In this eGuide
Improve Application Security Practices
Third-party Apps Ripe Targets for Cybercriminals
Etsy, Ecommerce and Application Security
Is Application Security the Hole in Your Defense?
Massive Enterprise Software Insecurity
Radically Better Security

Enterprises around the world are facing what could be called the most aggressive threat environment in the history of information technology. Disruptive computing trends are emerging that offer increased employee productivity and business agility, but at the same time introduce a host of new risks and uncertainty. Applications are no exception – the ways that developers create the programs that support the business are always evolving, but security measures to protect these new applications struggle to keep up. When it comes to commercial applications, patching security holes is a must – yet so often these holes are left unplugged and vulnerabilities find their way into the corporate network.

In this eGuide, CIO and sister publications CSO and InfoWorld bring you news, opinions, research and advice regarding the risks that enterprises face from lackluster application security, and steps that can be taken to improve IT defenses. Read on to learn more about application security trends and approaches for today’s insecure world.
How to Improve Your Application Security Practices
The number of serious vulnerabilities in applications is declining, but they are still common. Improving your application security posture requires determining whether you’re a target of opportunity or a target of choice and understanding your development lifecycle.

Is Application Security the Glaring Hole in Your Defense?
Organizations on average spend one-tenth as much on application security as they do on network security, even though SQL injection attacks are the highest root cause of data breaches. Experts say educating developers in writing secure code is the answer.

Third-party Apps Ripe Targets for Cybercriminals
86% of all vulnerabilities in 2012 pinned to non-Microsoft apps.

3 Questions: Etsy, Ecommerce and Application Security
Dinis Cruz on what we do, and don’t, know about web security practices.

Survey Raises Specter of Massive Enterprise Software Insecurity
Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components.

The Two Steps to Radically Better Security
Stop wasting your money and do computer security right with two common-sense practices.

Application Security Resources
Tips and tools to help make your critical applications more secure.
How to Improve Your Application Security Practices
How To
Improving your application security posture requires determining whether you’re a target of opportunity or a target of choice and understanding your development lifecycle.
By Thor Olavsrud • CIO

Organizations talk a good game when it comes to security, but many still focus the majority of their security resources on the network rather than their applications--the vector for most data breaches. Many organizations dedicate less than 10 percent of their IT security budget to application security, according to a study by research firm the Ponemon Institute, released in 2012.

The reasons for this gap are multifaceted, says Jeremiah Grossman, founder and CTO of WhiteHat Security, provider of a continuous vulnerability assessment and management service for thousands of Web sites, including the Web sites of dozens of Fortune 500 companies. First, he says, many security professionals have a blind spot for software.

“Most of the security guys out there are not software people,” he says. “They come from an IT background. All they really know how to do is protect the network.”

Second, regulatory compliance and the cruft that comes with regulations based on past threats also play a role in Grossman’s view. “Organizations must comply,” he says. “They spend the lion’s share of their budget first on firewalls and antivirus because the compliance regulators mandate it.”

Prioritizing Application Security Is a Challenge

It is often difficult for the organization to prioritize application security over revenue-generating development work, he says. Even when organizations identify serious vulnerabilities in their Web sites, it’s not necessarily a simple decision to fix them.

“The organization has to fix it themselves,” he says. “The business has to decide: ‘Do we create revenue-generating features this week? If we don’t deliver those features on time or at all, we will for a fact lose money. Not fixing the vulnerability may potentially cost the business money.’ They have to make a decision.”

Application Vulnerabilities on the Decline

Even with these challenges, Grossman says the application security landscape shows signs of improvement. While 2011 was dubbed the Year of the Breach—based on a multitude of high-profile breaches of companies like RSA, Sony, Facebook and Citigroup, not to mention the CIA and FBI—2011 was also a year in which the average number of serious vulnerabilities in Web sites showed a marked decline.

For 12 years, WhiteHat has put together its WhiteHat Security Website Security Statistics Report based on the vulnerabilities it finds in the Web sites it assesses. The 2011 installment, based on the examination of critical vulnerabilities from 7,000 Web sites across major vertical markets, found an average of 79 serious vulnerabilities per Web site, a drastic reduction from the average of 230 it found in 2010 and 1,111 it found in 2007.

“These are real-world Web sites,” Grossman says. “I would guarantee that you have accounts and data in many of the sites we test.”

Of course, that single statistic doesn’t tell the whole story. While the average came in at 79 serious vulnerabilities, the standard deviation was 670: Some Web sites expose a lot more vulnerabilities than others. Also, according to Netcraft, there are roughly 700 million Web sites on the Internet and tens of millions more are coming online each month. While it’s a large sample, 7,000 Web sites is just a tiny fraction of the whole.

Still, WhiteHat’s findings paint a picture of the state of Web site security today; a picture in which Web site security is slowly improving. The banking vertical continued to show its dedication to security: Banking Web sites again possessed the fewest serious vulnerabilities of any industry with an average of 17 serious vulnerabilities per Web site. Banking also had the highest remediation rate of any industry at 74 percent. Every industry, with the notable exceptions of healthcare and insurance, showed improvement from 2010.

Additionally, time-to-fix showed vast improvement, dropping to an average of 38 days, much shorter than the average of 116 days in 2010. “The developers know that 38 days is actually a really, really good number because they know how long it does take,” Grossman says. “But to the end users, 38 days is unacceptable.”

Steps to Improve Your Security Posture

To improve your application security posture and make the best possible use of your IT security budget, Grossman suggests you first determine whether you are a target of opportunity or a target of choice. Targets of opportunity are breached when their security posture is weaker than the average organization in their industry. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker.

“On the Web, if you’re doing business of any kind, you’re going to be a target of opportunity,” Grossman says. “Everybody has something worth stealing to a bad guy these days. Other companies are a target of choice because they have something the bad guys want: your credit card numbers or IP or customer lists. This aligns with how secure you need to be. No one needs perfect security.”

If you determine you’re a target of opportunity, Grossman says, you need to make sure that you are a little bit more secure than the average business in your category. He notes organizations can use the data in WhiteHat’s free Website Security Statistics Report to benchmark where they need to be.

Targets of choice, on the other hand, need to make themselves as secure as they possibly can and then prepare plans for how to react when they are breached so they can minimize the damage as much as possible.

Grossman also recommends that organizations hack themselves in an effort to understand how attackers will approach their Web sites. Additionally, he says organizations need to understand their benchmarks: which vulnerabilities are most prevalent in their Web sites, what’s their time-to-fix, their remediation percentage, average window of exposure, etc.

If you consistently see vulnerabilities of a particular type, like cross-site scripting or SQL injection, it’s a sign that your developers need education in that issue or your development framework may not be up to snuff. If your time-to-fix is particularly slow, it’s a good bet that you have a procedural issue: your developers aren’t treating vulnerabilities as bugs. If you consistently see vulnerabilities re-opening, it suggests you have a problem with your ‘hot-fix’ process: high-severity vulnerabilities get fixed quickly, but the change isn’t back-ported to development and a future software release overwrites the patch.

“Understand your software development cycle,” Grossman says. “Understand where you’re good, where you’re bad and make your adjustments accordingly.” •

Half empty or half full? “While 2011 was dubbed the Year of the Breach, it was also a year in which the average number of serious vulnerabilities in Web sites showed a marked decline.”
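The benchmarks Grossman lists (most prevalent vulnerability classes, time-to-fix, remediation percentage, average window of exposure) and the re-opening signal that points at a broken hot-fix process can all be computed from a plain findings log. The script below is an added example written for this eGuide, not code from the article or from WhiteHat Security; the Finding fields and the six-item sample backlog are constructed assumptions.

```python
"""Benchmark metrics for a Web-site vulnerability backlog.

Added example, not code from the CIO eGuide or from WhiteHat Security. It
computes the benchmarks the article lists (most prevalent vulnerability
classes, time-to-fix, remediation rate, average window of exposure) and
flags findings that re-opened, the hot-fix regression signal the article
describes. The Finding fields and the sample backlog are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    id: str
    cls: str                 # vulnerability class, e.g. "XSS"
    opened: date             # date the assessment first reported it
    closed: Optional[date]   # date the fix was verified; None while still open
    reopened: int = 0        # times a verified fix came back in a later release


# Constructed sample backlog (not real assessment data).
FINDINGS = [
    Finding("F-1", "XSS", date(2013, 1, 3), date(2013, 1, 23)),
    Finding("F-2", "SQL injection", date(2013, 1, 10), date(2013, 2, 9), reopened=1),
    Finding("F-3", "XSS", date(2013, 2, 1), None),
    Finding("F-4", "XSS", date(2013, 2, 15), date(2013, 3, 27)),
    Finding("F-5", "Information leakage", date(2013, 3, 1), None),
    Finding("F-6", "SQL injection", date(2013, 3, 10), date(2013, 3, 20), reopened=2),
]


def prevalent_classes(findings):
    """Classes ranked by count, most common first. A class that keeps
    recurring points at a developer training gap or a framework that does
    not escape or parameterize for you."""
    return Counter(f.cls for f in findings).most_common()


def time_to_fix_days(findings):
    """Average days from report to verified fix, over fixed findings only."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed]
    return sum(durations) / len(durations) if durations else None


def remediation_rate(findings):
    """Fraction of reported findings that have a verified fix."""
    if not findings:
        return None
    return sum(1 for f in findings if f.closed) / len(findings)


def average_window_of_exposure(findings, as_of):
    """Average days a finding was, or still is, live: open findings are
    counted up to the as_of date, so this keeps growing while fixes lag."""
    days = [((f.closed or as_of) - f.opened).days for f in findings]
    return sum(days) / len(days) if days else None


def reopened_findings(findings):
    """Findings whose fix was overwritten by a later release: a sign the
    hot-fix was not carried back into the development branch."""
    return [f for f in findings if f.reopened > 0]


def benchmark(findings, as_of):
    """Collect the numbers a team would compare against its industry average."""
    return {
        "prevalent": prevalent_classes(findings),
        "time_to_fix_days": time_to_fix_days(findings),
        "remediation_rate": remediation_rate(findings),
        "window_of_exposure_days": average_window_of_exposure(findings, as_of),
        "reopened_ids": [f.id for f in reopened_findings(findings)],
    }


if __name__ == "__main__":
    for key, value in benchmark(FINDINGS, date(2013, 4, 1)).items():
        print(f"{key}: {value}")
```

Time-to-fix deliberately counts only verified fixes, while window of exposure counts every finding up to the reporting date; a team whose time-to-fix looks healthy but whose exposure window keeps growing is fixing the easy items and leaving the rest open.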
Is Application Security the Glaring Hole in Your Defense?
Market Research
Organizations spend one-tenth as much on application security as they do on network security. Experts say educating developers in writing secure code is the answer.
By Thor Olavsrud • CIO

When it comes to security, a large number of organizations have a glaring hole in their defenses: their applications.

A recent study of more than 800 IT security and development professionals reports that most organizations don’t prioritize application security as a discipline, despite the fact that SQL injection attacks are the highest root cause of data breaches. The second-highest root cause is exploited vulnerable code in Web 2.0/social media applications.

Sixty-eight percent of developers’ organizations and 47 percent of security practitioners’ organizations suffered one or more data breaches in the past 24 months due to hacked or compromised applications. A further 19 percent of security practitioners and 16 percent of developers were uncertain if their organization had suffered a data breach due to a compromised or hacked application. Additionally, only 12 percent of security practitioners and 11 percent of developers say all their organizations’ applications meet regulations for privacy, data protection and information security.

Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security.

“We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn’t worked, how industries are organizing themselves and what gaps exist,” says Dr. Larry Ponemon, CEO of the Ponemon Institute, the research firm that conducted the study on the behalf of security firm Security Innovation. “We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it.”

The study found that security practitioners and developers were far apart in their perception of the issue. While one might expect that security practitioners held the more cynical views with regard to application security, in fact the opposite was true. Dr. Ponemon says 71 percent of developers say application security was not adequately emphasized during the application development lifecycle, compared with 49 percent of security practitioners who felt the same way. Additionally, 46 percent of developers say their organization had no process for ensuring security is built into new applications, while only 21 percent of security practitioners believed that to be the case.

Developers and security practitioners are also divided on the issue of remediating vulnerable code. Nearly half (47 percent) of developers say their organizations have no formal mandate to remediate vulnerable code, while 29 percent of security practitioners say the same.

The survey also found that nearly half of developers say there is no collaboration between their development organization and the security organization when it comes to application security. That’s a stark contrast from the 19 percent of security practitioners that say there is no collaboration.

Lack of Collaboration in Application Security

“We basically found that developers were much more likely to think there was a lack of collaboration,” Dr. Ponemon says. “The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they’re getting the word out on collaborating or helping, but they’re not doing so effectively.”

In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don’t understand how to implement that policy. The security organizations think they’ve done their job, but they haven’t managed to make their policy contextual for developers.

“We find that process has no bearing whatsoever on the ability of an organization to write secure code,” Dr. Ponemon says. “It doesn’t take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write.”

But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one. •

App security: a hot potato. 71 percent of developers say application security was not adequately emphasized during the application development lifecycle; 46 percent say their organization had no process for ensuring security was built into new applications; nearly half say there is no collaboration between their development organization and the security organization when it comes to application security.
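Ponemon’s point that a secure line of code costs no more to write than an insecure one is easiest to see on the root cause the study ranks first, SQL injection. The script below is an added example for this eGuide, not code from the article, the Ponemon Institute or Security Innovation: it builds an in-memory SQLite table with constructed rows, runs the same lookup once with the input spliced into the SQL text and once with a bound parameter, and returns both results so a team can turn the comparison into a regression test.

```python
"""String-built SQL beside the parameterized form of the same query.

Added example, not code from the eGuide. The database, its two rows and the
test input are constructed; sqlite3 from the standard library stands in for
whatever database the application really uses.
"""
import sqlite3


def setup_db():
    """Create an in-memory table with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The insecure line: the input becomes part of the SQL text, so a quote
    character in it can change the structure of the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The secure line: the query structure is fixed and the input is bound
    as a value, so it is only ever compared, never parsed."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both forms on the same input and return the rows each produced."""
    conn = setup_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "safe": lookup_safe(conn, username),
        }
    finally:
        conn.close()


# Constructed test input: a value containing a quote that matches no real
# username. A correct lookup must return no rows for it.
QUOTED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    print("ordinary input:", compare("alice"))
    print("quoted input:  ", compare(QUOTED_INPUT))
```

A useful habit is to keep the quoted-input case as a permanent unit test on every lookup function: if the safe variant ever returns rows for a value that matches no user, the query has slipped back into string concatenation.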
Third-party Apps Ripe Targets for Cybercriminals
Market Research
86% of all vulnerabilities in 2012 pinned to non-Microsoft apps
By John P. Mello Jr. • CSO

Third-party apps continue to be juicy targets for byte bandits, primarily because the programs are rife with vulnerabilities, according to a report by Copenhagen-based Secunia, a maker of vulnerability solutions. The main threat to end-point security for corporations and individuals is non-Microsoft applications.

In fact, the share of vulnerabilities attributed to non-Microsoft programs has jumped in the last five years, from 57% in 2007 to 86% in 2012, Secunia said. That contrasts sharply with Microsoft’s share of the vulnerability problem -- 5.5% in its operating systems and 8.5% in its software programs.

While Microsoft used to be a popular target for Internet riff-raff, that’s no longer the case. “We’ve seen an increase over the past 10 years in the focus of cybercriminals on third-party applications,” William Melby, a senior account executive with Secunia, said in an interview.

There are at least two reasons for that, according to Wes Miller, a research analyst with Directions on Microsoft in Kirkland, Wash. “They’re pervasive and they’re not as diligent about how they design and patch their software,” he said.

“Ironically, Windows was the target for the longest time because it was so ubiquitous and while it’s still ubiquitous, I think the bad guys are looking for lower-hanging fruit now like Reader and Flash and Java and iTunes,” he said. “All those things that are pseudo cross-platform -- at least for Mac and Windows -- become a tempting threat vector.”

Microsoft is benefiting from investments it made in writing more secure code over the last decade, according to Stefan Frei, a research director at NSS Labs in Austin, Texas. “Microsoft vulnerabilities dropped drastically from 2011 to 2012,” he said. “That’s made successful exploitation of Microsoft’s programs much, much harder.”

While attention was focused on bolstering the security of Microsoft’s products, little pressure has been exerted on third-party vendors to clean up their acts, he said. “When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down.” Not only has Microsoft improved the quality of its software code, all of its products can be updated through a single process, Melby explained.

“Third-party updates are more complicated,” he said. “You might have to reach out to 30 or 40 vendors to get updates.”

Secunia researchers discovered more than 2,500 programs with more than 9,700 vulnerabilities in 2012, an average of four per product. And while software makers appear to have been keeping pace with the vulnerabilities as they’re found -- 84% of the vulnerabilities had fixes for them on the day they were revealed -- the patches aren’t being applied in a timely way.

Traditionally, the focus of IT departments has been to keep Microsoft’s software up to date and let third-party patches slide, Melby explained. “It’s not good enough just to patch Microsoft applications anymore -- not with the number of vulnerable third party applications running on any given system,” he said. •

Pants-on-the-ground apps. “When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down.” — Stefan Frei, research director, NSS Labs
3 Questions: Etsy, Ecommerce and Application Security
Q&A
Dinis Cruz on what we do, and don’t, know about web security practices
By Michael Fitzgerald • CSO

‘Add to cart.’ ‘Click to buy.’ What could be simpler? Well, web commerce may be simple indeed, but whether it’s secure is another question.

CSO asked Dinis Cruz for some quick insights into the state of application and ecommerce security online. Cruz is leader of the Open Web Application Security Project (OWASP) O2 platform project and principal security engineer at Security Innovation, which provides curriculum, training and services around application security.

CSO: What are the big issues with application security?

Cruz: One of the biggest challenges we have from a security point of view is that most development is broken from a process point of view. A lot of companies struggle just to have a development life cycle, let alone injecting security into it. It’s code security really. Mobile apps have the same issues. They live in a bit more of a controlled environment.

CSO: You’ve blogged about Etsy, the social e-commerce company, and what you (as an outside observer) think it gets right with its application security. What do you like about Etsy’s app security?

Cruz: First, I am not involved with them at all. If you look at their blog, at their presentations, they are introducing a lot of visibility into what’s happening with the application. They have a system that’s so slick and mature that they can blog about it. That speaks volumes about what happens behind the scenes. [Editor’s note: Etsy declined to speak to CSO about their security practices.] They show how you add value by giving (developers) visibility metrics—how it works, how it fits together, and the other changes that happen when you make a change. I like their focus on ‘If you have to fix security, you have to fix development.’

They really have a very good view of how security can add value to development. They make it so developers don’t view security like a tax, a pain point you have to go through. If you can make security add value, then developers want to engage with it.

CSO: Are you concerned about the state of app security? Is it improving?

Cruz: It’s a disaster with a capital D. The good news is we don’t have more attackers with very strong business models. And, the industry is finally starting to pay attention, and doing a much better job of how to develop applications, instead of waiting to get attacked spectacularly.

Etsy stands out. They are not the norm.

What’s interesting is, [what they’re doing] should be normal. If you go to any other industry—well, look at the horsemeat in the food chain story that’s happening now. They’re now talking about evaluating [products labeled as] beef and making sure they know what’s in there. They should do that for software. We build all these applications and frameworks, and very few people understand them. We buy all these products without pragmatic information about how secure they are.

Etsy’s probably best-in-class, but the information we have is very fuzzy. We have information from a blog. It’s non-verifiable, not independently auditable. We’re relying on them to do the right thing and they seem to be, but we don’t know. And they’re one of the best.

If that were food you were buying, you wouldn’t accept that. •

Blunt with a capital ‘B’. “The state of app security is a disaster with a capital D.” — Dinis Cruz, Open Web Application Security Project lead, principal security engineer, Security Innovation
Survey Raises Specter of Massive Enterprise Software Insecurity
Market Research
Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components
By InfoWorld Tech Watch

You’re studiously virus checking your desktop systems, and all your server applications are running on platforms that are regularly updated. But what about the applications themselves -- are they secure?

Sonatype recently released results of the annual Open Source Software Development Survey, which looks at the extent to which developers use open source components, with a particular focus on how they balance the competing needs of speed and security. Sonatype surveyed 3,500 people from more than 50 countries -- more than 85 percent of them developers -- to understand their approaches to assembling software. The results show the massive extent to which developers now rely on components: At least 80 percent of a typical Java application is now assembled from open source components and frameworks.

This has been the case for many years, but the full maturation of the concept of component assembly rather than writing code from scratch is well illustrated -- albeit with a focus mainly on Java components. The popularity of tools like Node Package Manager (npm), CPAN, and more recently PHP Composer suggests Sonatype’s findings probably reflect a general trend independent of the language used. Ask any employable developer and they will tell you: Components are the way things get built.

However, this raises new issues. Sonatype has determined that developers are not keeping up to date with security issues. The survey reports that 71 percent of the applications being built using components from its service use at least one component version with known security issues and for which updated versions exist with those issues addressed. In 2012, 46 million insecure versions of components were downloaded. Security used to be a matter of keeping your off-the-shelf or LAMP-stack software up to date and fully patched, but that’s not a safe assumption any more.

I asked Sonatype CEO Wayne Jackson if there was any evidence of an increase in the number of critical security issues at CERT -- known as CVEs -- that arise from component exploits rather than exploits on finished software. He investigated and found that there were. While in 2006 there were just eight CVEs that identified a component as the source of the risk, by 2012 that number had risen to 50. Today, if you want to keep your company secure it’s not enough to just keep your platforms up to date. You also need a policy that keeps your applications secure.

It’s also possible this problem is more distinct with Maven than with other component repositories, since Maven fixes the version number in the POM rather than offering version ranges. Certainly JavaScript programmers using npm and PHP programmers using PHP Composer are able to specify that use of subsequent minor versions that don’t break API compatibility is acceptable, and update their software with a simple command. But this isn’t just an open source issue or even just a Java issue; it’s probable that proprietary components purchased from closed-source suppliers are affected just as much.

Naturally Sonatype has a product to help with the problem, but the root cause is that most of us simply haven’t realized how far developer choice of components has come to dominate our systems. A black hat hacker can use an exploit on a component as a gateway to systems, and applications in the enterprise that use that component may never get updated to close the exposure and kill the exploit. The survey found that only 38 percent of the organizations surveyed have the controls needed to maintain inventories of the components in use by their applications and ensure security updates happen.

Cyber security is on the national political agenda, but do we really understand what it takes to be secure? Now that enterprise development has become component based, rather than using custom code running on off-the-shelf platforms, it’s time for enterprise development to wake up and smell the black hats. They’re targeting your components, not just your servers. •

[Figure: Component-originated CVEs per year, 2002-2012]
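The control that only 38 percent of surveyed organizations have, an inventory of the components each application uses checked against known security issues, is the same control the Secunia article describes as missing for third-party desktop software: you cannot patch what you have not listed. The script below is an added example for this eGuide, not code from the article, from Sonatype or from Secunia. It parses the dependencies of a Maven POM, where versions are pinned as the article notes, and reports each pinned version that falls inside an advisory’s affected range together with the version that carries the fix. The POM, the advisory entries and their identifiers are constructed placeholders, not real artifacts or CVE numbers.

```python
"""Component inventory check against an advisory list.

Added example, not code from the eGuide, Sonatype or Secunia. It reads the
<dependencies> of a Maven POM and reports every pinned version that falls
inside an advisory's affected range, with the fixed version to move to.
The POM, the advisories and their ids are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed POM fragment; groupIds and artifactIds are made up.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>xml-parse</artifactId><version>1.8.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>logging</artifactId><version>4.0.2</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>crypto-utils</artifactId><version>0.9.5</version></dependency>
  </dependencies>
</project>"""

# Constructed advisories; the ids are placeholders, not real CVE numbers.
# A version is affected when affected_from <= version < affected_below.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "group": "org.example", "artifact": "web-core",
     "affected_from": "0", "affected_below": "2.4.0", "fixed": "2.4.0"},
    {"id": "ADV-PLACEHOLDER-2", "group": "org.example", "artifact": "xml-parse",
     "affected_from": "1.5.0", "affected_below": "1.9.2", "fixed": "1.9.2"},
    {"id": "ADV-PLACEHOLDER-3", "group": "org.example", "artifact": "logging",
     "affected_from": "0", "affected_below": "3.2.0", "fixed": "3.2.0"},
]


def parse_version(text):
    """Turn '1.9.2-beta' into a comparable tuple. Non-numeric pieces count
    as 0 and short versions are padded so '2.4' compares equal to '2.4.0'."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def inventory(pom_text):
    """List (groupId, artifactId, version) for each dependency in the POM."""
    root = ET.fromstring(pom_text)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", MAVEN_NS):
        deps.append((
            dep.findtext("m:groupId", namespaces=MAVEN_NS),
            dep.findtext("m:artifactId", namespaces=MAVEN_NS),
            dep.findtext("m:version", namespaces=MAVEN_NS),
        ))
    return deps


def vulnerable_components(deps, advisories):
    """Match each pinned dependency against every advisory for that artifact."""
    hits = []
    for group, artifact, version in deps:
        v = parse_version(version)
        for adv in advisories:
            if (adv["group"], adv["artifact"]) != (group, artifact):
                continue
            low = parse_version(adv["affected_from"])
            high = parse_version(adv["affected_below"])
            if low <= v < high:
                hits.append({"artifact": artifact, "version": version,
                             "advisory": adv["id"], "fixed": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in vulnerable_components(inventory(POM), ADVISORIES):
        print(f"{hit['artifact']} {hit['version']}: {hit['advisory']}, "
              f"fixed in {hit['fixed']}")
```

Run against a real POM this becomes a build-time gate: fail the build when the list of hits is non-empty, and keep the advisory feed updated on its own schedule so a pinned version that was clean when chosen is re-checked on every build rather than only when someone remembers.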
Two Steps to Radically Better Security
By Roger A. Grimes • InfoWorld
Expert Advice
Stop wasting your money and do computer security right with two common-sense practices

Here’s a shocking fact I’ve learned from 25-plus years of security consulting: Most security projects fail to improve the safety of the organizations launching them. Security will be compromised as frequently after the project as before. To put it bluntly, most computer security projects are a waste of time and money.

One reason for this dysfunction is that organizations launch way too many projects with woefully unrealistic expectations about their impact and the level of effort required to do them right. The fact is, if companies did a better job at just two defenses, they would be far better protected than if they completed the dozen-odd projects they’re attempting to pull off.

In many cases, the two defenses I recommend are inexpensive or even free. They don’t require multi-million-dollar projects dragged out for more than a year. They don’t demand cutting-edge solutions. They simply require that organizations do a better job at two things they’ve been told to do for decades. And guess what? They work.

Stop users from executing malicious programs

Most computers are compromised because users launch malicious programs. It’s that simple. That’s why application control is the single best thing you can do to improve computer security in your company.

The classic example is the fake virus alert, which prompts the user to install antivirus software that’s actually malware. But of course this ploy extends to other “apps” purporting some benefit, from games to Windows utilities that are actually malware or spyware. The classic email attachment ruse still finds suckers who blithely double-click on malware pretending to be everything from an invoice to a video of the Zumba lady.

Serious, mandatory training for end-users helps a lot, but you can never prevent all users from launching this stuff all the time. The most secure way to stop users from executing malicious programs is to deploy an application control or whitelisting program. I’ve talked a lot about the benefits of application control programs and even did a comparative review a few years ago. I’ve worked with most of them, and they’ve all improved over time.

Yet in many cases senior management will not back strict application control. I understand that. I know the challenges -- particularly with the abundance of new downloadable apps, especially mobile ones, which carry real user productivity benefits. But understand that not implementing strict application control means you will not be able to reduce malicious risk in your environment beyond a certain point.

A less stringent approach is to enable users to download and install programs only from trusted application stores that ensure the security of their applications. Programs from trusted stores are sometimes found to be vulnerable to hacking or to have privacy issues. By and large, those are the exceptions; when caught, they are immediately removed and eradicated. Plus, most apps downloaded from application stores are automatically updated when security issues are discovered and patched. That’s great for everyone.
A corollary to controlling what can be installed is restricting who can install it. To prevent the easy installation of programs that have not been reviewed or approved, don’t let anyone run with elevated privileges or permissions most of the time. You can do this using manual processes, privileged identity management (PIM) products, Microsoft’s User Account Control (UAC), Unix/Linux’s sudoers functionality, or any other method or product that accomplishes the same goal.

The dirty little secret is that removing elevated privileges still won’t seal off your defenses. Lots of malicious programs can run or be installed without elevated security privileges. Malicious programs can accomplish nearly every wanted outcome without the user logged in as Administrator or root. They can steal passwords and identities, as well as redirect browsers to places the user didn’t intend to go. Nonetheless, you can reduce risk somewhat if users have fewer privileged accounts while reading email or surfing the Web.

Lastly, don’t neglect end-user education. After application control, it’s the best way to prevent unwanted programs from being installed -- when it’s done right. Most end-user education misses obvious points and refers to outdated threats. Get the backing of management, conduct mandatory sessions on a regular basis, and ensure your instruction is current and specific to your organization. When users know what their own antimalware software looks like, they’re much less likely to fall for the fake stuff.
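To make the difference between strict application control and the looser "trusted store" approach concrete, here is an added example (not code from the article or from any product it mentions): a deny-by-default policy engine that models the three rule types allow-listing products offer, run over constructed launch events that mirror the fake-antivirus and e-mail-attachment ruses described above. All paths, publisher names and file contents are constructed for the demo.

```python
"""Deny-by-default application control, modelled as a small policy engine.

Added example, not from the article or any product it names. Three rule types
are modelled, strictest first: exact file hash, signed publisher (the
"trusted store" compromise the article describes), and trusted install
directory. Anything matching no rule is denied and logged for the SOC.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ExecEvent:
    """One attempted program launch (all fields constructed for the demo)."""
    path: str                        # full path of the executable
    content: bytes                   # file bytes, hashed to match hash rules
    publisher: Optional[str] = None  # subject of a *valid* code signature, or None
    user_writable: bool = False      # True if a standard user can write to this location


@dataclass
class AllowListPolicy:
    allowed_hashes: set = field(default_factory=set)      # sha256 hex digests
    trusted_publishers: set = field(default_factory=set)  # signer names
    trusted_dirs: tuple = ()                              # directory prefixes
    denials: list = field(default_factory=list)           # audit trail of blocked launches

    def decide(self, ev: ExecEvent) -> tuple:
        """Return (allowed, reason). Rules are checked strictest first."""
        digest = hashlib.sha256(ev.content).hexdigest()
        if digest in self.allowed_hashes:
            return True, "hash rule"
        if ev.publisher is not None and ev.publisher in self.trusted_publishers:
            return True, "publisher rule"
        # A path rule only means something for locations a standard user cannot
        # write to; otherwise malware could simply be dropped into that folder.
        if not ev.user_writable and any(
            ev.path.lower().startswith(d.lower()) for d in self.trusted_dirs
        ):
            return True, "path rule"
        self.denials.append(
            f"DENY path={ev.path} sha256={digest[:16]} publisher={ev.publisher}"
        )
        return False, "no matching rule"


def build_demo_policy() -> AllowListPolicy:
    """Constructed policy for a fictional Windows fleet: OS and Program Files
    directories are trusted, the OS vendor's signer is trusted, and one
    in-house tool living elsewhere is pinned by hash."""
    lob_tool = b"constructed bytes of an in-house line-of-business tool"
    return AllowListPolicy(
        allowed_hashes={hashlib.sha256(lob_tool).hexdigest()},
        trusted_publishers={"Microsoft Windows"},
        trusted_dirs=("C:\\Windows\\", "C:\\Program Files\\"),
    )


# Constructed launch events mirroring the scenarios in the article.
DEMO_EVENTS = [
    # Legitimate OS binary: signed and in a protected directory.
    ExecEvent("C:\\Windows\\System32\\notepad.exe", b"notepad bytes", "Microsoft Windows"),
    # Third-party app an admin installed properly: unsigned but in Program Files.
    ExecEvent("C:\\Program Files\\Acme\\acme.exe", b"acme bytes"),
    # Fake antivirus alert payload: unsigned, dropped into the user's Downloads.
    ExecEvent("C:\\Users\\jane\\Downloads\\AntiVirus_Pro_2013.exe", b"fake av", None, True),
    # E-mail attachment ruse: an "invoice" that is really an executable in %TEMP%.
    ExecEvent("C:\\Users\\jane\\AppData\\Local\\Temp\\Invoice_4471.pdf.exe", b"attachment", None, True),
    # In-house tool outside the trusted dirs, allowed only because its hash is pinned.
    ExecEvent("D:\\Tools\\lob_tool.exe", b"constructed bytes of an in-house line-of-business tool"),
    # A modified copy of that tool: one changed byte, so the hash rule no longer matches.
    ExecEvent("C:\\Users\\jane\\Downloads\\lob_tool.exe",
              b"constructed bytes of an in-house line-of-business tool!", None, True),
]


def evaluate(policy: AllowListPolicy, events) -> dict:
    """Run every event through the policy; return {path: (allowed, reason)}."""
    return {ev.path: policy.decide(ev) for ev in events}


if __name__ == "__main__":
    pol = build_demo_policy()
    for path, (ok, why) in evaluate(pol, DEMO_EVENTS).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {path}  ({why})")
    print("\n".join(pol.denials))
```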
Patch everything faster

The other best defense is to patch all software in a timely way. This has been a mantra for more than two decades now, which is why it’s so surprising that so few companies patch as quickly as they should. Yes, they’re doing better at patching operating systems, but they do a horrible job at patching the most popular Internet add-on products, like Oracle Java or Adobe Acrobat, both of which have been ranked as the most exploited products for years.
Websense recently collected data that showed 74 percent of active computers were still susceptible to Java exploits from 2012. No less than 94 percent were susceptible to the latest patched Java exploit. My personal experience completely backs up these points. I rarely find a patched Java installation. I find unpatched Java on workstations and servers that have no need for Java. This same unpatched Java allows your company to be silently infected over and over.

Your company cannot plausibly claim it cares about the security of its data if it fails to patch the most exploited program of the day. I understand the frustrations and challenges of better patching. I understand that we computer security people would patch things better and faster if it was left up to us. But simply not doing this one thing better means you’ll never be free of easy computer compromise. The hackers will always enter your company’s boundaries and steal data and passwords at will. You cannot stop them.

Of course it takes more than two computer defenses to make a complete defense. You still face password-cracking hackers, SQL injections, XSS browser attacks, misconfiguration exploits, zero-day vulnerabilities, and so on. But all of those attack types, in aggregate, don’t hold a candle to the main two problems. Solve them and you’ll be a hero. •
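The Websense figures above are exactly the kind of number a company should be able to produce for its own fleet. As an added example (not from the article), here is a small patch-compliance report for third-party add-ons such as Java and Acrobat: it parses Java's legacy "1.7.0_45" version style numerically, measures what share of installs sit below a baseline, and flags servers where Java is installed without any need for it, which is a removal rather than a patching job. The inventory, host roles and baseline versions are constructed placeholders, not real fix levels.

```python
"""Patch-compliance report for third-party add-ons such as Java and Acrobat.

Added example, not part of the article. The host inventory and the
"minimum acceptable version" baseline are constructed placeholders, not
real fix levels; in practice the baseline comes from the vendor's release
notes and the inventory from your software asset management tool.
"""
import re
from collections import defaultdict


def parse_version(text: str) -> tuple:
    """Turn vendor version strings into comparable integer tuples.

    Handles Java's legacy "1.7.0_45" style as well as plain dotted versions
    such as "10.1.8": every run of digits becomes one component, so
    "1.7.0_45" correctly sorts above "1.7.0_9" (a plain string comparison
    would get that backwards).
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


# Constructed baseline: lowest version considered patched for each product.
BASELINE = {
    "Oracle Java": "1.7.0_45",
    "Adobe Acrobat": "10.1.8",
}

# Constructed inventory: (hostname, role, product, installed version).
INVENTORY = [
    ("ws-001", "workstation", "Oracle Java", "1.7.0_45"),
    ("ws-002", "workstation", "Oracle Java", "1.6.0_37"),
    ("ws-003", "workstation", "Oracle Java", "1.7.0_17"),
    ("ws-004", "workstation", "Adobe Acrobat", "10.1.4"),
    ("ws-005", "workstation", "Adobe Acrobat", "10.1.8"),
    ("db-01", "database server", "Oracle Java", "1.6.0_29"),
    ("file-01", "file server", "Oracle Java", "1.7.0_10"),
]

# Constructed: roles with no business need for Java. For these hosts the right
# fix is removal, not patching (the article's point about servers running Java).
NO_JAVA_ROLES = {"database server", "file server"}


def is_patched(product: str, version: str) -> bool:
    """True if the installed version meets or exceeds the product baseline."""
    return parse_version(version) >= parse_version(BASELINE[product])


def compliance_report(inventory) -> dict:
    """Per product: install count, unpatched hosts, percentage exposed, and
    hosts where the product should simply be removed."""
    stats = defaultdict(lambda: {"installs": 0, "unpatched": [], "remove": []})
    for host, role, product, version in inventory:
        entry = stats[product]
        entry["installs"] += 1
        if not is_patched(product, version):
            entry["unpatched"].append(host)
        if product == "Oracle Java" and role in NO_JAVA_ROLES:
            entry["remove"].append(host)
    report = {}
    for product, entry in stats.items():
        exposed_pct = round(100 * len(entry["unpatched"]) / entry["installs"])
        report[product] = {
            "installs": entry["installs"],
            "unpatched": entry["unpatched"],
            "exposed_pct": exposed_pct,
            "remove": entry["remove"],
        }
    return report


if __name__ == "__main__":
    for product, r in compliance_report(INVENTORY).items():
        print(f"{product}: {r['installs']} installs, {r['exposed_pct']}% below "
              f"baseline {BASELINE[product]}; unpatched={r['unpatched']}; "
              f"remove={r['remove']}")
```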
Application Security Resources
Tips and tools

2012 Cost of Cyber Crime Study: United States
The focus of this study is to quantify the economic impact of cyber attacks and observe cost trends over time. The loss or misuse of information is the most significant consequence of a cyber attack, and it comes at significant financial cost.

Know the Big Three
The rapid transformation of mobile computing has seen security concerns outpaced by the ease of use, flexibility, and productivity of mobile devices. Here we take a look at three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.

Rethinking Your Enterprise Security: Critical Priorities to Consider
Forward-thinking enterprises realize they need to focus on a sustainable approach to security and risk management—one that is designed to address the new wave of vulnerabilities that prevail due to increasing trends in IT consumerization, mobility, social media, cloud computing, and cyber crime.

Big Security for Big Data
The multitude of devices, users, and generated traffic combine to create a proliferation of data that is being created with incredible volume, velocity, and variety. As a result, organizations need a way to protect, utilize, and gain real-time insight from “big data.” So, how do you get started?

2012 HP Cyber Risk Report
In the HP 2012 Cyber Risk Report, HP Enterprise Security provides a broad view of the vulnerability landscape, ranging from industry-wide data down to a focused look at different technologies, including web and mobile.

Contenu connexe

Plus de Envision Technology Advisors

Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Envision Technology Advisors
 

Plus de Envision Technology Advisors (20)

Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber Threats
 
Cloud Based Email
Cloud Based EmailCloud Based Email
Cloud Based Email
 
Survivors Guide To The Cloud
Survivors Guide To The CloudSurvivors Guide To The Cloud
Survivors Guide To The Cloud
 
Ten Myths About Deleted Files
Ten Myths About Deleted FilesTen Myths About Deleted Files
Ten Myths About Deleted Files
 
Disaster Recovery - Deep Dive
Disaster Recovery - Deep DiveDisaster Recovery - Deep Dive
Disaster Recovery - Deep Dive
 
The State of Global Markets 2013
The State of Global Markets 2013The State of Global Markets 2013
The State of Global Markets 2013
 
Ten Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted FilesTen Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted Files
 
Detecting Stopping Advanced Attacks
Detecting Stopping Advanced AttacksDetecting Stopping Advanced Attacks
Detecting Stopping Advanced Attacks
 
8 Strategies For Building A Modern DataCenter
8 Strategies For Building A Modern DataCenter8 Strategies For Building A Modern DataCenter
8 Strategies For Building A Modern DataCenter
 
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
 
7 Steps To Developing A Cloud Security Plan
7 Steps To Developing A Cloud Security Plan7 Steps To Developing A Cloud Security Plan
7 Steps To Developing A Cloud Security Plan
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
 
Cloud or Onsite BDR?
Cloud or Onsite BDR?Cloud or Onsite BDR?
Cloud or Onsite BDR?
 
Forrester Emerging MSSP Wave
Forrester Emerging MSSP WaveForrester Emerging MSSP Wave
Forrester Emerging MSSP Wave
 
RetroFit's Network Monitoring Solution
RetroFit's Network Monitoring SolutionRetroFit's Network Monitoring Solution
RetroFit's Network Monitoring Solution
 
Network Latency
Network LatencyNetwork Latency
Network Latency
 
2013 Threat Report
2013 Threat Report2013 Threat Report
2013 Threat Report
 
Termination of Windows XP
Termination of Windows XPTermination of Windows XP
Termination of Windows XP
 
WhenThe Going Gets Tough
WhenThe Going Gets ToughWhenThe Going Gets Tough
WhenThe Going Gets Tough
 
As A Man-Thinketh
As A Man-ThinkethAs A Man-Thinketh
As A Man-Thinketh
 

Application Security

  • 1. eGuideIn this eGuide Application Security Improve Application Security Practices Third-party Apps Ripe Targets for Cybercriminals Etsy, Ecommerce and Application Security Is Application Security the Hole in Your Defense? Massive Enterprise Software Insecurity Radically Better Security Enterprises around the world are facing what could be called the most aggressive threat environment in the history of information technology. Disruptive computing trends are emerging that offer increased employee productivity and business agility, but at the same time introduce a host of new risks and uncertainty. Applications are no exception – the ways that developers create the programs that support the business are always evolving, but security measures to protect these new applications struggle to keep up. When it comes to commercial applications, patching security holes is a must – yet so often these holes are left unplugged and vulnerabilities find their way into the corporate network. In this eGuide, CIO and sister publications CSO and InfoWorld bring you news, opinions, research and advice regarding the risks that enterprises face from lackluster application security, and steps that can be taken to improve IT defenses. Read on to learn more about application security trends and approaches for today’s insecure world. Resources How to Improve Your Application Security Practices The number of serious vulnerabilities in applica- tions are declining, but they are still common. Improving your application security posture requires determin- ing whether you’re a target of opportunity or a target of choice and understanding your development lifecycle Is Application Secu- rity the Glaring Hole in Your Defense? Organizations on average spend one-tenth as much on application security as they do on network security, even though SQL injection attacks are the highest root cause of data breaches. 
Experts say educating devel- opers in writing secure code is the answer Third-party Apps Ripe Targets for Cybercriminals 86% of all vulnerabilities in 2012 pinned to non- Microsoft apps 3 Questions: Etsy, Ecommerce and Application Security Dinis Cruz on what we do, and don’t, know about web security practices Survey Raises Specter of Massive Enterprise Software Insecurity Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components The Two Steps to Radically Better Security Stop wasting your money and do computer secu- rity right with two common- sense practices Application Security Resources Tips and tools to help make your critical applications more secure Sponsored by
  • 2. 2 of 16 Application Security eGuide Improve Application Security Practices Third-party Apps Ripe Targets for Cybercriminals Etsy, Ecommerce and Application Security Is Application Security the Hole in Your Defense? Massive Enterprise Software Insecurity Radically Better Security Resources How to ImproveYour Application Security Practices By Thor Olavsrud • CIO Organizations talk a good game when it comes to security, but many still focus the majority of their security resources on the network rather than their applications--the vector for most data breaches. Many organizations dedicate less than 10 percent of their IT security budget to applica- tion security, according to a study by research firm the Ponemon Institute, released in 2012. The reasons for this gap are multifaceted, says Jere- miah Grossman, founder and CTO of WhiteHat Security, provider of a continuous vulnerability assessment and management service for thousands of Web sites, includ- ing the Web sites of dozens of Fortune 500 companies. First, he says, many security professionals have a blind spot for software. “Most of the security guys out there are not software people,” he says. “They come from an IT background. All they really know how to do is protect the network.” Second, regulatory compliance and the cruft that comes with regulations based on past threats also play a role in Grossman’s view. “Organizations must comply,” he says. “They spend the lion’s share of their budget first on firewalls and antivirus because the compliance regulators mandate it.” Prioritizing Application Security Is a Challenge It is often difficult for the organization to prioritize applica- tion security over revenue-generating development work, he says. Even when organizations identify serious vulner- abilities in their Web sites, it’s not necessarily a simple decision to fix them. “The organization has to fix it themselves,” he says. 
“The business has to decide: ‘Do we create revenue-gen- erating features this week? If we don’t deliver those fea- How To Improving your application security posture requires determining whether you’re a target of opportunity or a target of choice and understanding your develop- ment lifecycle
  • 3. 3 of 16 Application Security eGuide Improve Application Security Practices Third-party Apps Ripe Targets for Cybercriminals Etsy, Ecommerce and Application Security Is Application Security the Hole in Your Defense? Massive Enterprise Software Insecurity Radically Better Security Resources tures on time or at all, we will for a fact lose money. Not fixing the vulnerability may potentially cost the business money.’ They have to make a decision.” Application Vulnerabilities on the Decline Even with these challenges, Grossman says the applica- tion security landscape shows signs of improvement. While 2011 was dubbed the Year of the Breach—based on a mul- titude of high-profile breaches of companies like RSA, Sony, Facebook and Citigroup, not to mention the CIA and FBI— 2011 was also a year in which the average number of seri- ous vulnerabilities in Web sites showed a marked decline. For 12 years, WhiteHat has put together its WhiteHat Security Website Security Statistics Report based on the vulnerabilities it finds in the Web sites it assesses. The 2011 installment, based on the examination of critical vulnerabilities from 7,000 Web sites across major vertical markets, found an average of 79 serious vulnerabilities per Web site, a drastic reduction from the average of 230 it found in 2010 and 1,111 it found in 2007. “These are real-world Web sites,” Grossman says. “I would guarantee that you have accounts and data in many of the sites we test.” Of course, that single statistic doesn’t tell the whole story. While the average came in at 79 serious vulner- abilities, the standard deviation was 670: Some Web sites expose a lot more vulnerabilities than others. Also, according to Netcraft, there are roughly 700 million Web sites on the Internet and tens of millions more are coming online each month. While it’s a large sample, 7,000 Web sites is just a tiny fraction of the whole. 
Still, WhiteHat’s findings paint a picture of the state of Web site security today; a picture in which Web site security is slowly improving. The banking vertical continued to show its dedication to security: Banking Web sites again pos- sessed the fewest serious vulnerabilities of any industry with an average of 17 serious vulnerabilities per Web site. Bank- ing also had the highest remediation rate of any industry at 74 percent. Every industry, with the notable exceptions of healthcare and insurance, showed improvement from 2010. Additionally, time-to-fix showed vast improvement, dropping to an average of 38 days-much shorter than the average of 116 days in 2010. “The developers know that 38 days is actually a really, really good number because they know how long it does take,” Grossman says. “But to the end users, 38 days is unacceptable.” Steps to Improve Your Security Posture To improve your application security posture and make the best possible use of your IT security budget, Gross- While 2011 was dubbed theYear of the Breach, it was also a year in which the average number of serious vulnerabilities inWeb sites showed a marked decline. Half empty or half full?
  • 4. 4 of 16 Application Security eGuide Improve Application Security Practices Third-party Apps Ripe Targets for Cybercriminals Etsy, Ecommerce and Application Security Is Application Security the Hole in Your Defense? Massive Enterprise Software Insecurity Radically Better Security Resources man suggests you first determine whether you are a target of opportunity or a target of choice. Targets of opportu- nity are breached when their security posture is weaker than the average organization in their industry. Targets of choice possess some type of unique and valuable infor- mation, or perhaps a reputation or brand that is particu- larly attractive to a motivated attacker. “On the Web, if you’re doing business of any kind, you’re going to be a target of opportunity,” Grossman says. “Ev- erybody has something worth stealing to a bad guy these days. Other companies are a target of choice because they have something the bad guys want: your credit card numbers or IP or customer lists. This aligns with how se- cure you need to be. No one needs perfect security.” If you determine you’re a target of opportunity, Gross- man says, you need to make sure that you are a little bit more secure than the average business in your category. He notes organizations can use the data in its free White- Hat Security Website Security Statistics Report to bench- mark where they need to be. Targets of choice, on the other hand, need to make themselves as secure as they possibly can and then pre- pare plans for how to react when they are breached so they can minimize the damage as much as possible. Grossman also recommends that organizations hack themselves in an effort to understand how attackers will approach their Web sites. Additionally, he says organiza- tions need to understand their benchmarks: which vulner- abilities are most prevalent in their Web sites, what’s their time-to-fix, their remediation percentage, average window of exposure, etc. 
If you consistently see vulnerabilities of a particular type, like cross-site scripting or SQL injection, it’s a sign that your developers need education in that issue or your development framework may not be up to snuff. If your time-to-fix is particularly slow, it’s a good bet that you have a procedural issue-your developers aren’t treating vulner- abilities as bugs. If you consistently see vulnerabilities re- opening, it suggests you have a problem with your ‘hot-fix’ process-high-severity vulnerabilities get fixed quickly but the change is back-ported to development and a future software release overwrites the patch. “Understand your software development cycle,” Gross- man says. “Understand where you’re good, where you’re bad and make your adjustments accordingly.” •
  • 5. 5 of 16 Application Security eGuide Improve Application Security Practices Third-party Apps Ripe Targets for Cybercriminals Etsy, Ecommerce and Application Security Is Application Security the Hole in Your Defense? Massive Enterprise Software Insecurity Radically Better Security Resources When it comes to security, a large number of organizations have a glaring hole in their defenses: their applications. A recent study of more than 800 IT security and devel- opment professionals reports that most organizations don’t prioritize application security as a discipline, despite the fact that SQL injection attacks are the highest root cause of data breaches. The second-highest root cause is exploit- ed vulnerable code in Web 2.0/social media applications. Sixty-eight percent of developers’ organizations and 47 percent of security practitioners’ organizations suffered one or more data breaches in the past 24 months due to hacked or compromised applications. A further 19 percent of secu- rity practitioners and 16 percent of developers were uncer- tain if their organization had suffered a data breach due to a compromised or hacked application. Additionally, only 12 percent of security practitioners and 11 percent of develop- ers say all their organizations’ applications meet regulations for privacy, data protection and information security. Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security. “We set out to measure the tolerance to risk across the established phases of application security, and de- fine what works and what hasn’t worked, how industries are organizing themselves and what gaps exist,” says Dr. Larry Ponemon, CEO of the Ponemon Institute, the research firm that conducted the study on the behalf of security firm Security Innovation. 
“We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunder- standing of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but Is Application Security the Glaring Hole inYour Defense? Organizations spend one-tenth as much on application security as they do on network security. Experts say educating developers in writing secure code is the answer. By Thor Olavsrud • CIO Market Research
  • 6. 6 of 16 Application Security eGuide Improve Application Security Practices Third-party Apps Ripe Targets for Cybercriminals Etsy, Ecommerce and Application Security Is Application Security the Hole in Your Defense? Massive Enterprise Software Insecurity Radically Better Security Resources also not understanding what to do about it.” The study found that security practitioners and develop- ers were far apart in their perception of the issue. While one might expect that security practitioners held the more cynical views with regard to application security, in fact the opposite was true. Dr. Ponemon says 71 percent of developers say application security was not adequately emphasized during the application development lifecycle, compared with 49 percent of security practitioners who felt the same way. Additionally, 46 percent of developers say their organization had no process for ensuring security is built into new applications, while only 21 percent of secu- rity practitioners believed that to be the case. Developers and security practitioners are also divided on the issue of remediating vulnerable code. Nearly half (47 percent) of developers say their organizations have no formal mandate to remediate vulnerable code, while 29 percent of security practitioners say the same. The survey also found that nearly half of developers say there is no collaboration between their development organi- zation and the security organization when it comes to appli- cation security. That’s a stark contrast from the 19 percent of security practitioners that say there is no collaboration. Lack of Collaboration in Application Security “We basically found that developers were much more likely to think there was a lack of collaboration,” Dr. Ponemon says. “The security folks, on the whole, thought the collabo- ration was OK. 
I think that one of the biggest problems is that the security folks think they’re getting the word out on collaborating or helping, but they’re not doing so effectively.” In other words, Dr. Ponemon says, the security organi- zation writes its security policy and gives it to developers, but the developers, by and large, don’t understand how to implement that policy. The security organizations think they’ve done their job, but they haven’t managed to make their policy contextual for developers. “We find that process has no bearing whatsoever on the ability of an organization to write secure code,” Dr. Ponemon says. “It doesn’t take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write.” But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of devel- opers say their organization has a fully deployed applica- tion security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one.• 71 percent of developers say application security was not adequately emphasized during the application development lifecycle;46 percent say their organization had no process for ensuring security was built into new applications;nearly half say there is no collaboration between their development organization and the security organization when it comes to application security. App security : a hot potato
  • 7. 7 of 16 Application Security eGuide Improve Application Security Practices Third-party Apps Ripe Targets for Cybercriminals Etsy, Ecommerce and Application Security Is Application Security the Hole in Your Defense? Massive Enterprise Software Insecurity Radically Better Security Resources Third-party Apps Ripe Targets for Cybercriminals Third-party apps continue to be juicy targets for byte ban- dits, primarily because the programs are rife with vulnera- bilities, according to a report by Copenhagen-based Secu- nia, a maker of vulnerability solutions. The main threat to end-point security for corporations and individuals is non-Microsoft applications. In fact, the share of vulnerabilities attributed to non-Micro- soft programs has jumped in the last five years, from 57% in 2007 to 86% in 2012, Secunia said. That contrasts sharply with Microsoft’s share of the vulnerability problem -- 5.5% in its operating systems and 8.5% in its software programs. While Microsoft used to be a popular target for Internet riff-raff, that’s no longer the case. “We’ve seen an increase over the past 10 years in the focus of cybercriminals on third-party applications,” William Melby, a senior account executive with Secunia, said in an interview. There’s at least two reasons for that, according to Wes Miller, a research analyst with Directions on Microsoft in Kirk- land, Wash. “They’re pervasive and they’re not as diligent about how they design and patch their software,” he said. “Ironically, Windows was the target for the longest time because it was so ubiquitous and while it’s still ubiquitous, I think the bad guys are looking for lower-hanging fruit now like Reader and Flash and Java and iTunes,” he said. 
“All those things that are pseudo cross-platform -- at least for Mac and Windows -- become a tempting threat vector.” Microsoft is benefiting from investments it made in writ- ing more secure code over the last decade, according to Stefan Frei, a research director at NSS Labs in Austin, Texas. “Microsoft vulnerabilities dropped drastically from 2011 to 2012,” he said. “That’s made successful exploitation of Mi- crosoft’s programs much, much harder.” While attention was focused on bolstering the security of Microsoft’s products, little pressure has been exerted on third-party vendors to clean up their acts, he said. “When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down.” Not only has Microsoft improved the quality of its software code, all of its products can be updated through a single process, Melby explained. “Third-party updates are more complicated,” he said. “You might have to reach out to 30 or 40 vendors to get updates.” Secunia researchers discovered more than 2,500 pro- By John P. Mello Jr. • CSO Market Research 86% of all vulnerabilities in 2012 pinned to non-Microsoft apps
  • 8. 8 of 16 Application Security eGuide Improve Application Security Practices Third-party Apps Ripe Targets for Cybercriminals Etsy, Ecommerce and Application Security Is Application Security the Hole in Your Defense? Massive Enterprise Software Insecurity Radically Better Security Resources grams with more than 9,700 vulnerabilities in 2012, an average of four per product. And while software makers ap- pear to have been keeping pace with the vulnerabilities as they’re found -- 84% of the vulnerabilities had fixes for them on the day they were revealed -- the patches aren’t being applied in a timely way. Traditionally, the focus of IT departments has been to keep Microsoft’s software up to date and let third-party patches slide, Melby explained. “It’s not good enough to just to patch Microsoft applications anymore -- not with the number of vulnerable third party applications running on any given system,” he said.• “When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down.” — Stefan Frei,research director,NSS Labs Pants-on-the-ground apps
3 Questions: Etsy, Ecommerce and Application Security

Q&A by Michael Fitzgerald • CSO

Dinis Cruz on what we do, and don’t, know about web security practices

‘Add to cart’. ‘Click to buy’. —What could be simpler? Well, web commerce may be simple indeed, but whether it’s secure is another question. CSO asked Dinis Cruz for some quick insights into the state of application and ecommerce security online. Cruz is leader of the Open Web Application Security Project (OWASP) O2 platform project and principal security engineer at Security Innovation, which provides curriculum, training and services around application security.

CSO: What are the big issues with application security?

Cruz: One of the biggest challenges we have from a security point of view is that most development is broken from a process point of view. A lot of companies struggle just to have a development life cycle, let alone injecting security into it. It’s code security really. Mobile apps have the same issues. They live in a bit more of a controlled environment.

CSO: You’ve blogged about Etsy, the social e-commerce company, and what you (as an outside observer) think it gets right with its application security. What do you like about Etsy’s app security?

Cruz: First, I am not involved with them at all. If you look at their blog, at their presentations, they are introducing a lot of visibility into what’s happening with the application. They have a system that’s so slick and mature that they can blog about it. That speaks volumes about what happens behind the scenes. [Editor’s note: Etsy declined to speak to CSO about their security practices.] They show how you add value by giving (developers) visibility metrics—how it works, how it fits together, and the other changes that happen when you make a change.

I like their focus on ‘If you have to fix security, you have to fix development.’ They really have a very good view of how security can add value to development. They make it so developers don’t view security like a tax, a pain point you have to go through. If you can make security add value, then developers want to engage with it.
CSO: Are you concerned about the state of app security? Is it improving?

Cruz: It’s a disaster with a capital D. The good news is we don’t have more attackers with very strong business models. And, the industry is finally starting to pay attention, and doing a much better job of how to develop applications, instead of waiting to get attacked spectacularly.

Etsy stands out. They are not the norm. What’s interesting is, [what they’re doing] should be normal. If you go to any other industry—well, look at the horsemeat in the food chain story that’s happening now. They’re now talking about evaluating [products labeled as] beef and making sure they know what’s in there. They should do that for software. We build all these applications and frameworks, and very few people understand them. We buy all these products without pragmatic information about how secure they are.

Etsy’s probably best-in-class, but the information we have is very fuzzy. We have information from a blog. It’s non-verifiable, not independently auditable. We’re relying on them to do the right thing and they seem to be, but we don’t know. And they’re one of the best. If that were food you were buying, you wouldn’t accept that.

Blunt with a capital ‘B’

“The state of app security is a disaster with a capital D.” — Dinis Cruz, Open Web Application Security Project lead, principal security engineer, Security Innovation
Survey Raises Specter of Massive Enterprise Software Insecurity

By InfoWorld Tech Watch • Market Research

Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components

You’re studiously virus checking your desktop systems, and all your server applications are running on platforms that are regularly updated. But what about the applications themselves -- are they secure?

Sonatype recently released results of the annual Open Source Software Development Survey, which looks at the extent to which developers use open source components, with a particular focus on how they balance the competing needs of speed and security. Sonatype surveyed 3,500 people from more than 50 countries -- more than 85 percent of them developers -- to understand their approaches to assembling software. The results show the massive extent to which developers now rely on components: At least 80 percent of a typical Java application is now assembled from open source components and frameworks.

This has been the case for many years, but the full maturation of the concept of component assembly rather than writing code from scratch is well illustrated -- albeit with a focus mainly on Java components. The popularity of tools like Node Package Manager (npm), CPAN, and more recently PHP Composer suggests Sonatype’s findings probably reflect a general trend independent of the language used. Ask any employable developer and they will tell you: Components are the way things get built.

However, this raises new issues. Sonatype has determined that developers are not keeping up to date with security issues. The survey reports that 71 percent of the applications being built using components from its service use at least one component version with known security issues and for which updated versions exist with those issues addressed. In 2012, 46 million insecure versions of components were downloaded. Security used to be a matter of keeping your off-the-shelf or LAMP-stack software up to date and fully patched, but that’s not a safe assumption any more.

I asked Sonatype CEO Wayne Jackson if there was any evidence of an increase in the number of critical security issues at CERT -- known as CVEs -- that arise from component exploits rather than exploits on finished software.
He investigated and found that there were. While in 2006 there were just eight CVEs that identified a component as the source of the risk, by 2012 that number had risen to 50. Today, if you want to keep your company secure it’s not enough to just keep your platforms up to date. You also need a policy that keeps your applications secure.

It’s also possible this problem is more distinct with Maven than with other component repositories, since Maven fixes the version number in the POM rather than offering version ranges. Certainly JavaScript programmers using npm and PHP programmers using PHP Composer are able to specify that use of subsequent minor versions that don’t break API compatibility is acceptable, and update their software with a simple command. But this isn’t just an open source issue or even just a Java issue; it’s probable that proprietary components purchased from closed-source suppliers are affected just as much.

Naturally Sonatype has a product to help with the problem, but the root cause is that most of us simply haven’t realized how far developer choice of components has come to dominate our systems. A black hat hacker can use an exploit on a component as a gateway to systems, and applications in the enterprise that use that component may never get updated to close the exposure and kill the exploit. The survey found that only 38 percent of the organizations surveyed have the controls needed to maintain inventories of the components in use by their applications and ensure security updates happen.

Cyber security is on the national political agenda, but do we really understand what it takes to be secure? Now that enterprise development has become component based, rather than using custom code running on off-the-shelf platforms, it’s time for enterprise development to wake up and smell the black hats. They’re targeting your components, not just your servers.

[Chart: Component-originated CVEs per year, 2002-2012]
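As an added example (not from the article, and not Sonatype’s own tooling), the following Python script performs the inventory check the survey says only 38 percent of organizations can do: it reads a constructed component inventory in groupId:artifactId:version form, compares it with a constructed advisory feed, and flags each component that has a known issue for which a fixed version already exists, the situation the survey put at 71 percent of applications. It also records whether the fix is a same-major-version update of the kind an npm- or Composer-style version range would pick up on its own, or a major-version jump that a pinned POM would never take without an explicit change. All coordinates, versions and advisory ids below are made-up placeholders, not real packages or CVEs.

```python
import re
from dataclasses import dataclass

# Constructed sample inventory, one component per line in groupId:artifactId:version
# form (the shape of a Maven dependency listing). Coordinates and versions are made up.
INVENTORY = """
org.example:web-framework:2.3.1
org.example:xml-parser:1.0.4
org.example:json-lib:5.2.0
org.example:crypto-utils:0.9.8
"""

# Constructed advisory feed: (advisory id, groupId, artifactId, first fixed version).
# The ids are placeholders, not real CVE numbers. A component is treated as affected
# when its version is strictly below fixed_in.
ADVISORIES = [
    ("ADV-EXAMPLE-0001", "org.example", "web-framework", "2.3.5"),
    ("ADV-EXAMPLE-0002", "org.example", "xml-parser", "1.1.0"),
    ("ADV-EXAMPLE-0003", "org.example", "crypto-utils", "1.0.0"),
    ("ADV-EXAMPLE-0004", "org.example", "json-lib", "5.1.2"),  # inventory is already past this fix
]


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str


def parse_inventory(text):
    """Turn groupId:artifactId:version lines into Component records; skips blanks and comments."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, name, version = line.split(":")
        components.append(Component(group, name, version))
    return components


def version_key(version):
    """Numeric comparison key: "2.3.1" -> (2, 3, 1).

    Deliberately simplified: qualifiers such as -rc1 or -SNAPSHOT are dropped, so a
    production tool should use the ecosystem's own comparator (Maven, semver, PEP 440).
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def fix_is_compatible_update(current, fixed_in):
    """True when the fix stays within the current major version, i.e. the kind of
    update a caret-style range (^2.3.1) in npm or Composer would pick up on its own."""
    cur, fix = version_key(current), version_key(fixed_in)
    return bool(cur) and bool(fix) and cur[0] == fix[0] and fix >= cur


def find_outdated(components, advisories):
    """Return (component, advisory id, fixed_in, compatible) for every component that
    has a known issue and for which a fixed version already exists."""
    findings = []
    for component in components:
        for advisory_id, group, name, fixed_in in advisories:
            if (component.group, component.name) != (group, name):
                continue
            if version_key(component.version) < version_key(fixed_in):
                findings.append((component, advisory_id, fixed_in,
                                 fix_is_compatible_update(component.version, fixed_in)))
    return findings


def report(text=INVENTORY, advisories=ADVISORIES):
    """Print one line per finding and return the findings for further processing."""
    findings = find_outdated(parse_inventory(text), advisories)
    for component, advisory_id, fixed_in, compatible in findings:
        kind = "minor update" if compatible else "major upgrade"
        print(f"{component.group}:{component.name}:{component.version}  "
              f"{advisory_id}  fixed in {fixed_in} ({kind})")
    return findings


if __name__ == "__main__":
    report()
```

Run against the constructed data it flags three of the four components; json-lib is skipped because the inventory already carries a version at or above the fix. The crypto-utils finding is marked as a major upgrade, which is the case a version range cannot resolve for you and a pinned POM will silently leave in place until someone changes it.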
Two Steps to Radically Better Security

By Roger A. Grimes • InfoWorld

Expert Advice: Stop wasting your money and do computer security right with two common-sense practices

Here’s a shocking fact I’ve learned from 25-plus years of security consulting: Most security projects fail to improve the safety of the organizations launching them. Security will be compromised as frequently after the project as before. To put it bluntly, most computer security projects are a waste of time and money.

One reason for this dysfunction is that organizations launch way too many projects with woefully unrealistic expectations about their impact and the level of effort required to do them right. The fact is if all companies did a better job at just two defenses, their companies would be far better protected than if they were to complete the dozen-odd projects they’re attempting to pull off. In many cases, the two defenses I recommend are inexpensive or even free. They don’t require multi-million-dollar projects dragged out for more than a year. They don’t demand cutting-edge solutions. They simply require that organizations do a better job at two things they’ve been told to do for decades. And guess what? They work.

Stop users from executing malicious programs

Most computers are compromised because users launch malicious programs. It’s that simple. That’s why application control is the single best thing you can do to improve computer security in your company.

The classic example is the fake virus alert, which prompts the user to install antivirus software that’s actually malware. But of course this ploy extends to other “apps” purporting some benefit, from games to Windows utilities that are actually malware or spyware. The classic email attachment ruse still finds suckers who blithely double-click on malware pretending to be everything from an invoice to a video of the Zumba lady.

Serious, mandatory training for end-users helps a lot, but you can never prevent all users from launching this stuff all the time. The most secure way to stop users from executing malicious programs is to deploy an application control or whitelisting program. I’ve talked a lot about the benefits of application control programs and even did a comparative review a few years ago. I’ve worked with most of them, and they’ve all improved over time.

Yet in many cases senior management will not back strict application control. I understand that. I know the challenges -- particularly with the abundance of new downloadable apps, particularly mobile ones, which carry real user productivity benefits. But understand that not implementing strict application control means you will not be able to reduce malicious risk in your environment beyond a certain point.

A less stringent approach is to enable users to download and install programs only from trusted application stores that ensure the security of their applications. Programs from trusted stores are sometimes found to be vulnerable to hacking or to have privacy issues. By and large, those are the exceptions; when caught, they are immediately removed and eradicated. Plus, most apps downloaded from application stores are automatically updated when security issues are discovered and patched. That’s great for everyone.

A corollary to controlling what can be installed is restricting who can install it. To prevent the easy installation of programs that have not been reviewed or approved, don’t let anyone run with elevated privileges or permissions most of the time. You can do this using manual processes, privilege identity management (PIM) products, Microsoft’s User Account Control (UAC), Unix/Linux’s sudoers functionality, or any other method or product that accomplishes the same goal.

The dirty little secret is that removing elevated privileges still won’t seal off your defenses. Lots of malicious programs can run or be installed without elevated security privileges. Malicious programs can accomplish nearly every wanted outcome without the user logged in as Administrator or root. They can steal passwords and identities, as well as redirect browsers to places the user didn’t intend to go. Nonetheless, you can reduce risk somewhat if users have fewer privileged accounts while reading email or surfing the Web.

Lastly, don’t neglect end-user education.
After application control, it’s the best way to prevent unwanted programs from being installed -- when it’s done right. Most end-user education misses obvious points and refers to outdated threats. Get the backing of management, conduct mandatory sessions on a regular basis, and ensure your instruction is current and specific to your organization. When users know what their own antimalware software looks like, they’re much less likely to fall for the fake stuff.

Patch everything faster

The other best defense is to patch all software in a timely way. This has been a mantra for more than two decades now, which is why it’s so surprising that so few companies patch as quickly as they should. Yes, they’re doing better at patching operating systems, but they do a horrible job at patching the most popular Internet add-on products, like Oracle Java or Adobe Acrobat, both of which have been ranked as the most exploited products for years.
Websense recently collected data that showed 74 percent of active computers were still susceptible to Java exploits from 2012. No less than 94 percent were susceptible to the latest patched Java exploit. My personal experience completely backs up these points. I rarely find a patched Java installation. I find unpatched Java on workstations and servers that have no need for Java. This same unpatched Java allows your company to be silently infected over and over.

Your company cannot plausibly claim it cares about the security of its data if it fails to patch the most exploited program of the day. I understand the frustrations and challenges of better patching. I understand that we computer security people would patch things better and faster if it was left up to us. But simply not doing this one thing better means you’ll never be free of easy computer compromise. The hackers will always enter your company’s boundaries and steal data and passwords at will. You cannot stop them.

Of course it takes more than two computer defenses to make a complete defense. You still face password-cracking hackers, SQL injections, XSS browser attacks, misconfiguration exploits, zero-day vulnerabilities, and so on. But all of those attack types, in aggregate, don’t hold a candle to the main two problems. Solve them and you’ll be a hero.
Application Security Resources

Tips and tools

2012 Cost of Cyber Crime Study: United States
The focus of this study is to quantify the economic impact of cyber attacks and observe cost trends over time. The loss or misuse of information is the most significant consequence of a cyber attack, and it comes at significant financial cost.

Know the Big Three
The rapid transformation of mobile computing has seen security concerns outpaced by the ease of use, flexibility, and productivity of mobile devices. Here we take a look at three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.

Rethinking Your Enterprise Security: Critical Priorities to Consider
Forward-thinking enterprises realize they need to focus on a sustainable approach to security and risk management—one that is designed to address the new wave of vulnerabilities that prevail due to increasing trends in IT consumerization, mobility, social media, cloud computing, and cyber crime.

Big Security for Big Data
The multitude of devices, users, and generated traffic combine to create a proliferation of data that is being created with incredible volume, velocity, and variety. As a result, organizations need a way to protect, utilize, and gain real-time insight from “big data.” So, how do you get started?

2012 HP Cyber Risk Report
In the HP 2012 Cyber Risk Report, HP Enterprise Security provides a broad view of the vulnerability landscape, ranging from industry-wide data down to a focused look at different technologies, including web and mobile.