability than an attacker does.
Lack of visibility, unintended consequences of patching and custom software all make it challenging for even the largest organizations, but the time and effort invested are well worth it.
Data Point No. 7: Web applications are the target, so protect them with a WAF.
Almost 80% of all attacks now target web applications, according to the 2021 Verizon Data Breach Investigations Report. So, protect them with Web Application Firewalls (WAFs), which are designed to detect and block malicious traffic before it reaches your web applications.
Acting as a proxy for the application server, a WAF can also block the illegitimate exfiltration of data. As with all security tools, invest the time to properly configure and maintain your WAFs.
Data Point No. 8: Implement Zero Trust and MFA to restrict access.
Almost every data breach involves the compromise or abuse of privileges to gain access to key applications. Therefore, strive to limit access to key applications to only those users who absolutely need them to perform their jobs. Zero Trust, Multi-Factor Authentication and Privileged Access Management strategies are proven ways to protect critical network resources and help ensure that only legitimate access is granted.
Secure those apps
Application security is an essential element of every organization’s security strategy. It should be approached with a holistic perspective that links application security from development through production to end-of-life, combining teams and tools to mitigate threats while ensuring performance.
Security fabrics provide a broad set of integrated technologies and automation to provide better visibility and control across the LAN, WAN, data center and cloud edges to secure those critical applications.
About the Author:
Jonathan Nguyen-Duy is VP, Global Field CISO at Fortinet