PODCAST: The case for making ‘application security’ a top priority


By Byron V. Acohido

Convenience has its price. The truism rears its head often in cybersecurity, particularly as web applications delivered via the internet cloud have come to pervade digital commerce.

Nearly all businesses and government organizations now offer services—such as online payments—through web applications. And the staggering amount of data flowing through such applications presents golden opportunities for hackers.

The enterprise application market was valued at about $150 billion in 2015, and it’s anticipated to grow 7.6 percent a year from 2016 to 2024, according to Global Market Insights estimates.


Not surprisingly, hacker attacks on web applications are ceaseless. Enterprises need faster, more efficient ways to fix their software, particularly during the coding and development phases, so that vulnerabilities are addressed before the application is shipped to a cloud server farm, says Chris Prevost, vice president of solutions at Prevoty.

Web app security emerges as niche market

His firm is one of the more recent entrants in the growing business of cybersecurity services that are marketed to web application developers and the companies whose business is heavily reliant on them.

Chris Prevost, Prevoty vice president of solutions

“You hear stories about botnets that are out there. … A lot of times those botnets are constantly scanning web properties, looking for ways to get in,” Prevost says. “They’re throwing little interesting payloads of those applications, trying to see if they can make that application do something that it wasn’t supposed to do.”

Companies can test their own web applications by intentionally sending the same kinds of malicious payloads at them that attackers' scanners do, and watching how the application responds.

Prevoty also can run security analysis to discover flaws in the source code—while code lines are being written—to address vulnerabilities.

“The reality is that those technologies find a lot of problems because, guess what, the software we write is really complicated,” he says.

Devil’s in development details

The security problem has been compounded by the evolving nature of how online applications are developed. In the past, companies built their own applications in their own data centers, where they controlled the servers and other parts of the infrastructure network.

But companies are increasingly relying on remote server farms and other infrastructure hosting companies—such as Amazon Web Services and Cloud Foundry—to host applications and data. “We’re using third-party competence in our applications that we know nothing about,” Prevost says. “And we’re just going faster and faster with this old dev upstream. So it makes it very, very hard.”

Once web applications are developed and hosted on server farms, companies often then turn to traditional means of cybersecurity that focus on outside intrusion, such as firewall and database activity monitoring.

Inherent risks in cloud computing

While such tools are generally effective, the openness of cloud-based web applications leaves the applications themselves exposed: they must accept input from anyone on the internet. Shopping carts on e-commerce websites aren’t going anywhere.

“That’s the avenue now that the bad guys are using to get into the database,” Prevost says.

“I really don’t think that the (intrusion) activity level is ever going to go down, especially given that the ability for someone really anywhere in the world to access your site is so easy and convenient,” he says.

But damage can be limited. Companies with web applications may be better off focusing on protecting areas that are of the highest value instead of pouring resources into trying “to fix everything,” he says.

Accessible protection tools

This calculation is particularly crucial as the pressure on enterprises to code and deploy their web applications quickly intensifies. Prevoty’s product lets enterprises automate the process of adding to the software the protections that the development team should have put in place from the start, Prevost says.

Developers can access Prevoty’s library and simply clip the protection tool into the code being written. It’s easy enough that someone in the operations team, responsible for actually pushing the application out into the deployment infrastructure, could do the clipping after the software is written.
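To make concrete what “adding protections into the code” means in practice, here is an added example that is not Prevoty’s code and not part of the original article. It uses only Python’s standard sqlite3 module and a constructed in-memory “customers” table, standing in for the database the article says attackers are trying to reach through the web application. The unprotected lookup splices user input into the query text; the protected lookup binds it as a parameter. The probe string is a constructed example of the kind of payload a scanner throws at a site to see whether the application “does something it wasn’t supposed to do.”

```python
import sqlite3

# Constructed sample data standing in for a production customer table.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unprotected(conn, name):
    """The pattern the developer should not have written: the caller's input
    becomes part of the SQL text, so the input can change what the query does."""
    sql = "SELECT id, name, email FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_protected(conn, name):
    """The protection 'clipped in': a bound parameter. The driver passes the
    input to the database as data, never as query text, so the statement's
    meaning cannot be altered no matter what the input contains."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed probe: a textbook payload that tries to turn a single-name
# lookup into a condition that is always true.
PROBE = "x' OR '1'='1"


def run_comparison():
    """Run the same probe through both lookups and report what each returned.
    A defender can use this shape as a regression test: the protected path
    must return nothing for the probe while still serving normal lookups."""
    conn = build_db()
    return {
        "unprotected_rows": len(lookup_unprotected(conn, PROBE)),
        "protected_rows": len(lookup_protected(conn, PROBE)),
        "normal_lookup": lookup_protected(conn, "bob"),
    }


if __name__ == "__main__":
    print(run_comparison())
```

Run as a script, the comparison shows the unprotected lookup handing back every row in the table for the probe, while the protected lookup returns no rows for it and still finds “bob” by name. The same check, kept in the application's test suite, is one way an operations team can verify that a protection remains in place each time the application is pushed to the deployment infrastructure.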

“What are some mitigations or compensating controls that we can put in place that will make it harder for the bad guys to get our data,” Prevost says. “Find the things that are the most valuable to the organization and put the appropriate levels of controls in place.”


This article also appeared in ThirdCertainty.com