
5 AppSec Facts That Aren’t True

Chances are, your application security efforts are incomplete. Maybe you think application security is too costly or complicated. Or maybe you think you’re all set because your most critical apps are covered, or even that application security is unnecessary because you’re not a software provider. The reality is that without a robust application security program, you are leaving your organization’s critical data and information vulnerable to attack. Cyberattackers are increasingly targeting the application layer; in fact, Akamai recently found that attacks on the application layer are growing by more than 25 percent annually (Akamai Q3 2015 State of the Internet - Security Report: https://www.stateoftheinternet.com/resources-cloud-security-2015-q3-web-security-report.html).

Don’t let assumptions about your applications’ security put you in the headlines for the wrong reasons. You need the facts about application security. This presentation clearly highlights the AppSec facts and stats you need to make a case for application security and get started on the right path.

Published in: Software

5 AppSec Facts That Aren’t True

  1. 5 APPSEC FACTS THAT AREN’T TRUE. A VERACODE EBOOK.
  2. INTRODUCTION. Congratulations. You broke into IT (I mean, into the frustrating world of being underappreciated by most, yet paid enough to gain some satisfaction from the irony). You are no longer naïve enough to think that “stolen cookies” is what happens on Christmas Eve. But, despite being an IT genius, a few common (yet dangerous) misconceptions about application security may be preventing you from taking critical and simple steps to protect your system. Web and mobile apps account for more than a third of data breaches, yet I’d bet your time, money and thoughts are focused on a security approach that is, at its best, incomplete. Don’t let assumptions about your applications’ security put you in the headlines for the wrong reasons. Here are some of the common misconceptions about application security and the realities that are often overlooked.
     Callout: According to the Verizon Data Breach Investigation Report, web and mobile application attacks account for up to 35% of breaches in some industries.
  3. The five “facts”:
     1. But … implementing an application security program is cost prohibitive. Right?
     2. Application security will slip through my fingers like sand. My brain hurts before I’ve even started.
     3. I don’t need to worry about security for applications that are not business-critical.
     4. But AppSec falls to software vendors.
     5. One single technology can secure all applications.
  4. Fact 1: But … implementing an application security program is cost prohibitive. Right?
     THE REALITY: We’ll give it to you straight. Considering that, by the end of 2015, Forrester estimates at least 60 percent of organizations will have suffered a security breach, best not to make your app the weakest link. Significant damages and financial losses are caused by vulnerabilities in the application layer every day, and this disturbing trend isn’t slowing down. In fact, there was a 48 percent increase in app-layer breaches reported from 2013 to 2014 alone.
     [Chart, y-axis labelled MILLIONS, app-layer breaches by year: 2009: 3.4; 2010: 9.4; 2011: 22.7; 2012: 24.9; 2013: 28.9; 2014: 42.8. Increase in app-layer breaches 2013–2014: 48%.]
  5. From lost revenue (stolen corporate data, lowered sales volumes or falling stock) to money spent on investigation and cleanup, not to mention downtime (costs that can average $100,000 an hour) and intangible yet resonating brand loyalty damage, which would you rather pay for? Luckily for you, the movement toward cloud-based security solutions has reduced many of the costs of application security. The likelihood and cost of a breach clearly outweigh the costs of cloud-based protection. Spend your weekends with your family and friends, rather than with your warm computer at work after a breach.
     [Chart: Cost of a breach. The costs incurred by ineffective or nonexistent app security can add up: lost revenue; money spent on investigation + cleanup; cost of downtime; brand damage.]
  6. Fact 2: Application security will slip through my fingers like sand. My brain hurts before I’ve even started.
     THE REALITY: Application landscapes are complex, but securing them doesn’t have to be. Your application portfolio wasn’t built in a day, and your application security program won’t be either. Just K.I.S.S. for now by implementing procedures to assess the most critical apps, then scale further security over time. With the right game plan, application security goes from feeling very overwhelming to becoming very doable.
     RESOURCES: Guide: Ultimate Guide to Starting an Application Security Program. Webinar: 5 Steps for a Winning Application Security Program. Webinar: Work Smarter, Not Harder: How You Can Get More From a Mature Security Program.
  7. Fact 3: I don’t need to worry about security for applications that are not business-critical.
     THE REALITY: Securing your most critical apps is absolutely a good place to start — but not a good place to stop. Cyberattackers are increasingly targeting less-critical and third-party applications, because they know those apps are like lost puppies — unprotected and alone. For you, this means the entire application landscape needs to be secured.
  8. Don’t forget the apps you’ve built, bought or pieced together with in-house and open source components. Most organizations are not currently securing their entire application landscape and, in fact, may not even know how many applications they have. Starting with creating a global inventory is not a paranoid step for you to take. Recent high-profile breaches continue to prove this point.
     Most enterprises don’t even know how many public-facing applications they have. Web application perimeters are constantly expanding as enterprises spin up new websites for new marketing campaigns or geographies, create web portals for customers and partners, and acquire companies. Most organizations also have legacy and old marketing sites they’re not even aware of. No wonder your application threat surface is constantly growing.
     REAL-WORLD EXAMPLE: In Target’s case, a sophisticated kill chain exploited a vulnerability in a web app. Though the application was designed to be used by Target’s vendors to process payments, it ultimately allowed hackers access to critical customer data.
     Find out the extent of your application threat surface with this Web Application Perimeter Calculator.
  9. Fact 4: But AppSec falls to software vendors.
     THE REALITY: Guess who is going to be left holding the bag if you don’t step up? Every company is reliant on applications, and uses them to provide access to its critical information. Therefore, every company must also ensure its own applications are secure. Since outside users typically interact with enterprises through applications, every company is becoming a software company, regardless of what its primary business is. To innovate even faster (and complicate your job), organizations are using Agile development and incorporating third-party and open source software — all of which must be checked as well. IDG research revealed that almost two-thirds of applications are not assessed for security. Let’s be proactive, shall we?
     [Chart: Apps that ARE tested for security vulnerabilities: 38% mobile apps; 38% web apps; 37% client/server apps; 33% terminal apps. Apps that remain untested: 63%.]
  10. Fact 5: One single technology can secure all applications.
     THE REALITY: There is no AppSec panacea. A truly effective program uses the strengths of multiple assessment techniques. Effective application security ultimately includes more than one automated technique, plus manual processes. For example, static analysis (SAST) doesn’t require a fully functional system with test data and automated test suites, and dynamic analysis (DAST) doesn’t require modifying the production environment. Because of these strengths, SAST can be used earlier in the development cycle than both interactive application security testing (IAST) and DAST. And so on.
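The SAST/DAST distinction above is the one point on this page that a worked example makes concrete. The following is an added example, not code from the Veracode ebook or from any Veracode product: a toy static check that reads constructed source text beside a toy dynamic check that inspects a constructed HTTP response, showing that each finds a class of defect the other cannot see. The regex rules, the sample application code and the sample response are all constructed for illustration; a real SAST engine parses and data-flows the program rather than pattern-matching lines, and a real DAST scanner issues live requests.

```python
"""
Toy SAST-vs-DAST comparison (added example, constructed inputs).

- static_scan() sees only source text. It needs no running system, so it can
  run at commit time, and it can see code-level defects such as SQL built by
  string concatenation or a hard-coded credential.
- dynamic_scan() sees only what a deployed service returns. It never sees
  source, so it can see deployment-level problems (missing security headers,
  a version banner, a stack trace in an error page) that no source scan knows
  about, and it works against any technology stack.
"""
import re
from typing import Dict, List

# Constructed sample source: a hypothetical app module under review.
SAMPLE_SOURCE = '''
DB_PASSWORD = "hunter2"   # hard-coded secret

def find_user(cursor, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    cursor.execute(query)
    return cursor.fetchone()

def find_user_safe(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
    return cursor.fetchone()
'''

# Constructed sample response: what a dynamic scanner would observe from a
# deployed instance. Hand-built dict, not a real HTTP exchange.
SAMPLE_RESPONSE = {
    "status": 500,
    "headers": {
        "Server": "Apache/2.4.18 (Ubuntu)",   # version banner
        "Content-Type": "text/html",
        # Strict-Transport-Security and X-Content-Type-Options are absent
    },
    "body": "Traceback (most recent call last):\n  File \"app.py\", line 12 ...",
}

# Static rules: line-oriented regexes (a stand-in for real program analysis).
STATIC_RULES = {
    # a SQL verb inside a string literal, immediately followed by "+"
    "sql-string-concat": re.compile(r'"(SELECT|INSERT|UPDATE|DELETE)[^"]*"\s*\+'),
    # an assignment of a quoted literal to a secret-looking name
    "hardcoded-secret": re.compile(r"(?i)(password|secret|api_key)\s*=\s*[\"'][^\"']+[\"']"),
}

# Headers a hardened deployment is expected to send.
REQUIRED_HEADERS = ["Strict-Transport-Security", "X-Content-Type-Options"]


def static_scan(source: str) -> List[Dict]:
    """Report each (rule, line) where a static rule matches the source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in STATIC_RULES.items():
            if pattern.search(line):
                findings.append({"rule": rule, "line": lineno})
    return findings


def dynamic_scan(response: Dict) -> List[Dict]:
    """Report deployment-level issues visible only in a live response."""
    findings = []
    headers = {k.lower(): v for k, v in response["headers"].items()}
    for name in REQUIRED_HEADERS:
        if name.lower() not in headers:
            findings.append({"rule": "missing-header", "detail": name})
    server = headers.get("server", "")
    if re.search(r"/\d+\.\d+", server):          # product/version pattern
        findings.append({"rule": "server-version-banner", "detail": server})
    if response["status"] >= 500 and "Traceback" in response["body"]:
        findings.append({"rule": "stack-trace-leak", "detail": "500 body contains a traceback"})
    return findings


def run_both(source: str, response: Dict) -> Dict[str, List[str]]:
    """Rule names found by each technique; neither list covers the other."""
    return {
        "static": sorted({f["rule"] for f in static_scan(source)}),
        "dynamic": sorted({f["rule"] for f in dynamic_scan(response)}),
    }


if __name__ == "__main__":
    for f in static_scan(SAMPLE_SOURCE):
        print("SAST ", f)
    for f in dynamic_scan(SAMPLE_RESPONSE):
        print("DAST ", f)
```

The static pass flags the concatenated query and the hard-coded password but says nothing about how the service is deployed; the dynamic pass flags the missing headers, the version banner and the leaked traceback but cannot tell that the parameterised `find_user_safe` exists, nor which code path produced the error. That gap between the two lists is the reason the slide argues for more than one technique.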
  11. Each analysis technology has its own strengths. All play a role in a complete application security program: Software Composition Analysis; Mobile Behavioral; Dynamic; IAST; Static; Web Perimeter Monitoring; Manual Penetration Testing.
  12. CONCLUSION: Hopefully now you’ve gained a few insights into the best ways to defend your applications. Here’s to you checking your own fallacies at the door and developing a robust global security plan that includes every connected app. It’s time.
     LEARN MORE: Application Security Fallacies and Realities.
