IT-Analysis.com

Analysis

Solving the problem of software security
By: Bob Tarzey, Service Director, Quocirca
Published: 18th July 2012
Copyright Quocirca © 2012

A recent Quocirca report underlines the scale of the application security challenge faced by businesses. The average enterprise tracks around 500 mission-critical applications; in financial services organisations the figure is closer to 800 (Figure 1). The security challenge arises because more and more of these applications are web-enabled. Furthermore, businesses are increasingly relying on software provided as a service (SaaS) and on apps that run on mobile devices, both of which are, by definition, exposed to the internet (Figure 2).

Figure 1

Figure 2

Businesses worry about application security for three reasons. First, security failures leave them vulnerable to hackers and malware; secondly, auditors expect application security to be demonstrable; and third, customers with whom they share business processes via applications are increasingly likely to seek security guarantees. Fixing security flaws up-front wherever possible also makes sense because of the far higher cost of doing so after the software is deployed. There are both product and services opportunities for resellers to help their customers achieve these goals.

There are a number of approaches that can be taken to improve application security. For in-house developed software, better practice can be instilled through training of developers, although many businesses will need assistance to achieve this. For commercially acquired software, due diligence during procurement is necessary, seeking assurances from independent software vendors (ISVs); resellers that sell application software could do this for their customers as part of their value add. However, these measures can never ensure that software is 100% secure.

For this reason there are three other approaches that should be considered:

  1. Application scanning: scanning finds flaws before attackers do, so that they can be fixed rather than merely shielded. There are two approaches: the static scanning of source code or binaries before deployment, and the dynamic scanning of the running application during testing or after deployment. Static scanning is comprehensive, in that it examines every line of code, including paths a dynamic test may never exercise; dynamic scanning sees only what it can reach through the application's exposed interfaces, but it confirms which flaws are actually exploitable. Scans can be conducted as regularly as is deemed necessary. Whilst on-premise scanning tools have been relied on in the past, on-demand scanning services have become increasingly popular, as their providers have visibility into the tens of thousands of applications scanned on behalf of thousands of customers. Such services are often charged for on a per-application basis, so unlimited scans can be carried out, even daily. The relatively low cost of on-demand scanning makes it affordable and scalable for all applications, including non-mission-critical ones. Resellers could sell the tools or, better still, use scanning services to verify code before recommending applications to their customers.
  2. Manual penetration testing (pen-testing): specialist third parties are engaged to test the security of applications and the effectiveness of defences. These are white-hat hackers, deliberately trying to break into applications but with no bad intent (as opposed to black hats), and they find the business-logic and chained flaws that automated scanners miss. Because skilled people are involved, pen-testing is relatively expensive and is only carried out periodically; new threats may emerge between tests, and a report describes the application only as it stood on the day of testing. Most organisations will find pen-testing unaffordable for all deployed software, so it is generally reserved for the most sensitive and exposed applications. Resellers with the right skills could offer pen-testing services or seek referral fees from specialists in this area.
  3. Web application firewalls (WAFs): these are placed in front of applications to inspect incoming requests and block application-focused attacks such as injection. They are more complex to deploy and tune than traditional network firewalls and, whilst affording good protection against known attack patterns, do nothing to fix the underlying flaws in the software, which remain exploitable by any request the WAF does not recognise. WAFs also need to scale with traffic volumes: more traffic means more cost. They represent a product resale opportunity.
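As an added illustration, not part of the article or the Quocirca report, the Python script below runs a toy version of each of the three approaches against one deliberately flawed function. The sample `find_user` function, the in-memory `users` table, the probe payload and the two WAF rules are all constructed for this example; real scanners and WAFs do the same jobs far more thoroughly, but the contrast in what each approach reports is the point.

```python
# Toy static scan, dynamic test and WAF-style filter run against one
# deliberately flawed function. The sample source, the users table, the
# probe payload and the WAF rules are constructed for this illustration;
# none of it is code from the article or the report.
import ast
import re
import sqlite3

# Constructed sample source. VULNERABLE_SRC builds SQL by string formatting;
# FIXED_SRC binds the value as a parameter instead.
VULNERABLE_SRC = '''
def find_user(conn, name):
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()
'''

FIXED_SRC = '''
def find_user(conn, name):
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()
'''

SQL_START = re.compile(r"^\s*(select|insert|update|delete)\b", re.IGNORECASE)


def _is_dynamic_sql(node):
    """True if the AST node builds a SQL-looking string at run time:
    'literal' % x, 'literal' + x, f'literal...' or 'literal'.format(...)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        node = node.left
    elif isinstance(node, ast.JoinedStr) and node.values:
        node = node.values[0]
    elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
          and node.func.attr == "format"):
        node = node.func.value
    else:
        return False
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and bool(SQL_START.match(node.value)))


def static_scan(source):
    """Static approach: walk the parsed source without running it and return
    the line numbers where dynamically built SQL reaches an .execute() call,
    either directly or through a variable assigned earlier."""
    tree = ast.parse(source)
    tainted = {}  # variable name -> line where a dynamic SQL string was assigned
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_dynamic_sql(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted[target.id] = node.lineno
    findings = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            arg = node.args[0]
            if _is_dynamic_sql(arg):
                findings.add(node.lineno)
            elif isinstance(arg, ast.Name) and arg.id in tainted:
                findings.add(tainted[arg.id])
    return sorted(findings)


def _make_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def _load(source):
    """Compile the sample source and return its find_user function."""
    namespace = {}
    exec(source, namespace)
    return namespace["find_user"]


PAYLOAD = "x' OR '1'='1"  # classic tautology probe; no user has this name


def dynamic_test(source):
    """Dynamic approach: run the code with a probe input and observe. An exact
    match for PAYLOAD should return no rows, so any row back is a leak."""
    return len(_load(source)(_make_db(), PAYLOAD)) > 0


WAF_RULES = [re.compile(p, re.IGNORECASE) for p in (r"'\s*or\s*'", r"\bunion\s+select\b")]


def waf_allows(value):
    """WAF approach: pattern-match the request parameter in front of the app."""
    return not any(rule.search(value) for rule in WAF_RULES)


def handle_request(source, name, waf=True):
    """Request path: optional WAF, then the unchanged application code.
    Returns ("blocked", None) or ("ok", rows)."""
    if waf and not waf_allows(name):
        return "blocked", None
    return "ok", _load(source)(_make_db(), name)


if __name__ == "__main__":
    print("static scan:", static_scan(VULNERABLE_SRC), static_scan(FIXED_SRC))  # [3] []
    print("dynamic leak:", dynamic_test(VULNERABLE_SRC), dynamic_test(FIXED_SRC))  # True False
    print("WAF on:", handle_request(VULNERABLE_SRC, PAYLOAD)[0])  # blocked
    print("WAF off:", handle_request(VULNERABLE_SRC, PAYLOAD, waf=False)[0])  # ok, both rows leak
```

The static scan reports the line where the SQL string is built (line 3 of the sample) without executing anything; the dynamic test reports only whether the probe leaked rows; and the WAF blocks the probe while the same code stays exploitable the moment the filter is off or fails to match, which is the article's point that a WAF protects without fixing. The parameterised version passes all three.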

100% software security is never going to be guaranteed, and many organisations use multiple approaches to maximise protection (Figure 3). Interestingly, although one of the reasons for having demonstrable software security is to satisfy auditors, compliance bodies do not themselves mandate multiple approaches. For example, the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council (PCI SSC), accepts regular application vulnerability assessment, such as code scanning, as an alternative to a WAF for public-facing web applications under Requirement 6.6.

Figure 3

For today's businesses the use of software applications is not a choice; there is, however, a choice when it comes to the methods used to improve software security and, in turn, the costs involved and the benefits achieved. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes; these are all goals that resellers should be aiming to help their customers achieve.

Quocirca’s report “Outsourcing the problem of software security” is freely available here: http://www.quocirca.com/reports/711/outsourcing-the-problem-of-software-security

This article first appeared in the Computer Reseller News (CRN) UK print edition and on http://www.channelweb.co.uk

Published by: IT Analysis Communications Ltd.