5 APPSEC FACTS THAT AREN’T TRUE
VERACODE EBOOK
INTRODUCTION

Congratulations. You broke into IT (I mean, into the frustrating world of being underappreciated by most, yet paid enough to gain some satisfaction from the irony). You are no longer naïve enough to think that “stolen cookies” is what happens on Christmas Eve. But, despite being an IT genius, a few common (yet dangerous) misconceptions about application security may be preventing you from taking critical and simple steps to protect your system.

Web and mobile apps account for more than a third of data breaches, yet I’d bet your time, money and thoughts are focused on a security approach that is, at its best, incomplete. Don’t let assumptions about your applications’ security put you in the headlines for the wrong reasons. Here are some of the common misconceptions about application security and the realities that are often overlooked.

According to the Verizon Data Breach Investigation Report, web and mobile application attacks account for up to 35% of breaches in some industries.

[Figure: Web + mobile apps account for 35% of data breaches]
THE FIVE MYTHS

1. But … implementing an application security program is cost prohibitive. Right?
2. Application security will slip through my fingers like sand. My brain hurts before I’ve even started.
3. I don’t need to worry about security for applications that are not business-critical.
4. But AppSec falls to software vendors.
5. One single technology can secure all applications.
MYTH 1: But… implementing an application security program is cost prohibitive. Right?

THE REALITY

We’ll give it to you straight. Considering that, by the end of 2015, Forrester estimates at least 60 percent of organizations will have suffered a security breach, best not to make your app the weakest link.

Significant damages and financial losses are caused by vulnerabilities in the application layer every day, and this disturbing trend isn’t slowing down. In fact, there was a 48 percent increase in app-layer breaches reported from 2013 to 2014 alone.
[Chart: App-layer breaches by year, y-axis in millions; values paired with their year labels as they appear in the chart]

Year    Millions
2009    3.4
2010    9.4
2011    22.7
2012    24.9
2013    28.9
2014    42.8

Increase in app-layer breaches, 2013–2014: 48%
From lost revenue (stolen corporate data, lowered sales volumes or falling stock) to money spent on investigation and cleanup, not to mention downtime (costs that can average $100,000 an hour) and intangible yet resonating brand loyalty damage, which would you rather pay for?

Luckily for you, the movement toward cloud-based security solutions has reduced many of the costs of application security. The likelihood and cost of a breach clearly outweigh the costs of cloud-based protection. Spend your weekends with your family and friends, rather than with your warm computer at work after a breach.
[Figure: Cost of a breach. Components: lost revenue, cost of downtime, brand damage, money spent on investigation and cleanup. The costs incurred by ineffective or nonexistent app security can add up.]
MYTH 2: Application security will slip through my fingers like sand. My brain hurts before I’ve even started.

THE REALITY

Application landscapes are complex, but securing them doesn’t have to be. Your application portfolio wasn’t built in a day, and your application security program won’t be either. Just K.I.S.S. for now by implementing procedures to assess the most critical apps, then scale further security over time. With the right game plan, application security goes from feeling very overwhelming to becoming very doable.
RESOURCES

GUIDE: Ultimate Guide to Starting an Application Security Program
WEBINAR: 5 Steps for a Winning Application Security Program
WEBINAR: Work Smarter, Not Harder: How You Can Get More From a Mature Security Program
MYTH 3: I don’t need to worry about security for applications that are not business-critical.

THE REALITY

Securing your most critical apps is absolutely a good place to start — but not a good place to stop. Cyberattackers are increasingly targeting less-critical and third-party applications, because they know those apps are like lost puppies — unprotected and alone. For you, this means the entire application landscape needs to be secured.
Most enterprises don’t even know how many public-facing applications they have. Web application perimeters are constantly expanding as enterprises spin up new websites for new marketing campaigns or geographies, create web portals for customers and partners, and acquire companies. Most organizations also have legacy and old marketing sites they’re not even aware of. No wonder your application threat surface is constantly growing.

Don’t forget the apps you’ve built, bought or pieced together with in-house and open source components. Most organizations are not currently securing their entire application landscape and, in fact, may not even know how many applications they have. Starting with creating a global inventory is not a paranoid step for you to take. Recent high-profile breaches continue to prove this point.

REAL-WORLD EXAMPLE

In Target’s case, a sophisticated kill chain exploited a vulnerability in a web app. Though the application was designed to be used by Target’s vendors to process payments, it ultimately allowed hackers access to critical customer data.

Find out the extent of your application threat surface with this Web Application Perimeter Calculator.
MYTH 4: But AppSec falls to software vendors.

THE REALITY

Guess who is going to be left holding the bag if you don’t step up?

Every company is reliant on applications, and uses them to provide access to its critical information. Therefore, every company must also ensure its own applications are secure. Since outside users typically interact with enterprises through applications, every company is becoming a software company, regardless of what its primary business is. To innovate even faster (and complicate your job), organizations are using Agile development and incorporating third-party and open source software — all of which must be checked as well. IDG research revealed that almost two-thirds of applications are not assessed for security. Let’s be proactive, shall we?

[Chart: Apps that ARE tested for security vulnerabilities, by type]

App type            Tested
Mobile apps         38%
Web apps            38%
Client/server apps  37%
Terminal apps       33%

Apps that remain untested: 63%
MYTH 5: One single technology can secure all applications.

THE REALITY

There is no AppSec panacea. A truly effective program uses the strengths of multiple assessment techniques.

Effective application security ultimately includes more than one automated technique, plus manual processes. For example, static analysis (SAST) doesn’t require a fully functional system with test data and automated test suites, and dynamic analysis (DAST) doesn’t require modifying the production environment. Because of these strengths, SAST can be used earlier in the development cycle than both interactive application security testing (IAST) and DAST. And so on.

Each analysis technology has its own strengths. All play a role in a complete application security program:

Software Composition Analysis
Mobile Behavioral
Dynamic
IAST
Static
Web Perimeter Monitoring
Manual Penetration Testing
CONCLUSION

Hopefully now you’ve gained a few insights into the best ways to defend your applications. Here’s to you checking your own fallacies at the door and developing a robust global security plan that includes every connected app. It’s time.

LEARN MORE: Application Security Fallacies and Realities
