[BreachExchange] App security: The most overlooked cybersecurity measure

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 3 19:03:38 EST 2016


http://www.itproportal.com/2016/03/03/the-most-overlooked-cybersecurity-measure-app-security/

It’s hard to imagine how we’ve ever lived without apps. Whether it’s for
work or for play, apps are becoming invaluable in the information they can
supply us and the entertainment they can grant us. But app security is
something not a lot of people consider when they install a new program or
download a game.

And this is exactly what hackers are hoping for – that you’ll overlook the
fact that you’re potentially opening a back door to all of your personal
and sensitive information. That app may have given you a few minutes of
fun, but the breach of your data could have long-lasting consequences.

As a business owner, your company’s cybersecurity should be of the utmost
importance. So how do you prevent hackers from gaining access through
application security breaches? The answer is education – both for yourself
and your staff. Cybercriminals are always looking for ways to take
advantage of the system, so be sure you know where and how to stop them
before they can get in.

Why app security is crucial

Businesses both large and small know that any sort of digital presence
needs the proper cybersecurity. A leak of sensitive information or
financial data is any company’s worst nightmare, and it feels like more and
more stories about credit card hacks are popping up in the media every
year. You can guarantee that the affected businesses put at least some
effort into protecting their online assets – but one area they might have
missed was the security of the applications they use.

‘Organizations spend somewhere between 45 and 50 billion dollars on
security but [a] very small percentage is focused on applications,’ says an
article at Forbes. The article also notes that eighty four per cent of
cyberattacks happen on the application layer – a number that’s
uncomfortably high, especially if you’re suddenly wondering just how good
your application security is right now. The article goes to on quote Rik
Turner, senior analyst on Ovum’s Infrastructure Solutions Team, as saying,
‘You can go online, find a little piece of software that’s been used many
times before, make a couple of little tweaks in it so that it performs
differently making it very difficult to detect when it’s doing its
mischief, and away you go.’

Are you creating your apps in-house?

It could even be something as seemingly innocuous as a flawed app design.
If your company chooses to create an app in-house, there’s a greater chance
that you’ll be able to be hands on in the design and maintain quality
control over the source code. However, if you leave app programming to an
outside vendor, you might be opening a window to hackers – sometimes
intentionally, sometimes not.

‘With time-sensitive schedules, developers are also likely to assemble
applications from hybrid code — obtained from a mix of in-house
development, outsourced code, and third-party or open-source libraries,’
explains an article at MIT, ‘During this mash-up process, critical
vulnerabilities can be copied, overlooked, and implemented into production
code.’ So even if the app designers didn’t mean to create vulnerabilities
in the code, it’s all too easy to miss a step, especially when under
pressure to deliver – and that’s exactly what hackers are counting on.

How to prevent app hacking

As mentioned above, when you’re the business owner, ensuring that
application design is thorough and complete is an absolute must. The moment
that you push out an app with vulnerabilities is a moment that can wreck
your company’s reputation, and potentially lose consumers’ trust in your
brand. If you’re looking to hire outside vendors to design an app for your
business, be sure to thoroughly research past work, ask to see portfolios,
and gather recommendations from colleagues. It’s best to choose app
designers you trust – and ones that will take the time to do a meticulous
job rather than a piecemeal one – in order to get a quality product.

Consistent application evaluation is also key to ensuring that all
potential holes are patched up. A piece on web application security at
eSecurity Planet points out that performing tests on applications to find
security flaws was highly successful: ‘Feeding vulnerability results back
to development teams through established bug tracking or mitigation
channels was the activity that yielded the best result across the three key
metrics… Organizations that did this reported 40 percent fewer
vulnerabilities than the average, fixed them nearly a month faster and
increased remediation rates by 15 percent.’

The article continues to say that communication between teams is vital to
preventing cybersecurity problems, particularly when it comes to
development and security teams.

As for those two teams, when you’re the business owner, it’s valuable to
keep both your developers and security aware of the most up-to-date risks
and flaws in applications. The eSecurity Planet piece uses the examples of
content spoofing, fingerprinting, and cross-site scripting, noting that
although instances of those risks were high ten years ago, now that teams
are aware of the problems, they’re showing up less and less.

More awareness means less vulnerability, so make sure your team has access
to the most current risks – and fixes – associated with application
security. It’s worth passing along OWASP’s Top 10 list of coding
vulnerabilities that should be tended to, including security configuration,
cross-site request forgery, and unvalidated redirects and forwards, among
others.

With so many areas of business at risk of cybercrime, it can be easy to
overlook even the smallest of vulnerabilities. But all it takes is one
faulty application to create the perfect back door entrance for hackers,
and before you know it, your company and brand are tarnished by a security
breach. Whether you’re pushing out an application that was created in-house
or via outside vendors, make sure you’ve got all your bases covered with a
strong, secure build and a reliable team behind it. It could spare you a
potential disaster down the line.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160303/547655f1/attachment.html>


More information about the BreachExchange mailing list