A growing but often overlooked problem
As the threat landscape continues to evolve, apps are being targeted increasingly often by hackers. Despite this, application security is still considered relatively new when compared with older, more established areas of IT security. As a result, it often doesn’t get the funding and focus that it needs.
Recent threats to both Android and iOS have shown that we can’t ignore the importance of application security any longer. So how can you make sure it moves up the CISO’s agenda? There are plenty of reasons to give application security more attention, and we’ve discussed just a few of them below.
- Application security risks are growing fast
With increasing numbers of users turning to smartphones and the number of apps available also on the rise, cybercriminals are seeing apps as a potentially lucrative source of income.
As a result, the number of mobile malware families and variants are growing. For example, established players such as GM Bot are now being joined by alternative malware families such as KNL Bot, Bilal Bot and Cron Bot. In addition, further strains such as MazarBOT, Acecard and the XcodeGhost vulnerability have been making waves in recent months.
This problem is only going to get worse if application security isn’t addressed as a matter of the highest priority.
- Security professionals are aware of vulnerabilities in apps
To add further weight to the argument that more needs to be done to strengthen application security, a recent survey by the Ponemon Institute has found that almost 80 per cent of enterprises say that their organisation’s portfolio of apps has become more vulnerable to attacks.
What is clear from this is that security professionals are well aware that there are weaknesses in the application security layer, despite a traditional focus on shoring up the network layer. By listening to these concerns more closely, CISOs and other decision makers should see that application security is certainly worthy of closer attention.
- Decision makers often underestimate the severity of the risk
According to the same Ponemon report, 35 per cent of respondents said that their organisations do not perform any major application security testing methods prior to app deployment, which points to a general lack of awareness of just how serious the threat can be.
Hammering home the point about the severity of the risk is essential here: it’s no longer acceptable for businesses to neglect application security in the hope that it won’t become a problem in the future.
- Employees don’t know which applications and databases are active
Surprisingly, there are still large numbers of workers at organisations who are not aware of all of the applications and databases that are currently active. Without knowing what these applications are, it’s fairly self-explanatory that they become harder to protect.
Again, this all boils down to a general lack of awareness of the importance of apps to an organisation. By working to bring application security to the forefront of thinking, businesses stand the best possible chance of remedying this problem.
- Businesses often neglect carrying out regular application security testing
Again, it may sound surprising, but research has shown that a large number of businesses do not conduct regular security testing of their applications, both during the development phase and after it has been released. According to another Ponemon poll, almost 40 per cent of organisations don’t scan the code in their apps for vulnerabilities. In the event of a hacking attempt, cyber criminals will effectively have free rein to wreak havoc.
The sooner businesses realise that keeping tabs on any app vulnerabilities is of utmost importance, the better. App hardening software can be of great use in tackling this issue, by repairing any cracks in an app’s armour.
- Risk management initiatives often focus on operational rather than strategic concerns
At present, many businesses consider the reduction of downtime and business disruption as their top objectives informing their application security strategies. Unfortunately, this often comes at a detriment to more strategic approaches such as attack prevention. This focus is highlighted by VirusTotal’s recent decision to change its access privileges, which experts said could put companies that rely completely on its insight at risk.
With the threat landscape evolving so rapidly, this blacklist approach to security can put a business at serious threat of a data breach through a vulnerable app. By placing more focus on prevention, malware problems can be tackled at their source before they are allowed to snowball.
- Organisations fail to allocate sufficient resources to application security
Ponemon Institute research has shown that 70 per cent of organisations believe that they do not allocate enough resources to ensure their business-critical apps are kept secure. It goes without saying that this makes the chances of sensitive data being compromised through a flawed app more likely.
Combine this with the fact that security professionals are aware of the many vulnerabilities that apps can have, and it immediately becomes clear that this approach needs to change. Resourcing adequately is always a challenge, but if decision makers are aware of how crucial application security is, they will be more likely to focus their efforts on it.
- A lack of confidence in how to effectively deal with a security breach
A lack of awareness amongst decision makers of the risks associated with app security, combined with the subsequent lack of resourcing, has led to many businesses adopting a pessimistic attitude when considering how well they would cope with a security breach.
To change these deep-seated attitudes, organisations need to bring about a change in culture. Once decision makers realise that application security needs to be taken much more seriously, the first steps can be taken to building a more positive outlook for the future of app development.
- Hope for the future
Fortunately, there is reason to believe that the situation will improve as businesses begin to realise the importance of application security. Research by Gartner has demonstrated that the year-on-year spend on application security increased every year between 2010 and 2014. With the threat landscape becoming an ever more dangerous place, it’s a fairly safe bet to predict that this spending will continue its upward trend in the years to come.
In the meantime, organisations need to work towards making staff at all levels more aware of how crucial application security is, as part of a wider cultural change.