The damaging divide in application security
It’s time to get serious about application security and the divisive reality of breaches. Even with today’s intense focus on security, web application attacks are on the rise, with over 40 percent of breaches coming through web applications, according to Verizon’s 2016 Data Breach Investigations Report. Why is this happening? Why are insecure applications being released in the first place? Why are breaches on the rise despite increased scanning and testing efforts during development?
A recent report from Prevoty, The Real Root Cause of Breaches, uncovers an unfortunate trend that may be an underlying contributor to the growth of breaches: security and IT professionals are at severe odds.
Those who work in IT range from general IT professionals to security practitioners to application developers and beyond. The research reveals that, when it comes to the perception and implementation of security, there is a wide and significant divide between general IT professionals and specialized security professionals.
Defining the divide
According to the report, the divide between IT professionals and security professionals can be broken down into three main points.
First, the two groups hold differing attitudes about how urgently application updates need to happen. Security professionals know that today’s security solutions need constant, never-ending updates and patches to keep corporate data and applications secure against evolving threats, and more than half of them (52 percent) update applications at least once per day.
Compare that with IT professionals, half of whom update an application only once every one to six months. In other words, applications managed by IT professionals may be running without updates for up to half a year at a time – a terrifying prospect.
The second point of contention between security and IT professionals is the prevalence of vulnerabilities. On one hand, the majority of security professionals feel they have significant visibility into the vulnerabilities in their applications, while 39 percent of IT professionals report that their organizations have little or no visibility into which vulnerabilities are being exploited. As a result, IT professionals rarely address vulnerabilities, whereas security professionals often work tirelessly to review, prioritize and remediate them.
Speaking of tirelessness, the third and final divisive factor is a huge gap in the acknowledgment of backlogged vulnerabilities. Nearly all (93 percent) security professionals report having up to 5,000 vulnerabilities in their backlogs, and 62 percent say it takes more than 24 hours to fix a newly discovered vulnerability.
To put this into perspective, if a company has a backlog of 5,000 vulnerabilities, it will need close to two years (around 625 days) to address them. IT professionals see the situation quite differently: nearly half of those surveyed report having no vulnerability backlog at all. This prompts a number of questions: Do IT professionals have the same visibility into the issue as security professionals? Do they have the same training or knowledge base?
Shrinking the gap
In order to shrink this damaging gap between IT and security professionals, it is imperative that the larger IT community move forward with a united approach. The disconnect can be repaired through better communication, knowledge sharing and mutual understanding.
Better understanding may begin with educating IT professionals about what it takes to maintain and manage strong security solutions, along with organization-wide practices that promote greater application security visibility, quicker vulnerability remediation, and secure coding. They need to be better informed about the damage that can result from not updating applications often, not searching for vulnerabilities, and not addressing the backlog that they most certainly have.
On the other hand, with the majority of security professionals spending up to four days per week tuning existing application security solutions with policy updates, new definition lists and other reactive configurations, it is no surprise that they don’t have time to focus on more strategic application security efforts. Both teams need to collaborate to combat these issues and find sustainable solutions that don’t require upending existing workloads or adding burdens.
The current security landscape and the ever-present reality of breaches necessitate a joint approach by security and IT professionals to scan for vulnerabilities throughout the application lifecycle – from the development phase, to production, and (lest we forget) while the application is actually running. This may mean securing the budget, time and team resources for continuous vulnerability scanning, as well as for remediating any vulnerabilities that appear at runtime after release (to avoid building a backlog).
Finally, security and IT professionals need to agree to apply a layered security approach at both the network and application layers. In addition to using testing technologies such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), security and IT professionals need to explore newer, more automated security approaches, including next-generation web application firewalls (WAFs) and runtime application self-protection (RASP).
When we look back at the workforce trends of previous generations, we can often identify inefficiencies and interdepartmental silos. In the same way, we hope that companies will be able to close the application security gap through enhanced communication and understanding across all segments of the IT community, and through more aggressive and holistic protection measures.