The U.S. Department of Homeland Security (DHS) states that 90 percent of security incidents result from exploits against defects in software. That's a big statement - and it implies that poor software development may be the biggest cyber threat of all.
You have to wonder if that's an isolated finding in the context of DHS's own experience - or do CISOs, IT security professionals, researchers and analysts, software developers, and application vendors agree?
The “Forrester Wave: Application Security Report”, which evaluates vendors for security and risk professionals, says many firms have rushed to bring applications online, building out consumer-facing websites, buying commercial off-the-shelf (COTS) products, and developing mobile applications to enable and engage with their customers and partners without thinking about the security of the application itself. As a consequence, businesses are exposing their most sensitive corporate and customer data to possible external threats and breaches.
Is the cyber industry over-focused on network security, while applications are the real weak spot?
“Many organizations have significant network security in place but it’s not enough as 84 percent of all cyber-attacks are happening on the application layer,” said Tim Clark, Head of Brand Journalism at SAP, in a recent Forbes blog. SAP, headquartered in Walldorf, Germany, with U.S. operations in Newtown Square, Pa., is one of the world's largest enterprise application vendors.
Intruders are increasingly targeting the application stack for exploitation, according to the “Cisco 2015 Annual Security Report”. Cisco says the rise of cloud apps and the ubiquity of do-it-yourself (DIY) open-source content management systems (CMS) has created a landscape of vulnerable websites and SaaS offerings. Underlying systems/networking layers managed by IT operations may withstand malicious attacks, but application-level components built by developers are often riddled with vulnerabilities.
What's the disconnect between software development and security?
“The SANS Institute 2015 State of Application Security Report” states that many information security engineers don’t understand software development, and most software developers don’t understand security. Developers and their managers are focused on delivering features and meeting time-to-market expectations, rather than on making sure that software is secure. SANS indicates only a small share of security testing is done by the development team (21.6 percent) or quality assurance personnel (22 percent), while the internal security team accounts for most (83.2 percent) of the testing.
Exactly what type of poor software development practices are going on?
CNET recently reported that programmers are copying security flaws into your software. Programmers don’t write all of their code. They routinely borrow code from others, and they’re not checking the borrowed code for security flaws. Because the same flawed snippet ends up in many products, this widespread practice lets attackers have broad impact with just a few exploits.
Why is this happening?
“The security industry is overly-focused on testing and scanning for known vulnerabilities in software after it’s been released, and under-focused on poor software development practices that lead to vulnerable applications that hackers can exploit" says Frank Zinghini, CEO of Applied Visions, Inc., a software development company providing solutions in cyber security, business applications, and command and control systems to government and commercial customers worldwide. "Application security has to be part of the early stages of the SDLC (software development lifecycle); not tacked on at the end when finding and fixing the vulnerabilities is far more costly” adds Zinghini.
Is there a remedy?
In a recent CIO Journal, published by the Wall Street Journal, James Kaplan, a partner at McKinsey & Co. and co-author of “Beyond Cybersecurity: Protecting Your Digital Business” said “A far better model (for software development) would be if you were teaching your developers how to write secure code, were including security architects in the development process from day one of the project, and investing in tools for secure development. Then you have many fewer flaws at the end of the process.” He added “Most developers have not been trained on secure coding practices.”
Are corporations planning to beef up their application security?
More than half of respondents to a SANS Institute survey expect spending on application security programs to increase over the next year (more than a quarter expect spending to increase significantly), and only 3 percent expect to spend less.
Do startups stand a better chance?
Bessemer Venture Partners (BVP), one of the most respected tech industry venture capital firms, authored a white paper that states application software development is the most critical business function in the early days of most startups today. The paper states “the most important feature of secure development is written and periodic in-person (security) training by your senior developers” and “the second basic feature of secure development is source code analysis – the automated discovery of vulnerabilities”. Arguably startups stand a better chance of getting it right, since they are not burdened with legacy applications the way most large corporations are.
Who can help?
Application testing and security is big business, and there are many vendors and service providers specializing in the field.
According to market researcher ReportsnReports, North America is the largest market for security testing services. Markets and Markets expects this market alone to grow from $2.47 billion in 2014 to $4.96 billion by 2019, at an estimated Compound Annual Growth Rate (CAGR) of 14.9 percent from 2014 to 2019.
Major vendors who play in the application security space include IBM (AppScan) and HP (Fortify). Veracode provides application scanning and protection in the cloud. Checkmarx is a leading SAST (static application security testing) and DAST (dynamic application security testing) vendor. Code Dx, Denim Group, and a handful of others provide niche solutions that integrate with the major vendors. High-Tech Bridge provides the ImmuniWeb service, which combines automated web application scanning with manual penetration testing by human testers. PwC recently signed a deal to provide the ImmuniWeb service to its clients.
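To make the "source code analysis" that the BVP paper calls for, and the SAST products named above, concrete, here is an added example of the simplest form such a tool takes: a pattern-based static analyser that walks a Python program's syntax tree and flags a few well-known defect classes. This is illustrative code written for this page, not the output or internals of any vendor listed here, and the sample program it scans is constructed for the example. Real SAST engines add data-flow (taint) tracking, which this does not; the caveat is spelled out in the comments.

```python
"""Minimal pattern-based SAST scanner (added example, not a vendor's tool).

It walks the AST of a Python source string and reports three classes of
defect that frequently arrive via copied-and-pasted snippets:
  * sql-injection   : DB-API execute() called with a query built by
                      %-formatting, concatenation, .format() or an f-string
  * shell-injection : subprocess.* with shell=True, or os.system() on a
                      dynamically built string
  * dynamic-code    : eval()/exec() on anything that is not a literal
Caveat: this is purely syntactic. It has no taint tracking, so a query
assembled in one variable and executed in another is missed (false
negative), and a constant built with "+" is flagged (false positive).
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


class DangerousPatternVisitor(ast.NodeVisitor):
    SHELL_FUNCS = ("subprocess.run", "subprocess.call",
                   "subprocess.check_output", "subprocess.Popen")

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = self._call_name(node)

        # Rule 1: eval/exec on non-literal input.
        if name in ("eval", "exec") and node.args \
                and not isinstance(node.args[0], ast.Constant):
            self.findings.append(
                Finding("dynamic-code", node.lineno, f"{name}() on non-constant input"))

        # Rule 2: shell=True, or os.system with a built string.
        if name in self.SHELL_FUNCS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) \
                        and kw.value.value is True:
                    self.findings.append(
                        Finding("shell-injection", node.lineno, f"{name}(..., shell=True)"))
        if name == "os.system" and node.args and self._is_built_string(node.args[0]):
            self.findings.append(
                Finding("shell-injection", node.lineno, "os.system() on built string"))

        # Rule 3: execute() whose first argument is a dynamically built string.
        if name.endswith(".execute") and node.args and self._is_built_string(node.args[0]):
            self.findings.append(
                Finding("sql-injection", node.lineno, "execute() with dynamically built query"))

        self.generic_visit(node)

    @staticmethod
    def _call_name(node):
        """Return 'a.b.c' for a dotted call target, or '' if not resolvable."""
        f = node.func
        if isinstance(f, ast.Name):
            return f.id
        parts = []
        while isinstance(f, ast.Attribute):
            parts.append(f.attr)
            f = f.value
        if isinstance(f, ast.Name):
            parts.append(f.id)
            return ".".join(reversed(parts))
        return ""

    @staticmethod
    def _is_built_string(node):
        """True for f-strings, '%' / '+' expressions and str.format() calls."""
        if isinstance(node, ast.JoinedStr):
            return True
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
            return True
        return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format")


def scan_source(src: str):
    """Parse src and return findings sorted by line number."""
    visitor = DangerousPatternVisitor()
    visitor.visit(ast.parse(src))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample program: each risky line is paired with a safe form.
SAMPLE = """\
import sqlite3, subprocess
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)  # injectable
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))   # parameterised
def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)              # shell injection
    subprocess.run(["ping", "-c", "1", host])                   # argv form
def calc(expr):
    return eval(expr)                                           # dynamic code
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run as-is it reports lines 4, 7 and 10 of the sample and stays silent on the parameterised query and the argv-style subprocess call. The point for the SDLC discussion above is that a check this cheap can run on every commit; the vendor products differ in breadth of rules and in tracking data flow across functions, not in where in the lifecycle they belong.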
Do your own research and you'll find dozens of application security vendors. But the better starting point might be a consultant or services company who can help you get a better handle on the application threatscape - and how to approach the unique application security needs of your enterprise.