Applications support some of the most strategic business processes and access the most sensitive data. Yet, application security continues to receive less budget and attention than network security.
Thanks to high profile data breaches of the past, we can no longer blame a lack of awareness for the lack of investment; security experts and business leaders now realise hackers are attacking applications.
According to the SANS Institute’s '2015 State of Application Security' survey, the majority of security leaders feel the effectiveness of their application security programmes needs to be improved in order to lower the risk of a successful cyber attack.
> See also: 3 security attributes to look for in a managed services provider
The question is not whether something must be done, but how it should be done. How can organisations reduce application-related security risks whilst still prioritising productivity and managing costs?
A 2014 survey by CompTIA found that managed services are emerging as a solution to the security problem, with nearly half (47%) of businesses using them to address their cyber security needs.
Below you can read more about the top six application security challenges an organisation may face and how managed services can help overcome these:
Hiring and retaining security experts is difficult and costly
Internal security experts looking for new roles are few and far between, with 1 million unfilled IT security jobs worldwide according to Cisco’s 2014 Annual Security Report.
Even if you’re successful in filling the role, the areas of expertise this new employee needs will span multiple domains as software security programmes evolve – authentication, data protection, encryption, testing, design flaws, bugs and client side applications to name a few.
These are just the basics. And that’s a lot to ask of any single expert. Not to mention, the shortage of these positions has caused their salaries to increase dramatically. Organisations will also need to invest in further training to ensure their new expert is up-to-speed – but what happens if they are then lured away to another company?
Vulnerabilities are often inherited
Hackers look for the easiest way into an organisation. Unfortunately, limited internal resources may mean you don’t have the time or tools to identify all paths hackers may take, even when testing regularly.
Hackers will also continue to attack vulnerabilities in code, even if they were written many years ago. When developers reuse code that has long been in circulation, they may inherit its ‘technical debt’ which can include security bugs and flaws.
A testing policy should cover the full company portfolio, investigating existing applications as well as those in development.
Irregular demand requires flexibility
Testing demands are not always consistent. The most common cause of this is an inconsistent pipeline of new applications being developed where most companies no longer follow a fixed-release schedule.
For example, an agile development environment would result in almost continual feature releases with differing levels of technical risk and business impact.
However, an internal application security testing solution is difficult to maintain and not cost-effective; it’s great having staff during busy times but the risk is that skilled employees may then be under utilised during the slow periods.
You need to respond quickly to change
Business evolves. As does technology. Is your security team prepared to respond quickly if new threats come to light that must be investigated and addressed? Or if you enter new markets that have different regulatory requirements?
> See also: How a desk liberation has led to a security nightmare in the legal sector
If demand spikes without a full application security team on hand, you may be scrambling to test and clean code or, worse, deploy patches to software that has already been rolled out.
No single testing tool can catch every vulnerability
Over the past few years, the dynamic and static testing space has become crowded with automated testing tools becoming more sophisticated. Unfortunately, acquiring a testing tool is no guarantee of reducing risk.
It’s important to recognise that each security testing tool has different strengths and by implementing only one or two, you may miss critical issues that increase your risk. Similarly, without the capacity to replicate and confirm findings, you may spend hours chasing false positives.
Tools alone are not enough to keep you safe
Running a standard set of automated scans is not a sufficient method for protecting applications that manage business-critical functions or access sensitive data. You need the expertise to execute in-depth manual testing and interpret the results.
Application security changes constantly. New threats and attacks emerge and regulations ramp up in compliance requirements, meaning your testing and prevention strategies need to stay up to date.
Why managed services?
When you’re struggling to overcome the hurdles of fixed capacity and limited skills, your team can become overburdened and end up being reactive to the latest crisis; this doesn’t leave much time for planning ahead, investing in new skills or completing other projects.
A managed services model can be a lifeline, giving you the flexibility to call in the cavalry when you need it. This team has the experience and skills to make the most of application security tools and can work on multiple tests and projects at the same time.
You no longer need to let capacity or resource challenges dictate your software security policy – external testing partners have access to a myriad of tools and are well versed in the latest compliance requirements.
With the help of managed services, you could let your provider handle all application security testing, while you focus on the higher level management.
Sourced from Jim Ivers, Chief Marketing Officer, Cigital