Editor’s Note: This post is the second in a multi-part series on Application Security, or “AppSec” prepared by our friends over at application testing firm Veracode. The series will define the components of a sound AppSec program, delineate the growing threats to software, weigh the costs of a data breach, and outline the CISO’s responsibility in managing software security risk. Taken together, they are a primer on AppSec best practices that will help organizations build the business case for further investment in this critical IT security discipline.
In our first post in this series, we defined what Application Security (or “AppSec”) is in practice, and the kinds of software vulnerabilities it prevents. Now let’s examine why it’s an important and necessary component of any comprehensive IT security effort.
At this point, IT security professionals are well aware of the kinds of external threats targeting their organizations. Data breaches by cyber attackers are the single biggest threat to enterprise security today, and the quantity and frequency of hacks, attacks and malware are growing and well documented. To mitigate this threat, organizations must secure all three fundamental access points to their digital data: the network, the hardware and the software that support their business operations.
Existing security measures create a false sense of security. Most enterprises have widely adopted IT security tools such as firewalls and intrusion detection to protect their networks, as well as antivirus, access control and physical security measures to secure their hardware. However, what many businesses still lack is adequate investment in the protection of their critical software. Simply put, software applications are the most vulnerable entry point for attacks targeting your organization’s sensitive, protected or confidential data. If your network and hardware infrastructure can be called the “back door” for hacktivists, spies and fraudsters out to steal from you, then your business software is the front door. Very few people leave their front doors unlocked these days.
Professional hackers and cyber criminals know to exploit the weakest link in an organization’s IT infrastructure, vulnerabilities in applications, to get to valuable data. Consider these sobering statistics:
- 90% of companies have been breached at least once by hackers over the past 12 months (source: Juniper Networks)
- 855 data breaches in 2011 lost 174 million records, the second highest volume of data stolen since 2004 (source: Verizon)
- 54% of attacks on large organizations exploit web application vulnerabilities, while hacking was responsible for 81% of compromised records (source: Verizon)
- For all organizations that reported the source of breach incidents in 2011, 40% were traced to application security issues (source: Data Loss Database)
- The National Vulnerability Database – the U.S. government’s repository of standards-based vulnerability management data – publishes at a rate of 13 new vulnerabilities each and every day (source: NIST)
- The costs of a single data breach are daunting: $194 per compromised record, or an average $5.5M per incident (source: Symantec)
- For public companies, data breaches can hammer their valuation. Global Payments stock immediately dropped 9-13% before trading was halted, after its widely reported incident in March 2012
- Companies spend just 0.3% of what they pay for software on ensuring that it is secure (source: Datamonitor)
Alarmed by the potential for widespread social and commercial damage, government and industry regulatory bodies have been strengthening mandates in the area of Application Security. Many organizations are now required to address the risk posed by their applications, perform scheduled risk assessments and compliance audits, and then demonstrate compliance. Some of the many regulations and standards that specifically require data privacy and security include:
- PCI DSS, the Payment Card Industry Data Security Standard maintained by the PCI Security Standards Council, applies to any business that stores, processes or transmits payment card data, and includes explicit requirements for developing and maintaining secure applications
- FISMA is the law that requires federal government agencies to provide information security for their operations and assets
- FFIEC is the interagency body of the United States government that sets uniform examination standards for financial institutions and issues guidance on securing online banking and financial services
- HIPAA is the law that governs the security and privacy of health data such as patient records in the healthcare industry
- GLBA is the law that governs the collection, protection and disclosure of customers’ personal financial information
- Private contractual mandates: many organizations are contractually obligating their partners to assure security as well.
Software is everywhere. It is increasingly accessible to attack, and the opportunities to exploit its weaknesses are plentiful and painless for those intent on doing so. Applications are the new entry point to steal your critical business data. What’s more, the resulting attacks have proven profitable for cyber criminals. Network- and hardware-based security have both proven ineffective against many of today’s threats. It’s time for increased investment in Application Security to protect the software that runs your business.
In our next post in this AppSec 101 series, we’ll explore what constitutes an AppSec “Center of Excellence”, but also show how easy it is for organizations of any size to get started.
If you want to learn more, check out Veracode’s report on the State Of Software Security Vol. 4 and its webcast with Cyber Security Expert Richard Clarke.
A CISO’s Guide To Application Security – Part 1: Defining AppSec