Scaling Your Application Security Program
By Chris Wysopal, Co-Founder, CTO & CISO, Veracode
We now live in a world where software applications are omnipresent. The world’s largest enterprises are increasingly finding themselves in the software business. It doesn’t matter what their end products are, they are building Web applications, mobile apps and other software for their products and this software is becoming a key interaction point between brands and their customers and partners. According to a recent McKinsey study, it is now widely accepted that innovation isn’t optional, and that utilizing new software technologies is a prerequisite to success in virtually all industries.
We’ve found that the average enterprise is spending around $5 million a year for application security or about 1% of their IT budget. This spend is typically scattered across several departments on a variety of standalone tools, manual processes and expensive consultants. This approach fails to scale, covering only approximately 5 percent of an enterprise’s application infrastructure. With this level of spend, you would expect an organization to have a much higher level of protection.
Because AppSec is complex, enterprises focus solely on the 5 percent of apps that they are obliged to secure in order to comply with industry or government regulations. The problem also appears very large: with thousands of web applications and millions of mobile applications joining the application ecosystem, companies need a strategy for addressing all of these apps.
In many cases, enterprises aren’t even aware of all the web, mobile and legacy applications in their application infrastructure. To begin addressing the scalability issue of application security, companies must first understand what their entire application infrastructure looks like. From there, businesses can determine which apps touch sensitive customer or corporate data, or share resources with apps that touch critical enterprise data such as intellectual property. The next step is to determine which of these apps have vulnerabilities and thus need the next level of protection, and then to create rules that provide that protection. Creating the rules is the easy part; the challenge is discovering all the apps in an environment and finding their vulnerabilities. Many of the companies Veracode speaks to have no idea how many web or mobile applications they have produced.
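The inventory-driven prioritization described above can be expressed as a small piece of code. The example below is added here and is not Veracode's code or tooling; the inventory, the resource names and the "shared resource" rule are constructed assumptions. An app is in scope directly when it handles sensitive data, and transitively when it shares a resource (a database, an auth service) with an in-scope app, which is the part that is easy to miss when the inventory is kept by hand.

```python
"""Tier an application inventory for AppSec coverage (added example, not Veracode's code)."""
from collections import deque

# Constructed sample inventory: app -> (kind, handles_sensitive_data, shared_resources)
INVENTORY = {
    "customer-portal": ("web", True, {"customer-db"}),
    "mobile-banking": ("mobile", True, {"customer-db", "auth-svc"}),
    "marketing-site": ("web", False, set()),
    "internal-wiki": ("web", False, {"auth-svc"}),
    "batch-reporting": ("legacy", False, {"customer-db", "report-store"}),
    "status-page": ("web", False, set()),
}


def build_resource_map(inventory):
    """Invert the inventory: resource -> set of apps that use it."""
    by_resource = {}
    for app, (_kind, _sensitive, resources) in inventory.items():
        for resource in resources:
            by_resource.setdefault(resource, set()).add(app)
    return by_resource


def in_scope_apps(inventory):
    """Return {app: reason} for every app that needs the next level of protection.

    Apps that handle sensitive data are in scope directly; the breadth-first walk
    then pulls in every app that shares a resource with an in-scope app.
    """
    by_resource = build_resource_map(inventory)
    scope = {app: "handles sensitive data"
             for app, (_kind, sensitive, _res) in inventory.items() if sensitive}
    queue = deque(scope)
    while queue:
        app = queue.popleft()
        for resource in inventory[app][2]:
            for neighbour in by_resource.get(resource, ()):
                if neighbour not in scope:
                    scope[neighbour] = f"shares {resource} with {app}"
                    queue.append(neighbour)
    return scope


def coverage(inventory, scanned):
    """Percentage of in-scope apps that have actually been scanned."""
    scope = in_scope_apps(inventory)
    if not scope:
        return 100.0
    return 100.0 * len(set(scanned) & set(scope)) / len(scope)


if __name__ == "__main__":
    for app, reason in sorted(in_scope_apps(INVENTORY).items()):
        print(f"{app:18s} in scope: {reason}")
    # Constructed: only the two regulated apps have been scanned so far.
    print(f"coverage: {coverage(INVENTORY, ['customer-portal', 'mobile-banking']):.0f}%")
```

Running it shows why coverage measured against the regulated apps alone overstates the real position: the legacy batch job and the internal wiki are pulled into scope by the resources they share, and scanning only the two regulated apps covers half of what actually needs attention.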
Another issue enterprises must deal with when scaling an application security program to meet the demands of a growing application ecosystem is the use of third-party applications or components in their own software, such as outsourced software or open source libraries. In an effort to improve efficiency and get technology to market faster, organizations are relying more and more on third-party applications and components in their own software. What many don’t consider is that it does not matter whether a hacker exploits a vulnerability in a third-party application or a homegrown one: the results will be the same, and customers will not see the distinction. As such, any enterprise using third-party applications or components needs to realize it is increasing the attack surface of its application infrastructure, and must identify all the exploitable vulnerabilities within its applications.
To further scale an application security program, organizations need to move from discovery to the next level of security – prevention. This is done by scanning applications at a deeper level to find the vulnerabilities before they are moved to production or a live state. This is a more difficult undertaking and can take longer than the protection phase. However, with this phase complete, an organization can now evolve from covering about 5 percent of their applications to protecting 50 percent or more of their applications.
Scaling well is not just about the absolute number you can get to, but how quickly you can get there. It’s about going further faster. As such, scaling application security requires both automation and human expertise, and it is this balance that so many organizations find difficult. To effectively scale application security across the ever-growing number of applications enterprises own, enterprises must first replace manual efforts with automation wherever possible; where eliminating manual intervention isn’t possible, it needs to be made as efficient as possible.
This can be done by offloading the parts of testing that can be automated to automated solutions. Let security experts find obscure vulnerabilities in an application’s business logic or authorization, and let machines find common vulnerabilities such as SQL injection and cross-site scripting. Application security experts are hard to find, so let’s make sure they are being effectively utilized. These are some of the approaches we are taking as we learn how to drive application security testing through huge application portfolios.
By creating a strategy that focuses on expanding the number of applications covered by the application security program, and using more automation, companies can more quickly reduce their risk and better protect their sensitive data without increasing costs.