Application security remains a challenge
Solving the problem of software security requires businesses to consider a range of approaches, says Quocirca's Bob Tarzey
A new Quocirca report has underlined the scale of the application security challenge faced by businesses. The average enterprise tracks about 500 mission-critical applications, and in financial services organisations this is closer to 800. Increasing numbers of these applications are web enabled, SaaS based, or running on mobile devices.
Security failures leave businesses vulnerable to hackers and malware, and auditors expect application security to be demonstrable. In addition, customers with whom a business shares processes via applications are increasingly likely to seek security guarantees of their own.
Fixing security flaws upfront wherever possible also makes sense because of the cost involved in doing so after software is deployed. Resellers can help their customers here.
For in-house-developed software, better practice can be ensured through developer training, and many businesses will need assistance to achieve this. For purchased software, due diligence during procurement is necessary, seeking security assurances from ISVs; resellers that sell application software could do this as part of their value-add. Of course, such measures cannot ensure software is 100 per cent secure.
For this reason, application scanning, manual penetration (pen) testing and web app firewalls (WAFs) should also be considered.
Scanning software aims to eliminate flaws in the first place. Static scanning of source code or binaries can be done before deployment, while dynamic scanning exercises the running application during testing or after deployment. Static scanning is comprehensive, examining every line of code.
Scans can be done whenever necessary. On-demand scanning services are increasingly favoured, as the providers of such services have visibility of thousands of applications scanned on behalf of customers. Such services are often charged for per application, so unlimited scans can be performed. These on-demand services can be affordable and scalable for all applications, mission-critical or not. VARs may sell these tools or, better still, use scanning services to verify code before recommending apps to their customers.
Achieving the right mix
Pen testing, in which specialist third parties use white-hat hackers to test application security and the effectiveness of its defences, means deliberately trying to break into applications. Because skilled people are involved, pen testing is relatively expensive and carried out periodically, so new threats may emerge between tests. Most organisations will find pen testing unaffordable for all but the most sensitive and exposed applications. Resellers could offer pen testing services or seek referral fees from specialist partners.
WAFs are placed in front of applications to protect them from application-focused threats. They are trickier to deploy than traditional network firewalls, and they do nothing to fix the underlying software flaws they shield. WAFs must also be sized for traffic volumes, and more traffic means more cost. However, they represent a product resale opportunity.
Many organisations use multiple approaches to maximise protection. Interestingly, although one of the reasons for demonstrating software security is to satisfy auditors, compliance bodies do not themselves mandate multiple approaches. For example, the Payment Card Industry Security Standards Council (PCI-SSC) deems code scanning to be an acceptable alternative to a WAF.
Organisations have to use computer software of one sort or another - and using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes. These are all goals that resellers should be helping their customers achieve.
Bob Tarzey is a research analyst and a director of Quocirca