Five Things CEOs Need to Know About Application Security

Companies continue to turn to internet applications to meet their business needs and store and process customer and employee data. Unfortunately, internet applications are also now the primary target for hackers. Breaches damage customer confidence and can be costly, making it crucial that these internet applications are secure. Application security spending is one of the largest portions of an organization’s security budget and is expected to increase in the next several years, according to Gartner's 2017 Information Security Spending study.

Here are the top five things CEOs need to know as they assess their organizational application security.

Vulnerabilities Are Widespread 

Software vulnerabilities have been widespread since the early days of the internet. Passwords are often stored in code as plain text, and servers frequently leak sensitive operation system information through error messages. As technology continues to get more sophisticated, hacking techniques are also getting more complex.

The most prominent vulnerability in 2017 was injection, where hackers are able to input hostile code into applications through a website. When interpreted by the website, injection may have catastrophic effects due to a lack of input-validation safeguards employed by the site. Another technique is called broken authentication, which allows hackers to bypass the mechanisms applications use to identify people digitally, giving the hacker full access to user accounts. Most vulnerabilities involve the areas of a site where users enter or receive data, such as login screens, portals taking users to additional functionality, pages with input forms, and display screens.

Training Is Key

Of the over 18 million software developers in the world, it’s estimated that fewer than 1% of them, or 180,000, are trained in secure coding principles.

There are numerous known software vulnerabilities, and it requires years of training and experience for a developer to easily identify these threats within lines of code. Most security programs use a top-ten-vulnerability list compiled every three years by the Open Web Application Security Project (OWASP) to know which security vulnerabilities they should be watching out for. This list is considered the standard by which software security is measured, but as there are far more than ten known vulnerabilities targeted by hackers, it’s not comprehensive.

Train Your Development Team

Software vulnerabilities begin and end with software developers. Typically, it’s more cost effective and impactful to train developers to avoid introducing vulnerabilities up-front than it is to have a team find and fix these security issues after the application has been put into production. With the rapidly changing pace of technology and cybersecurity threats, colleges are frequently behind on teaching developers to fix common security concerns. Encouraging a base level of security knowledge is helpful. The rapidly changing landscape also means training will need to continue periodically for all developers regardless of skill or experience level.

Organizations that develop their own applications, whether to use internally or drive revenue, must make sure development teams are using secure development practices. This not only supplies application users with a stronger product, but also provides a greater return on investment for your company.

Automated Scanning Tools Miss the Mark                       

Static analysis scanners that compile and analyze code are often used because they seem like an efficient solution, but often that’s not the case.

While these scanners interact well with many languages and frameworks, they aren’t always accurate. Their results require examination and vetting by an experienced security engineer to determine which results are real and which are false positives. These tools will only find about 45% of the types of vulnerabilities that may be present, so understanding their limitations is key.

Don’t Forget Vendor Vulnerabilities

It's important to understand your vendors’ vulnerability reporting and management processes. Asking them the following questions can shed light on their processes:

  • How do you find vulnerabilities in your software or infrastructure?
  • When you find vulnerabilities, how do you report them to customers?
  • How do you communicate workarounds and the need for patches?

If a vendor doesn't notify you of vulnerabilities in a timely manner, your business won’t be able to assess the issue’s potential impact or prioritize a response. This increases your company’s risk.

The Sooner You Review, The Better

From defining requirements to deployment, every step of the software development cycle has the potential to create security issues. Often, security is the last thing on the agenda because of budget and timeline restraints. Incorporating it into the process from the very beginning—known within the industry as shifting security left—may help reduce the amount of damage control required at the end of the development cycle and reduce costs.

When vulnerabilities are identified, developers should be equipped with tools and training to address them. Ideally, it would be the responsibility of the whole team to deploy secure applications. Shifting the culture to prioritize safety can help companies meet that goal.

We’re Here to Help

For more information about reviewing your company’s application security and developing protections against vulnerabilities, contact your Moss Adams professional or visit our cybersecurity page.