02 Mar 2012
A new Quocirca report underlines the scale of the application security challenge faced by businesses. The average enterprise tracks around 500 mission-critical applications, in financial services organisations it is closer to 800. The security challenge arises because more and more of these applications are web-enabled. Furthermore, businesses are increasingly relying on software provided as a service (SaaS) and apps that run on mobile devices, both of which are, by definition, web-enabled.
Businesses worry about application security for three reasons. First, security failures leave them vulnerable to hackers and malware; second, auditors expect application security to be demonstrable; and third, customers, with whom they share business processes via applications, are also increasingly likely to seek security guarantees.
There are a number of approaches that can be taken to ensuring better application security. For in-house developed software, best practices can be better ensured through training of developers. For commercially acquired software, due diligence during procurement is necessary, seeking assurances from independent software vendors (ISV). However, these measures can never ensure that software is 100% secure.
For this reason, three other approaches should be considered:
1. Application scanning: scanning software to eliminate flaws at source. There are two approaches, the static scanning of code or binaries before deployment and the dynamic scanning of binaries during testing or after deployment. Static scanning is pervasive, looking at every line of code. Scans can be conducted as regularly as is deemed necessary. Whilst on-premise scanning tools have been relied on in the past, the use of on-demand scanning services has become increasingly popular, as the providers of such services have visibility into the tens of thousands of applications scanned on behalf of thousands of customers. Such services are often charged for on a per-application basis, so unlimited scans can be carried out, even on a daily basis. The relatively low cost of on-demand scanning services makes them affordable and scalable for all applications, including non-mission-critical ones.
2. Manual penetration testing (pen-testing): where specialist third parties are engaged to test the security of applications and the effectiveness of defences. These are white hats, deliberately trying to hack applications but with no bad intent (as opposed to black hats). Because actual people are involved in the process, pen-testing is relatively expensive and only carried out periodically; new threats may emerge between tests. Most organisations will find pen-testing unaffordable for all deployed software, and it is generally reserved for the most sensitive and vulnerable applications.
3. Web application firewalls (WAF): these are placed in front of applications to protect them from application-focussed threats. They are more complex to deploy than traditional network firewalls and, whilst affording good protection, do nothing to fix the underlying flaws in software. WAFs also need to scale with traffic volumes: more traffic means more cost.
100% software security is never going to be guaranteed, and many organisations use multiple approaches to maximise protection. Interestingly, although one of the reasons for having demonstrable software security is to satisfy auditors, compliance bodies do not themselves mandate multiple approaches for compliance. For example, the Payment Card Industry Security Standards Council (PCI-SSC) deems code scanning to be an acceptable alternative to a WAF.
For today’s businesses the use of software is not a choice; however the methods chosen to improve software security and, in turn, the costs involved and the benefits achieved are. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes.
Quocirca’s report “Outsourcing the problem of software security” is freely available here.
A Quocirca online webinar on this topic will be available from March 16th 2012 here.
Bob Tarzey, Analyst and Director, Quocirca
From recent briefings with a number of IT security vendors it would seem that most can now identify any new threat immediately and that at the same time none of them can. This contradiction is down to the “we can, they can’t” mantra that any vendor of any product is bound to use against its competitors. Of course, they can’t all be right; in fact, all who make such claims are wrong.
One thing most are right about is that relying on signatures of known malware to protect their customers has not been enough for a long time now. Signature-based recognition is still an important way to cut down the amount of malware moving around; better that spam-bearing emails are stopped in the cloud than at the desktop. However, many of the IT security threats that businesses face cannot be characterised by a simple digital signature.
Security vendors are also right when they identify one of the biggest risks to their customers as zero-day threats (i.e. new ones that have not been seen before and cannot therefore be recognised by existing signatures). Such threats are becoming more and more common as the tools for writing and distributing malware become more sophisticated. It is now possible to ensure every incidence of a new virus is different enough from its siblings to appear unique compared to any existing signature.
So IT security vendors are rightly focusing more and more on identifying and stopping previously unknown threats and coming up with increasingly clever ways of doing so; the IT security arms race continues apace. Where they overreach themselves is in claiming they can spot any new threat. This was brought home to Quocirca recently when a new entrant to the IT security market made such a claim, but then said it had delayed its launch because the rise of WikiLeaks and LulzSec had led it to make further changes to its product. In other words, it had not foreseen some threats that customers may face.
No single IT security vendor can spot every existing threat and identify every new one. However, between them they are doing a pretty good job. None of us, businesses or consumers, can rely completely on a single security technology. Even if you believe you have catch-all anti-virus software on your PC, iPad or smartphone, it does not make sense to turn off security at your wireless router or decline spam and malware filtering services from your internet and/or email service provider.
Good IT security will always be about multiple layers of protection and using products from a variety of vendors. When well-managed, to ensure all known threat vectors are covered, using various security technologies will maximise the chance of recognising and stopping malware. But, even this is not enough. Other measures should also be in place.
For example, organisations should reconsider their security posture; a more open approach to business could mean less worry about protecting intellectual property. Educating employees about their responsibilities with regard to personally identifiable information (PII) and providing regular reminders about this is as important a part of ensuring compliance as any security technology. With IT and data security, belts and braces is the only approach. Beware the vendor who promises all.
Bob Tarzey, Analyst and Director, Quocirca