IBM & Ponemon Institute Study: Organizations “Don’t Know what they Do Know” when it comes to Application Security

March 2016 by IBM & Ponemon Institute

It’s becoming virtually impossible to escape. As a consumer, every time you go shopping, attend a major event, post content to social media or listen to the radio, you’re encouraged to download new, customized applications from content providers. Similarly, customer demand for new or updated functionality has shortened software release-cycles and led to an explosion of software-based games, fitness applications and quickly-evolving versions of popular social media content.

As a result of this market reality, organizations need to rapidly introduce new applications in order to outpace competition and meet customer demand. Gartner predicts that by 2017, market demand for mobile application development services will grow at least five times faster than internal IT organizations’ capacities to deliver them.

AppSec Risk Management Evolves from “Nice to Have” to Mission-Critical Requirement

In the legacy environment of longer release-cycles and less frequent updates, organizations could treat application security risk management as a “nice to have.” However, the current explosion of new applications has made application security risk management a mission-critical requirement.

Consider the following statistics:

• According to IBM X-Force Data, 28% of overall vulnerability disclosures in 2015 were targeted at Web applications.
• It’s been reported that at any given time, malicious code infects more than 11.6 million mobile devices (to put that figure into perspective, it’s roughly equivalent to the population of Ohio).
• A 2015 Ponemon Institute report, sponsored by IBM, found that 50% of companies have zero budget dedicated to mobile app security.

To spotlight this growing area of potential risk, a new study from IBM and Ponemon Institute surveyed application security professionals to determine their effectiveness at managing application security risk. The results reveal several eye-opening trends in how organizations are approaching application security, and why many of those approaches are falling short.

Key Finding: Application Expansion and Rush to Release have increased Security Risk

It’s no surprise that pressure to release apps quickly has been a leading cause of security missteps, and our latest survey results reveal that many organizations don’t address the problem effectively.

• 56% of respondents say their organizations are influenced by pressure to release new apps quickly: App developers are primarily focused on business value, user experience and addressing user inconveniences that apps seek to resolve. As a result, many developers miss “big picture” implications of applications beyond the apps’ core purposes, as well as potential “big headaches” such as security vulnerabilities.
• 35% of respondents say their organizations do not perform any major application security testing methods prior to application deployment: Application Security Testing permits organizations to address potential application vulnerabilities, by remediating them prior to application release. The survey indicates that basic security steps like those are often neglected, even though they represent a critical development lifecycle requirement.

Key Finding: Organizations struggle to manage applications they currently have in production

While the rush to release is creating a flood of new apps with questionable security protection right out of the starting gate, perhaps an even bigger concern is what happens to those apps once they’ve been deployed.

Among the most alarming findings of our study, respondents admitted that their organizations are struggling to keep tabs on apps they currently have in use, let alone secure them.

• 69% of respondents don’t know all of the apps and databases currently active in their organizations: Unfortunately, the 69% figure isn’t a misprint. Development teams are frequently unable to keep tabs on apps that have already been deployed into their organizations, or fully digest potential risks that have been introduced into corporate systems.
• 46% of respondents say their organizations don’t actually take basic security measures to remediate vulnerabilities: How can organizations protect their applications, when they don’t even engage in basic security measures, such as Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) and Interactive Application Security Testing (IAST)?

We anticipate that these issues will continue to present more significant challenges, as a growing number of apps are introduced and others require more frequent updates.

Break the Rush to Release Cycle and Secure Your Expanding App Infrastructure

While the picture painted by the recent survey results is grim, there are simple steps that organizations can take to break the rush-to-release cycle and secure their growing application empires. In a nutshell, organizations need to move from a “whack-a-mole” approach of fixing applications one at a time to a more strategic risk management framework.

Here are a few steps IBM recommends to get you started:

1. Get the Full Picture:
• Coordinate with other divisions and geographic regions to determine which apps are currently actively being utilized throughout your organization. Maintain a list of the applications, update it on a regular basis and track your remediation progress.
• Determine which apps are past their support lifespans and find out how you’re protecting them.
• Conduct an inventory of applications that are still active, but not used or monitored. In most cases, they should be end-of-lifed immediately, and user access should be terminated.

2. Unify Practices:

According to the study, 65% of sampled respondents say their organizations have fragmented security practices carried out at low levels in the organization.

We recommend the following actions to better unify application security across the enterprise:

• Educate executive management about security risks associated with the expansion of application usage. Demonstrate how a potential breach of a critical application could significantly impact your organization’s brand image and affect its bottom line.
• Select a division within your organization that effectively manages application security, and incorporate its best practices into business-wide educational programs. Spotlight areas where that division has reduced costs or significantly lowered the potential impact of vulnerabilities.
• Register and attend our March 9th Webinar with IBM and the Ponemon Institute, where we will review additional application security best practices. A playback of the Webinar will be made available after the session, at the same link.

3. Staff Up:

The survey found that 70% of respondents believe they don’t allocate sufficient resources to ensure that business-critical apps are kept secure.

You should do the following:

• Invest in security training for your app development teams, and leverage automated application security testing solutions such as IBM Security AppScan to permit developers to test applications quickly, efficiently and independently.
• Take time to assess which of your applications are truly mission-critical “crown jewels”. Examples of crown jewels could be privileged finance, customer relationship management (CRM) and e-commerce applications. Focus on protecting those applications first, and target remediation efforts on the most significant vulnerabilities in those applications.
• Reframe executive management’s mind-set by educating them on the potential costs associated with security breaches. That approach will remind them that effective security protection is far more than a cost center.

4. Get a Handle on Vulnerabilities:

In the study, 46% of respondents confess that growth in security vulnerabilities prevents their security posture from being effective.

We recommend the following actions:

• Utilize application security testing technology that ties into evolving threat data, which will permit you to become more effective at remediating high-priority app vulnerabilities.
• Learn more about IBM’s Cognitive Intelligent Finding Analytics capabilities, which dramatically reduce the number of testing results that you need to manage after conducting “noisy” SAST analysis, which produces a high volume of vulnerability findings.
• Working in conjunction with your management team, decide which risks are too inconsequential or unlikely to have a significant impact on your business. You may wish to accept those app risks.

In summary, only when organizations assess the full scope of their application security preparedness can they begin to prioritize and reduce risks that are introduced by rapidly-growing application infrastructures.
