It’s 10 o'clock – do you know what your IT security team is doing?

While it may be obvious that addressing vulnerabilities eats up the most time for IT security pros, what may surprise you is the source of those vulnerabilities.

Most people think that IT security professionals spend most of their time thwarting external threats from hackers, cybercriminals and bad actors from the Dark Web. In fact, infosec pros find the biggest time sink to be addressing security vulnerabilities introduced by applications developed in-house or even bought off the shelf. As a survey of attendees at this summer’s Black Hat conference indicates, “Most enterprises are not spending their time, budget and staffing resources on the problems that most security-savvy professionals consider to be the greatest threats.”

While the threat of targeted attacks is something that most IT professionals fear, most of their time is spent addressing application vulnerabilities. Many professionals understand that they live in a world of “when, not if” there will be an external attack, but their day-to-day demands don’t allow them to address the myriad ways that they could be compromised.

The survey reported that, “More than a third of Black Hat attendees said that their most time-consuming tasks are in addressing vulnerabilities introduced by internally developed software (35 percent) and vulnerabilities introduced by off-the-shelf software (33 percent). The data suggests that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.”

Application security leaves a lot to be desired

“Every piece of software has vulnerabilities, and a lot of those vulnerabilities have never been tested,” says Chris Eng, vice president of research at Veracode. The end result is that security teams focus more on application weaknesses than they do on sophisticated targeted attacks, accidental end user data leaks, polymorphic malware and phishing attacks.

Addressing application vulnerabilities is so time consuming, Eng says, “because of the hundreds and thousands of applications running on the network. For example, many banks use legacy software which was created over 10 years ago when there was no talk of security.” As more enterprises rely on a greater number of applications, their environments become more vulnerable.

Running older software is only one piece of the problem, and it is compounded by running multiple applications, because, “A lot of products haven’t done application security at all,” says Eng.

“To test all Web applications,” Eng says, “would mean taking something and making the site do what it’s not supposed to do. Historically enterprises have used pen testers, which means test for two weeks, report, fix, repeat. Fixing means adding new features, but multiply that by the thousands of applications running. How many consultants do you need?”

Automation is your friend

A key take-away from Black Hat attendees: “Security pros are not spending their time and budget in a manner that is commensurate with their concerns about current threats. While issues such as compliance and application security take a significant amount of their time, they need greater leeway to focus on emerging threats such as targeted attacks and social engineering exploits that pose the greatest danger to their organizations.”

A solution to the time-consuming task of addressing security vulnerabilities is baking automation into the security development lifecycle. “Automation can run a test every night,” Eng says. Rather than spending their time working with developers to fix holes only in applications where vulnerabilities have already been identified, IT professionals can run automated security tests on all of their applications.

“By empowering all of your different developments to use the same platform to self-test, it reduces the single point of failure,” Eng says. Automation allows enterprises to better understand the risks that are introduced in both their own applications and off-the-shelf purchases of applications or systems.

Due to the scope and scale of the problem, Eng says, “If you aren’t looking at everything, then you might as well be looking at nothing.” Choosing the 10–50 applications they want to test and then fixing those does little to address the entire scope of vulnerabilities that are going undetected. The bottom line, says Eng, is that “any mistakes the developers make, the company’s development operations are going to make as well.”

According to Eng, automation “allows enterprises to understand the risks that are coming in. It helps companies scale security programs, provides visibility and sets policies because you want an understanding of the security posture of everything you are purchasing.”

The criminal needs only one point of entry to successfully infiltrate a network, but the more visibility an enterprise has, the more they can safeguard their environments. “Automation can’t find everything, but it gives you a way to make sure developers are thinking about this every day,” Eng says.

Stories by Kacy Zurkus