Getting Application Security Back on the Rails | The State of Security
In its Interagency Report 7695, the National Institute of Standards and Technology (NIST) defined an application as “a system for collecting, saving, processing, and presenting data by means of a computer.” This broad term covers enterprise applications, consumer applications, and even phone apps. Security is important in all these types of applications, but the focus is not always the same. Let’s explore how below.
How Security Differs Across These App Types
Enterprise applications are applications used by businesses and corporations, and they are often required to meet compliance standards like PCI DSS and HIPAA. As such, there can be legal and financial issues if their software is knowingly left unsecure. Take an organization’s Point-of-Sale (POS) systems as an example. Some organizations might link these systems to other enterprise applications that lack proper PCI protection. If they do, they could incur penalties such as monetary fines and damage to their reputation.
For another example of an enterprise application, consider an organization that’s responsible for protecting patients’ protected health information (PHI). It’s their obligation under HIPAA to store that information securely and to prevent unauthorized individuals from obtaining access to that data. Transmitting PHI via a public fax line or via unencrypted emails does not uphold their compliance obligations and thereby puts them at risk of incurring a HIPAA violation fine.
These security requirements change with consumer apps and phone apps. Programs in the former category do not generally get the same security scrutiny as enterprise applications, so they come with fewer compliance obligations. And phone apps have the lowest security of all.
Why Application Security Is Lacking
Not all organizations are too concerned with their applications’ security these days. Provided below are a few reasons why:
- Time to market is king: Amid the ongoing IoT craze, every device imaginable is being pushed to have remote access over the internet. The apps that help to administer these devices are being created quickly, and oftentimes, security is not as important as time to market. This is not limited to IoT apps. It even happens with many shopping, business, and food delivery apps, too.
- Lack of security experts: People with security expertise and background are in high demand these days. In a 2020 survey, Tripwire learned how 83% of security experts felt more overworked going into 2020 than they did a year earlier. (That was before the pandemic; imagine how they must have felt a year later!) About the same proportion (85%) of respondents said it had become more difficult over the past few years to hire skilled security professionals. This skills gap makes it more difficult for organizations to hire experts who can help lead the charge in securing their applications.
- Misunderstanding of roles: Many new applications rely on cloud services, and there is often a gap in the understanding of relevant security roles and responsibilities. It is often assumed that the cloud vendor is responsible for taking care of all the security needs. (That is not the case. Check the Shared Responsibility Model.) The same errant thinking holds true for phone apps where it is just assumed that the phone OS protects everything.
Application Security Best Practices
It doesn’t have to be this way. Organizations can harden the security of their applications by following some key best practices. Before the release of any application, for instance, there should be a detailed security assessment that includes checking for vulnerabilities in both the company code as well as any third-party code and packages. Not every known vulnerability is a high priority, of course, so organizations need to consider conducting a risk prioritization of their security flaws. They can then create a patching schedule that addresses known vulnerabilities based upon their priority. No product, application, or app should ever be released with high priority vulnerabilities that can be exploited, whereas low priority vulnerabilities that do not leak data or cannot be used to exploit a device can be deferred to the next release at times.
Vulnerabilities are not always the biggest concern for organizations, either. Secure configurations are much more of a widespread issue—especially when it comes to cloud environments. In a survey of attendees at Black Hat USA 2019, 84% of respondents told Tripwire that it was difficult for their organization to maintain secure configurations in the cloud. Nearly a fifth (17%) of those survey participants said it was “very difficult.” Those findings help to explain why three-quarters of security professionals in the study said it was easy to accidentally expose data through the cloud.
How Tripwire Can Help
Not every organization can manage the vulnerabilities and secure configurations of their applications on their own. In response, organizations can look for a vendor that has a proven track record of helping its customers manage these security functions across their environments.
Learn how Tripwire can help organizations implement these controls with their applications.