The U.S. Department of Homeland Security (DHS) states that 90 percent of security incidents result from exploits against defects in software. That's a big statement - and it implies that poor software development may be the biggest cyber threat of all.
You have to wonder if that's an isolated finding in the context of DHS's own experience - or do CISOs, IT security professionals, researchers and analysts, software developers, and application vendors agree?
The “Forrester Wave: Application Security Report”, which evaluates vendors for security and risk professionals, says many firms have rushed to bring applications online, building out consumer-facing websites, buying commercial off-the-shelf (COTS) products, and developing mobile applications to enable and engage with their customers and partners without thinking about the security of the application itself. As a consequence, businesses are exposing their most sensitive corporate and customer data to possible external threats and breaches.
Is the cyber industry over-focused on network security, while applications are the real weak spot?
“Many organizations have significant network security in place but it’s not enough as 84 percent of all cyber-attacks are happening on the application layer,” said Tim Clark, Head of Brand Journalism at SAP, in a recent Forbes blog. SAP, headquartered in Walldorf, Germany, with U.S. operations in Newtown Square, Pa., is one of the world's largest application security vendors.
Intruders are increasingly targeting the application stack for exploitation, according to the “Cisco 2015 Annual Security Report”. Cisco says the rise of cloud apps and the ubiquity of do-it-yourself (DIY) open-source content management systems (CMS) have created a landscape of vulnerable websites and SaaS offerings. Underlying systems/networking layers managed by IT operations may withstand malicious attacks, but application-level components built by developers are often riddled with vulnerabilities.
What's the disconnect between software development and security?
“The SANS Institute 2015 State of Application Security Report” states that many information security engineers don’t understand software development, and most software developers don’t understand security. Developers and their managers are focused on delivering features and meeting time-to-market expectations, rather than on making sure that software is secure. SANS indicates only a small amount of security testing is done by the development team (21.6 percent) or quality assurance personnel (22.percent) – while the internal security team accounts for most (83.2 percent) of the testing.
Exactly what type of poor software development practices are going on?
CNET recently reported that programmers are copying security flaws into your software. Programmers don’t write all of their code. They routinely borrow code from others, and they’re not checking the code for security flaws. This widespread practice opens the door for hackers to have broad impact with just a few exploits.
Why is this happening?
“The security industry is overly-focused on testing and scanning for known vulnerabilities in software after it’s been released, and under-focused on poor software development practices that lead to vulnerable applications that hackers can exploit,” says Frank Zinghini, CEO of Applied Visions, Inc., a software development company providing solutions in cyber security, business applications, and command and control systems to government and commercial customers worldwide. “Application security has to be part of the early stages of the SDLC (software development lifecycle); not tacked on at the end when finding and fixing the vulnerabilities is far more costly,” adds Zinghini.
Is there a remedy?
In a recent CIO Journal, published by the Wall Street Journal, James Kaplan, a partner at McKinsey & Co. and co-author of “Beyond Cybersecurity: Protecting Your Digital Business”, said, “A far better model (for software development) would be if you were teaching your developers how to write secure code, were including security architects in the development process from day one of the project, and investing in tools for secure development. Then you have many fewer flaws at the end of the process.” He added, “Most developers have not been trained on secure coding practices.”
Are corporations planning to beef up their application security?
More than half of respondents to a SANS Institute survey expect spending on application security programs to increase over the next year (more than a quarter expect spending to increase significantly), and only 3 percent expect to spend less.
Do startups stand a better chance?
Bessemer Venture Partners (BVP), one of the most well-respected tech industry venture capital firms, authored a white paper that states application software development is the most critical business function in the early days of most startups today. The paper states “the most important feature of secure development is written and periodic in-person (security) training by your senior developers” and “the second basic feature of secure development is source code analysis – the automated discovery of vulnerabilities”. Arguably, startups stand a better chance of getting it right, since they are not burdened with legacy applications the way most large corporations are.
Who can help?
Application testing and security is big business, and there are many vendors and service providers specializing in the field.
According to market researcher ReportsnReports, North America is the largest market for security testing services. Markets and Markets expects this market alone to grow from $2.47 billion in 2014 to $4.96 billion by 2019, at an estimated Compound Annual Growth Rate (CAGR) of 14.9 percent from 2014 to 2019.
Major vendors who play in the application security space include IBM (AppScan) and HP (Fortify). Veracode provides application scanning and protection in the cloud. Checkmarx is a leading SAST (static application security testing) and DAST (dynamic application security testing) vendor. Code Dx, Denim Group, and a handful of others provide niche solutions that integrate with the major vendors. High-Tech Bridge provides the ImmuniWeb service, which combines web application scanning and live bodies who provide penetration testing services. PwC recently signed a deal to provide the ImmuniWeb service to its clients.
Do your own research and you'll find dozens of application security vendors. But the better starting point might be a consultant or services company who can help you get a better handle on the application threatscape - and how to approach the unique application security needs of your enterprise.