Your web apps—you love them. They drive customer loyalty and boost employee productivity.
But can you trust them? No.
While you obsess over the time it takes to get your apps to market, how well they perform, and whether users will actually use them, something else is slipping past you. Security. The very apps on which you depend contain vulnerabilities that put your business at risk.
We’re not talking about subtle flaws that require super-sophisticated cyber-criminal techniques to exploit and wreak damage. Although such attacks make news, they’re not the most likely scenarios.
No, this is about the very boring, run-of-the-mill vulnerabilities that hackers exploit literally on autopilot. As you’re reading this, a hacker is setting off an automated scan of websites before going out for a cup of coffee—the time it takes to generate a long list of targets. The 10 most common vulnerabilities—well known by hackers—account for 85 percent of successful attacks. Your business could easily be a victim.
You wouldn’t leave your wallet unprotected. Why do the equivalent with your apps? There are three ways hackers can get you:
Your apps are insecure at the code level.
It’s a lot easier to train developers and prevent problems than fix defects once apps are in users’ hands. Yet few businesses practice secure coding.
One survey tested app developers on their understanding of basic security. The majority failed. That’s hardly surprising given that half had received less than one day of security training in their careers. Why so little training? Management typically funds other priorities.
You don’t identify app vulnerabilities in time.
It feels like a new zero-day vulnerability is identified every week. Although secure coding is a start, it’s not a panacea. Even with it, errors slip into apps. What to do? Find the vulnerabilities before the hackers do. This means testing, testing, testing.
According to Veracode, fewer than 40 percent of internally developed apps pass security requirements when first tested. Third-party developed apps fared even worse (only 28 percent passed). So test and fix. Rinse and repeat. A host of tools are available, from static analysis of source code to dynamic scanning of the running app, and the testing belongs in the release process, not after it. On top of secure coding, vulnerability testing will reduce your risk substantially.
You don’t remediate known vulnerabilities quickly enough.
According to WhiteHat Security, more than half of businesses take 200 days or longer to fix security flaws, and two-thirds of them only remediate 40 percent of the vulnerabilities they identify. This amount of time—more than six months—is plenty of time for hackers to steal, expose, or corrupt sensitive data, tamper with your app, or do other damage.
The Best Strategy
Install a web application firewall (WAF) to buy time while you fix your apps. A WAF is a hardware or software firewall that inspects web traffic (HTTP/S) specifically and blocks requests that match known web application exploits. Many WAFs integrate with web-application-vulnerability scanning services to apply "virtual patches": when the scanner reports a flaw in a given page or parameter, the WAF starts rejecting requests that target it, without waiting for a code change. Treat that as a stopgap, not a fix. The flaw is still in the code, and a blocking rule can be bypassed by an attacker who finds an encoding or path the rule does not cover, so track every virtual patch until the underlying defect is remediated. You may also subscribe to WAF-as-a-service to offload the considerable management burden of WAFs to a knowledgeable third party.
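To make concrete what "automated patching" from a scanner finding looks like, here is an added example, written for this page in Python and not code from F5 or from any WAF product. It puts side by side a toy request handler with a SQL injection flaw (the kind of run-of-the-mill defect the article is about), a virtual patch in the form of a WAF rule scoped to the flagged path and parameter, and the parameterized query that actually fixes the code. The request structure, the sample user table and the finding identifier FINDING-0001 are constructed for the illustration and are not from the article.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data standing in for the app's user table (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path plus query parameters."""
    path: str
    params: Dict[str, str]


def vulnerable_lookup(conn: sqlite3.Connection, req: Request) -> List[str]:
    """The run-of-the-mill defect: user input concatenated straight into SQL."""
    name = req.params.get("name", "")
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def fixed_lookup(conn: sqlite3.Connection, req: Request) -> List[str]:
    """The real remediation: a parameterized query, so input is never parsed as SQL."""
    name = req.params.get("name", "")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


@dataclass
class VirtualPatch:
    """One WAF rule derived from a scanner finding.

    Instead of a blocklist of attack strings, it carries a positive model of what
    the parameter legitimately looks like; anything else is rejected.
    """
    path: str
    param: str
    allowed: "re.Pattern[str]"
    finding_id: str  # hypothetical scanner finding reference, assumed for the example


def waf_check(req: Request, patches: List[VirtualPatch]) -> Optional[str]:
    """Return a block reason if a virtual patch rejects the request, else None (allow)."""
    for p in patches:
        if req.path == p.path and p.param in req.params:
            if not p.allowed.fullmatch(req.params[p.param]):
                return f"blocked by {p.finding_id}: parameter {p.param!r} failed allowlist"
    return None


def handle(conn, req, patches, handler) -> Dict[str, object]:
    """WAF in front of the app: blocked requests never reach the handler."""
    reason = waf_check(req, patches)
    if reason is not None:
        return {"status": 403, "reason": reason, "rows": []}
    return {"status": 200, "reason": None, "rows": handler(conn, req)}


def demo() -> Dict[str, object]:
    conn = make_db()
    # The scanner flagged the 'name' parameter of /lookup; this one rule is the virtual patch.
    patches = [VirtualPatch("/lookup", "name", re.compile(r"[A-Za-z0-9_.-]{1,32}"),
                            "FINDING-0001")]
    benign = Request("/lookup", {"name": "alice"})
    attack = Request("/lookup", {"name": "' OR '1'='1"})
    return {
        "vuln_unprotected_attack": vulnerable_lookup(conn, attack),                  # every email leaks
        "vuln_behind_waf_attack": handle(conn, attack, patches, vulnerable_lookup),  # 403, no rows
        "vuln_behind_waf_benign": handle(conn, benign, patches, vulnerable_lookup),  # 200, one row
        "fixed_unprotected_attack": fixed_lookup(conn, attack),                      # payload is just data
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two design points carry over to real WAF rules. The rule is scoped to the exact path and parameter the scanner flagged, so it cannot break unrelated pages, and it states what legitimate input looks like rather than enumerating attack strings, which is what makes it hard to evade with alternate encodings. Even so, the code behind it remains exploitable by anyone who reaches it another way, which is why the fixed handler, not the rule, is the end state.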
And one more thing…
Are you spending your IT dollars wisely? Public-facing web apps are the number one cause of breaches, according to the SANS Institute’s 2016 Report on Application Security. Yet more than half of enterprises (51 percent) spend 1 percent or less of their IT budgets on app security. Either that, or they don’t have a clue how much they spend.
This is sobering.
Your apps are on the front lines of the hacker wars. But by allocating sufficient budget to secure them, and addressing the three weaknesses above, you're on your way to reducing your overall risk.
Mike Convertino is F5 Networks’ first Chief Information Security Officer (CISO). Convertino brings to F5 nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide array of organizations including the U.S. government, Fortune 500 companies, and security start-ups.