Better Application Security: Discovery and Vigilance

BrandPost By Pete Bartolik
Mar 16, 2021
Security

Track down vulnerabilities across growing portfolios

Credit: iStock

CSO recently labeled the cybersecurity battle as “a war without end.” Not long after the SolarWinds revelations, we learned that tens of thousands, if not hundreds of thousands, of Microsoft Exchange servers had been compromised. But security and IT practitioners know too well that organizations could better protect themselves with better application security hygiene.

That sentiment came through during a recent #IDGTechtalk Twitter chat on March 11 moderated by @nyike (Isaac Sacolick) and sponsored by @GlobalNTT.

Human error is often part of the problem, if not the cause, when a breach occurs:

Biggest issue with security is people. People who weren’t trained. People who didn’t manage patches effectively. People who didn’t think beyond their organizational boundaries. People who didn’t test their security postures. Arsalan Khan @ArsalanAKhan

But lax procedures often set us up for failures:

…let’s not forget that many applications enter the organization without a security/risk review. Need to fix the leaky pipes first. Tim Crawford @tcrawford

We thrive in and are at risk from an app economy. The threat profile expands every time a new app is introduced to an organization or a user’s device:

The @forrester State of Application Security report noted application vulnerabilities will continue to be the most common external attack method. #CIO/#CISO must realize that w/o effective app security, IT investments are at serious risk. Ben Rothke @benrothke
Yes, average business user touches 30+ applications every day. That’s a lot of potential threat vectors. Adam Stein @apstein2

Organizations need to look at how aware they are of the application security threat inside their perimeters:

First, you can’t protect what you don’t know about. Starting with a good and detailed inventory of systems and services/apps is the best place to start. This also doesn’t mean immediately remediating… Assess where the risks are. Such as, if you have a critical system that has to run older software or hardware that may be vulnerable, ensure there are protections and mitigations in place to attempt to prevent exploitation. Amélie E. Koran @webjedi
#IDGTECHtalk A1) IT Teams should determine the top threats & see what safeguards are in place: TOP THREATS typically are: #Phishing attacks, #Ransomware attacks, (RDP) Remote Desktop Protocol attacks, #WiFi #MITM (Man in the middle) #HotSpot attacks. Scott Schober @ScottBVS

Awareness alone isn’t sufficient, though. It’s high time that we all ensure we’re taking the appropriate actions:

Finding vulnerabilities does not make your apps secure. Make sure fixes are actually implemented, by retesting, and also by testing the finished product. There are great resources out there for security & dev teams. Get your teams trained on appsec! WhiteHat Security @whitehatsec
#PatchTuesday used to be a thing. Probably a good idea to bring it back for everyone given the distributed workforce and BYO policies. Adam Stein @apstein2

But are awareness and vigilance sufficient?

I actually think there is more here than training and patching. We’ve known about those and addressed those for decades. Why is it still an issue then? Tim Crawford @tcrawford
Tension between “must get this new/updated app out the door” and additional time/$ investment to ensure the right security. Joanna Young @jcycio
One of the biggest challenges is the number of applications to manage security. So many different tools and services to manage without having a single pane of glass. It’s akin to having to log into multiple streaming services looking for a movie you want to watch. Jason James @itlinchpin

Still, it’s clear there is a continuing need for education and training:

Application security is data security. Demonstrating the impact of the wrong data being stolen, corrupted or deleted through poor application security is key. Demonstrate the risk through financial and image impact. Mark Thiele @mthiele10

Check out the full discussion @idgtechtalk and read about NTT’s approach to intelligent cybersecurity.