In a 2011 Wall Street Journal article, Marc Andreessen, cofounder and general partner of Silicon Valley venture-capital firm Andreessen Horowitz, said, “software is eating the world,” referring to its transformative effects on how companies do business.
This prediction is becoming increasingly true as growing companies turn to digital transformation as a key tenet of their competitive strategies. Across industries and businesses, software applications are having a dramatic influence on business practices, which is leading to sector convergence that disrupts industries and customer expectations. While this rapid increase of digital capabilities creates exciting new opportunities, it also creates new risks.
The meaning of digital transformation has significantly changed over the past decade. In 2007, a relatively small percentage of CEOs were champions for digital transformation. An organization’s IT department was often in charge of digital technology, while other departments focused on ecommerce, search-engine optimization, and social media data.
Today, digital technologies, particularly software applications, operate as the core of many business operations. They drive the strategies of entire organizations as well as many functional areas, including marketing, sales, operations, and human resources. As a result, the number of CEOs championing digital has skyrocketed. According to a 2018 Gartner study, 87% of senior business leaders say digitalization is a priority and, in many cases, a do-or-die imperative.
Application security spending is one of the largest portions of an organization’s security budget and is expected to increase in the next several years, according to Gartner's 2017 Information Security Spending study. Here are a few technology developments that are shaping how many companies operate.
Rapid Pace of Change
As technology becomes outdated, many organizations struggle to buy or create new software that allows them to keep up with changing trends and technology advancements. This can lead to significant security risks, such as breaches or fraud attempts, and attackers are increasingly targeting an organization's application layer, where valuable, confidential data is housed.
Despite these risks, software applications are an integral part of commerce today. This means the need to quickly buy, develop, and implement software applications won't ebb, and digital transformation will remain an essential part of staying competitive.
Historically, many cybersecurity professionals focused on securing the perimeter of their organization to prevent breaches. Perimeter security relies on controls such as firewalls, intrusion detection systems (IDS), and security information and event management (SIEM) products to filter and monitor network traffic. These barriers protect a company’s internal network from cyberattacks by selectively stopping network traffic from entering the organization’s internal environment and sensitive company data from leaving.
But digital transformation introduced a dramatic increase in the number of connections between an organization’s internal environment and its customers, partners, and suppliers. This results in increased risk and a blurring of the perimeter.
Although not synonymous with digital transformation, cloud technology is key to many organizations’ transformation efforts. And while heavily distributed applications effectively and efficiently use cloud technology, these applications also further strain a company’s perimeter and create many potential exposures.
While perimeter security tactics have received most of the attention historically, attacks on internet-accessible applications have now surpassed traditional network hacking as the primary cause of breaches, according to Verizon's 2018 Data Breach Investigations Report.
Your company’s applications are increasingly the front line of your organization's cybersecurity defense. Application security, or AppSec, is the practice of strengthening a company’s application layer to protect access to its underlying data. Effective application security locates potential vulnerabilities within your company’s software applications and helps you mitigate or eliminate them.
A software security weakness, or vulnerability, is a bug or defect in the software application that results in insecure access to, or processing of, critical data. Some vulnerabilities include SQL injection, broken authentication, and cross-site scripting (XSS). Hackers exploit these software vulnerabilities to gain access to organizational systems and data.
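To make the definition concrete for the first class named above, here is an added example (not code from the original article) showing a SQL injection defect next to its fix: a lookup that splices user input into the query text returns every account when given crafted input, while the same lookup with a bound parameter treats that input as plain data. The table, account names and values are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for an application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 1200), ("bob", 340)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the input is pasted into the SQL text, so quote characters in the
    # input can alter the query's logic instead of being compared as a value.
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Fix: a bound parameter is sent to the database as data and can never
    # change the structure of the statement, whatever characters it contains.
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?",
        (username,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that closes the quote and adds a true condition
    print("vulnerable:", lookup_vulnerable(db, crafted))  # returns every row
    print("safe:      ", lookup_safe(db, crafted))        # returns no rows
```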
Risks and Challenges
Although people within many modern organizations understand the importance of improving cybersecurity, digital transformation has led to many companies falling behind when it comes to improving application security. This oversight can result in application vulnerabilities that expose companies to significant risk. Here are a few reasons companies are spending less time and energy on application security.
- Unawareness of security exposures
- Use of off-the-shelf software
- Proliferation of software applications
- Changes in software development pace and methodology
Unawareness of Security Exposures
Many executives associate cybersecurity with protecting the network perimeter through routers, firewalls, or network IDS. As a result, these perimeter controls are often the only focus of many organizations’ cybersecurity programs. This approach leaves many companies exposed to threats through their internet-accessible applications and websites.
In a recent study, the Ponemon Institute surveyed technical and nontechnical executives, asking about the sufficiency of their organization’s cybersecurity efforts. Most nontechnical leaders believed their organization was secure due to its perimeter and application security programs. They also believed their technical teams were developing applications in a way that provided adequate security. Technical leaders, on the other hand, viewed their organizations as much less secure and reported that relatively little was being done regarding application security.
This disconnect can lead to significant issues in a company’s cybersecurity program. According to a McKinsey–World Economic Forum study of cybersecurity risk management practices, “Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks—more important than company size, sector and resources provided.”
Use of Off-the-Shelf Software
Many applications driving today's digital transformation are commercial off-the-shelf (COTS) software, which is externally developed software that’s available for an organization to purchase. COTS includes any ready-made software that’s available to the general public and provides a quick, cost-effective method for achieving organizational objectives.
While COTS may be convenient, managing COTS software security can be challenging. COTS applications often have security vulnerabilities that are difficult, or impossible, for an organization to identify because it has limited access to the software's source code. This makes it hard for the organization to perform a security review of the applications it implements, which can lead to significant security issues down the line.
Proliferation of Software Applications
By definition, digital transformation touches nearly every part of an organization, streamlining processes and integrating approaches. However, applications can become ineffective, create errors, or introduce vulnerabilities when they’re applied to a decentralized environment.
While digital transformation often relies on an enterprise resource planning (ERP) system, a company’s core system is typically integrated with numerous purpose-specific applications. This decentralized environment makes it difficult to determine a company’s application landscape and answer basic structural questions, such as:
- Which applications do we have?
- What do they do?
- What data do they touch?
- Which applications are they connected to?
- What are their vulnerabilities?
- Who’s maintaining each application?
Being unaware of your system’s intricacies makes it far harder to detect issues and protect your IT environment.
Changes in Software Development Pace and Methodology
Digital transformation requires rapid development and implementation of many software applications, making it extremely difficult for companies to build their own software from the ground up.
Due to development time, cost, and availability, organizations that develop their own software frequently use Agile and DevOps approaches instead of the traditional waterfall approach. While the waterfall approach gives security teams time to test, evaluate, and secure applications, Agile and DevOps use continuous development and release cycles that make it much more challenging to evaluate source-code security unless it’s integrated into the development process. To add to the challenge, development organizations are taking an increasingly modular approach to software development, leveraging third-party applications and components to meet release targets.
In response to these issues, developers often use third-party libraries and open-source components to accelerate the development process. However, the code in these libraries can contain vulnerabilities due to lack of maintenance. Critical vulnerabilities in third-party libraries are often disclosed over time, but they can only be addressed by timely updates to all applications using the code. Even then, there’s no guarantee that all vulnerabilities can be identified and fixed.
Improve Application Security
There are four main steps a company can take to address exposures and improve application security. Here’s a look at each step and its benefit to a growing company.
Perform a Security Assessment
The first step to improving application security is increasing awareness of potential exposures. This requires the awareness of not only the security or software development teams, but also that of the rest of the organization—especially senior management.
A holistic security assessment can help an organization become aware of which applications need increased protection and how to prioritize the use of limited resources. It can also help an organization do the following:
- Better understand how sensitive data is handled
- Gain awareness of potential security exposures to that data
- Determine if exposures stem from security issues on the perimeter or within the application
- Understand the likelihood and impact of exposure
- Prioritize responses in coordination with senior management
Review Your COTS
COTS can be a great solution to drive your organization's digital transformation forward, but the security risks need to be proactively managed. As part of the security assessment, an organization can benefit from reviewing its COTS. A third-party application isn’t inherently secure, but many COTS security issues can be discovered through a detailed source-code review of the application, although this process requires time and resources.
Many organizations, however, have a difficult time gaining vendor permission to access the source code when trying to address COTS security issues. An effective alternative is to request documentation of the vendor’s secure development practices and vulnerability disclosure policies. This can help you determine whether application security is integrated into the COTS provider’s development process, or whether it was an afterthought.
Understand Vendor Vulnerabilities
It's also important to understand the vendor's vulnerability reporting and management processes. Asking them the following questions can help with this process:
- When you find vulnerabilities, how do you report them to customers?
- How do you communicate workarounds and the need for patches?
If a vendor doesn't notify you of vulnerabilities in a timely manner, your business won’t be able to assess the issue’s potential impact or prioritize a response. This increases your company’s risk.
Train Your Development Team
Organizations that develop their own applications, whether to use internally or drive revenue, must make sure development teams are using secure development practices. This not only supplies application users with a stronger product, but also provides a greater return on investment for your company.
To do this, your organization can supply development teams with regular computer-based or instructor-led training on best practices for creating secure software applications. Most developers don’t receive security training unless it’s provided by their organization, and providing regular training helps ensure your development team is practicing a unified approach that prevents critical vulnerabilities from falling through the cracks.
Perform Application Vulnerability Testing
Prior to procuring or using new software, your organization can locate any current or potential application vulnerabilities and respond proactively by performing application penetration testing and code review.
During this process, trained IT security professionals, or white-hat testers, emulate a cyberattack. They analyze an application’s attack surface, locate exploitable vulnerabilities, and attempt to hack into your system. They then perform secure source-code assessments to discover additional vulnerabilities and determine if proper security controls are present. This method is considered the gold standard of application security. When security is of paramount importance to a company’s future, penetration testing and source-code assessments are the best options for a complete inventory of application security issues.
We’re Here to Help
The rapid increase of reliance on digital capabilities creates exciting new business opportunities, but it comes with new risks that must be managed. Understanding the cybersecurity implications of your company’s technology and developing adequate application security capabilities is critical to surviving and thriving in a technology-driven business environment.
To learn more about how your company can benefit from higher levels of application security practices and awareness, contact your Moss Adams professional.