eGuide
In this eGuide
Application Security
Improve Application Security Practices
Third-party Apps Ripe Targets for Cybercriminals
Etsy, Ecommerce and Application Security
Is Application Security the Hole in Your Defense?
Massive Enterprise Software Insecurity
Radically Better Security
Enterprises around the world are facing what could be called the most aggressive threat environment in the history of information technology. Disruptive computing trends are emerging that offer increased employee productivity and business agility, but at the same time introduce a host of new risks and uncertainty. Applications are no exception – the ways that developers create the programs that support the business are always evolving, but security measures to protect these new applications struggle to keep up. When it comes to commercial applications, patching security holes is a must – yet so often these holes are left unplugged and vulnerabilities find their way into the corporate network.
In this eGuide, CIO and sister publications CSO and InfoWorld bring you news, opinions, research and advice regarding the risks that enterprises face from lackluster application security, and steps that can be taken to improve IT defenses. Read on to learn more about application security trends and approaches for today’s insecure world.
Resources
How to Improve Your Application Security Practices
The number of serious vulnerabilities in applications is declining, but they are still common. Improving your application security posture requires determining whether you’re a target of opportunity or a target of choice and understanding your development lifecycle
Is Application Security the Glaring Hole in Your Defense?
Organizations on average spend one-tenth as much on application security as they do on network security, even though SQL injection attacks are the highest root cause of data breaches. Experts say educating developers in writing secure code is the answer
Third-party Apps Ripe Targets for Cybercriminals
86% of all vulnerabilities in 2012 pinned to non-Microsoft apps
3 Questions: Etsy, Ecommerce and Application Security
Dinis Cruz on what we do, and don’t, know about web security practices
Survey Raises Specter of Massive Enterprise Software Insecurity
Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components
The Two Steps to Radically Better Security
Stop wasting your money and do computer security right with two common-sense practices
Application Security Resources
Tips and tools to help make your critical applications more secure
How to Improve Your Application Security Practices
By Thor Olavsrud • CIO
Organizations talk a good game when it comes to security, but many still focus the majority of their security resources on the network rather than their applications – the vector for most data breaches. Many organizations dedicate less than 10 percent of their IT security budget to application security, according to a study by research firm the Ponemon Institute, released in 2012.
The reasons for this gap are multifaceted, says Jeremiah Grossman, founder and CTO of WhiteHat Security, provider of a continuous vulnerability assessment and management service for thousands of Web sites, including the Web sites of dozens of Fortune 500 companies. First, he says, many security professionals have a blind spot for software.
“Most of the security guys out there are not software people,” he says. “They come from an IT background. All they really know how to do is protect the network.”
Second, regulatory compliance and the cruft that comes with regulations based on past threats also play a role in Grossman’s view. “Organizations must comply,” he says. “They spend the lion’s share of their budget first on firewalls and antivirus because the compliance regulators mandate it.”
Prioritizing Application Security Is a Challenge
It is often difficult for the organization to prioritize application security over revenue-generating development work, he says. Even when organizations identify serious vulnerabilities in their Web sites, it’s not necessarily a simple decision to fix them.
“The organization has to fix it themselves,” he says. “The business has to decide: ‘Do we create revenue-generating features this week? If we don’t deliver those fea-
dropping to an average of 38 days, much shorter than the average of 116 days in 2010. “The developers know that 38 days is actually a really, really good number because they know how long it does take,” Grossman says. “But to the end users, 38 days is unacceptable.”
Steps to Improve Your Security Posture
To improve your application security posture and make the best possible use of your IT security budget, Gross-
While 2011 was dubbed the Year of the Breach, it was also a year in which the average number of serious vulnerabilities in Web sites showed a marked decline.
but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but
Is Application Security the Glaring Hole in Your Defense?
Organizations spend one-tenth as much on application security as they do on network security. Experts say educating developers in writing secure code is the answer.
The study found that security practitioners and developers were far apart in their perception of the issue. While one might expect that security practitioners held the more cynical views with regard to application security, in fact the opposite was true. Dr. Ponemon says 71 percent of developers say application security was not adequately emphasized during the application development lifecycle, compared with 49 percent of security practitioners who felt the same way. Additionally, 46 percent of developers say their organization had no process for ensuring security is built into new applications, while only 21 percent of security practitioners believed that to be the case.
Developers and security practitioners are also divided on the issue of remediating vulnerable code. Nearly half (47 percent) of developers say their organizations have no formal mandate to remediate vulnerable code, while 29 percent of security practitioners say the same.
The survey also found that nearly half of developers say there is no collaboration between their development organization and the security organization when it comes to application security. That’s a stark contrast from the 19 percent of security practitioners that say there is no collaboration.
Lack of Collaboration in Application Security
“We basically found that developers were much more likely to think there was a lack of collaboration,” Dr. Ponemon says. “The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they’re getting the word out on collaborating or helping, but they’re not doing so effectively.”
In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don’t understand how to implement that policy. The security organizations think they’ve done their job, but they haven’t managed to make their policy contextual for developers.
“We find that process has no bearing whatsoever on the ability of an organization to write secure code,” Dr. Ponemon says. “It doesn’t take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write.”
But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one.
71 percent of developers say application security was not adequately emphasized during the application development lifecycle; 46 percent say their organization had no process for ensuring security was built into new applications; nearly half say there is no collaboration between their development organization and the security organization when it comes to application security.
products, Microsoft’s User Account Control (UAC), Unix/Linux’s sudoers functionality, or any other method or product that accomplishes the same goal.
The dirty little secret is that removing elevated privileges still won’t seal off your defenses. Lots of malicious programs can run or be installed without elevated security privileges. Malicious programs can accomplish nearly every wanted outcome without the user logged in as Administrator or root. They can steal passwords and identities, as well as redirect browsers to places the user didn’t intend to go. Nonetheless, you can reduce risk somewhat if users have fewer privileged accounts while reading email or surfing the Web.
Lastly, don’t neglect end-user education. After application control, it’s the best way to prevent unwanted programs from being installed – when it’s done right. Most end-user education misses obvious points and refers to outdated threats. Get the backing of management, conduct mandatory sessions on a regular basis, and ensure your instruction is current and specific to your organization. When users know what their own antimalware software looks like, they’re much less likely to fall for the fake stuff.
Patch everything faster
The other best defense is to patch all software in a timely way. This has been a mantra for more than two decades now, which is why it’s so surprising that so few companies patch as quickly as they should. Yes, they’re doing better at patching operating systems, but they do a horrible job at patching the most popular Internet add-on products, like Oracle Java or Adobe Acrobat, both of which have been ranked as the most exploited products for years.
A corollary to controlling what can be installed is restricting who can install it. To prevent the easy installation of programs that have not been reviewed or approved, don’t let anyone run with elevated privileges or permissions most of the time.