Organizations could be woefully shortchanging client-side and Web applications, according to a recent study by the SANS Institute. Most companies are spending far more energy on operating system security, for example, even though Web and other application threats are far greater.
Top Cyber Security Risks was the latest report to emphasize the growing threat to Web and other applications. The study, which compiled data from security vendors TippingPoint and Qualys as well as from the SANS Internet Storm Center, found that about 80 percent of network vulnerabilities occur in Web and other applications. Yet organizations patch operating systems about twice as fast as they do applications, the report found.
Researchers from SANS and elsewhere emphasize that companies should be improving application patching and using common security tools, such as penetration testing and application scanning. Companies should also consider security methods such as source-code analysis.
Many attacks occur through opening e-mail attachments. Many more stem from end-users surfing sites that contain malicious code. Such code is exploiting vulnerabilities in common applications such as Adobe PDF Reader, Adobe Flash, and Microsoft Office. But it is also increasingly targeting custom-developed applications used for accounting, credit card processing, and human resources.
Forrester Research recently examined and compared eight common application security tools and strategies. Ranking the methods on factors such as cost, security potential, and overall business value, the Forrester report offers guidance to firms at varying stages of application security strength and expertise.
The report recommends two methods: penetration tests and application scanning. The former tries to exploit vulnerabilities by simulating attacks; the latter tests applications’ input and output for irregularities.
On the development side, firms should consider source-code analyzers, says Chenxi Wang, the Forrester analyst who authored the report. Finding coding flaws, implementation errors, and security vulnerabilities can be more effective before an application goes into production, she says. Analyzer tools, which can be expensive and complicated to use, are only rarely deployed in application development. But they can be especially valuable for use with custom applications, she says. Organizations should try to make such scanning part of the development process.
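The kind of coding flaw a source-code analyzer can catch before production is illustrated below with a minimal, added example that is not from the Forrester report or any vendor tool: a Python `ast` pass that flags database `execute()` calls whose query text is built by string formatting rather than passed with bound parameters. The sample source it scans is constructed for this example, and the sink method names and detection rules are assumptions chosen for illustration.

```python
"""Minimal static check: flag SQL queries assembled from string formatting.

Added illustration of what a source-code analyzer looks for; not a product's code.
"""
import ast

# Constructed sample source to scan (not from the article). Two calls build the
# query dynamically; two pass a constant query (one with bound parameters).
SAMPLE_SOURCE = '''
def lookup(cur, user_id, name):
    cur.execute("SELECT * FROM users WHERE id = %s" % user_id)      # flagged
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")     # flagged
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))   # parameterized
    cur.execute("SELECT 1")                                        # constant
'''

# Assumed sink names: DB-API style cursor methods that run SQL.
SINK_METHODS = {"execute", "executemany"}


def _is_dynamic_string(node):
    """True if the query expression is built at run time from other values."""
    if isinstance(node, ast.JoinedStr):            # f"..." literal
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                # "..." % x  or  "..." + x
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                # "...".format(x)
    return False


def find_unsafe_sql(source):
    """Return (line number, query expression) for each sink call whose first
    argument is a dynamically built string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        if node.func.attr not in SINK_METHODS or not node.args:
            continue
        query = node.args[0]
        if _is_dynamic_string(query):
            findings.append((node.lineno, ast.unparse(query)))
    return findings


if __name__ == "__main__":
    for lineno, expr in find_unsafe_sql(SAMPLE_SOURCE):
        print(f"line {lineno}: query built dynamically: {expr}")
```

Run against the constructed sample it reports the two formatted queries (lines 3 and 4 of the sample) and stays silent on the parameterized and constant ones, which is the distinction a reviewer wants surfaced during development rather than after deployment. Real analyzers go much further (data-flow tracking, framework-specific sinks), but the shape is the same: a syntactic or semantic pattern, matched over the parsed program, reported with a location.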
Web application firewalls (WAF) also hold significant security potential, she says. They offer strong visibility into a Web server’s input and output. But they are relatively expensive and challenging to run. Consequently, companies have not rushed to deploy them. Wang says a WAF delivered as a security-as-a-service offering holds strong adoption potential because it might make this option less costly.
Significantly beefing up application security could take more than tools, however, says Alan Paller, director of research at SANS. In many organizations, there’s a lack of clear security responsibility, or ownership, of applications, he says. Although IT managers often control operating systems and other security areas, they tend to have far less oversight over applications, he says. Many applications are ordered and largely managed by individual departments and business units.
A company CIO, with the CEO’s support, might work to retake the responsibility, he says. Such duties could also fall on business unit heads. Security tools aside, companies may need to better align application security with the firm’s broader security goals.