Business Application Security: Things To Ensure And Insure
By Ed Moyle, Director, ISACA
Today’s businesses live and die by the data, applications, and devices that interconnect their technological ecosystem and business environments. Given that, it should be no surprise that cyber security is increasingly gaining importance in the current digital era. In fact, one needs only look at the headlines to see that it is. Security concerns abound in the trade press, as do breaches, privacy issues, vulnerabilities, and countless other security topics.
Of the three areas listed at the outset, very often it’s the data and devices that get the lion’s share of the attention and budget when it comes to security efforts. While almost every security practitioner will tell you applications are important from a security standpoint – and that there’s a direct link between application security profile and the overall security posture of an organization – they get comparatively less attention on the whole.
There are a few reasons why this is the case. First, fewer technical security professionals historically entered the profession via software development compared to, say, network engineering. Second, applications are a varied bunch: a client/server app written in C++ that lives on a user’s desktop is architecturally and structurally very different from a web app built on Ruby that lives in the cloud. This in turn implies that there are as many ways to secure applications as there are applications.
From an executive level, though, it’s important to recognize that the security of the software and applications that we use (whether we fielded them ourselves or consume them as a subscription service) is every bit as important as the protection mechanisms that we employ for our network defenses, data protection, or the other operational “hygiene” tasks that we would consider it anathema to forego. And if (as is the case for many organizations) there is room to improve, there are a few low-cost, easy-to-implement steps that can help improve an organization’s approach to the security of its applications while it thinks through a broader, more holistic approach.
Why Application Security Matters
It’s important to realize that applications are a common vector for attacks and attackers. Moreover, it’s important to realize that application security is likely to become even more important as the sophistication and complexity of our business environments continue to ratchet up.
First of all, any software can have defects. This is true whether you’re talking about software hosted at an internal datacenter, on a user’s desktop, in the cloud, or on an embedded device. Those defects can lead to security vulnerabilities – situations whereby attackers can subvert the application to get access to something they shouldn’t, prevent others from gaining access, or otherwise do something undesirable. At any point in time, there are potentially hundreds of latent defects (some of which could have a security impact) in any given application.
Second, business applications are some of the most critical services that run the business. Any shop that has ever gone through a BIA (Business Impact Assessment) pursuant to business continuity or disaster recovery planning will acknowledge that this is true. Consequently, when those applications are attacked or otherwise are negatively impacted, the overall effect on the organization can be disproportionately high.
Lastly, it’s important to note that organizations are relying increasingly on Software as a Service (SaaS) and other forms of cloud services, meaning that more applications “live” outside the organization’s network borders. This means that many of the network-level security controls (firewall, intrusion detection) that organizations have already fielded will need to adjust in order to continue to provide value. Likewise, embedded devices (i.e. the “Internet of Things”) increasingly leverage specialized application-aware communication protocols to interconnect. This again means that ensuring the security of those application protocols is key to ensuring the ongoing security of the business overall.
Paving the Way
In light of these factors, application and software security – while already important today – is likely to become increasingly important as time goes by. The next logical question for the CIO, then, is: how do I know if my organization is protected appropriately? What can I do to ensure that my organization is applying appropriate resources to this challenge? How can I monitor my posture over time?
Ultimately, these questions are best answered holistically and systemically, by cultivating resources with an application security specialization, engaging them to work cooperatively with business and other technical teams, giving them the right tools, and holding them accountable through measurement of their activities and progress. In the short term, there are a few things that can assist while this broader approach is being planned.
First and foremost, an organization can start by taking steps to assess the security of the applications it uses, such as through an updated inventory. Again, this includes both internal applications as well as those that might be in use via the cloud. This is harder to get right than it sounds – consider how many applications are in use within a typical organization, including “one-offs” or those that might be limited to an individual department or group.
Next, consider steps to evaluate those services from a security point of view. This could mean leveraging in-house talent where it exists (coupled with the appropriate assessment tools), or it could mean engaging external specialists. Bear in mind that for externally hosted services, this will likely mean obtaining permission from the service provider. The goal here is to get to a minimum level of understanding as you build out future efforts and also to generate immediate feedback that can be used to make short-term improvements. It’s also good practice to do this anyway, so the value here isn’t lost no matter what happens afterwards.
Lastly, build out that longer-term path discussed above; a comprehensive framework that includes application security (e.g. COBIT or ISO 27001) can help you accomplish it systematically and with a mind to the broader organization. This will only become more important as time goes by, so getting started on it now is time well spent.
Founded in 1969, ISACA is a non-profit, independent association that advocates for professionals involved in information security, assurance, risk management, and governance.