Discover Performance: HP Software's community for IT leaders // March 2013
Closing the app gap on risk
The cloud and mobility make enterprise applications harder to secure than ever. But where the cloud creates a challenge, it can also help create a solution.
The enterprise application has evolved significantly over the past 10 years, as has the way that applications are delivered and consumed—but is enterprise security keeping up? When applications change, your protection strategy has to evolve, too. And the enterprise application of today is significantly different than that of even five years ago, leaving many organizations with a protection gap.
First, tablets and mobile devices started the mobile rush. Then, as the benefits of cloud computing became clear, the push to cloud applications changed the game yet again. Today, enterprises have on-premise, cloud, and mobile applications that are sometimes delivered by the enterprise, and sometimes simply show up, which pushes the need for enterprise application security into hyperdrive.
The application ecosystem at a typical organization today includes third-party mobile apps, corporate-sanctioned SaaS apps, custom apps built by partners, and homegrown, in-house apps—and everything in between. As a result, the threat landscape is growing and shifting at a time when few organizations have resources or budget to spare, leaving many applications underprotected.
Many organizations are drowning in technical debt from more applications than their internal software security programs can handle. Many of these enterprises are turning to cloud services for support. With the support of SaaS-based software security partners, the enterprise can focus on those applications that are critical to core business. The first step, though, is to identify that there is a gap.
Tackling the risk continuum
Because enterprise applications vary so widely, a one-size-fits-all security strategy is pretty much doomed. Each application falls on a continuum between “low risk” and “high anxiety.”
Generally speaking, relatively new applications that have undergone some sort of software security review are at significantly lower risk than those that may be considered legacy code. Newer applications are usually built using modern technologies and techniques, with security “accidentally” built in. Legacy applications, though, often don’t even have source code or specifications available and are nothing more than a black box. You’ll find higher risk with apps that offer less transparency and over which you have less control.
End-to-end security means developing a range of approaches for different stages of the risk continuum. With a web application that you built, you can use a security tool to quickly assess risk and find vulnerable areas. But with a cloud-based app that gives you no access to source code or the ability to fix security issues, your best bet is going to be a flexible SaaS solution that can assess the security of the app without requiring expertise or source code from you. You'll need to make the most of every security tool you’ve already got, diagnose gaps that still persist, and decide on the best approach to close them.
Whether you then decide to do a full source code and comprehensive dynamic review of the application, or to simply front-end the application with a filtering device like a web application firewall (WAF), the risk decision comes down to available resources and risk level, and criticality of the application to your business.
Holes: Find ’em, fill ’em
Start, as we discussed in our November article, by assessing your existing security tools’ capabilities—including functionality you haven’t tapped yet. This works best in enterprises with an existing software security program whose tools can be used to supplement and empower the developer and tester alike. After assessing your current capabilities, figure out what remains uncovered. With a clear understanding of where you still have holes, you can determine what you need from solutions. Some factors to consider:
- Security needs are rarely static, so weigh how much you’ll need your solution to scale up. Understanding your organization’s development cycles, styles, and capabilities is the critical first step to determine how much scalability you’ll need for cyclical usage spikes, ramped-up development periods, etc.
- Needs that are infrequent or that are low-level (except when they aren’t) mean finding solutions that scale down, as well. You can’t spend on in-house resources, staffing, and training for a problem that rarely comes up.
- Determining whether you have the optimal (educated, motivated) staffing resources is critical, because you don’t want a team of .Net experts having to review that outdated Java behemoth that comes up for code maintenance once a year.
- The threat landscape is evolving rapidly and the number of attacks is increasing, so test frequently. Just because you got a clean bill of health on your app last month doesn’t mean you can rest.
Don’t hesitate to get outside help, and start with your favored vendors. The right partner will provide not just a simple list of vulnerabilities in your application, but rather a holistic discussion on risk, remediation, and software quality improvement. Remember, security is just one component of the software quality three-legged stool (performance, functionality, security). An Enterprise Strategy Group survey that separated security leaders from laggards found that 42 percent of the leaders hire third parties to test the security of internal software, while only 16 percent of laggards do so. And for external provisioning, a report from Gartner estimates that by 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service—up from 1 percent today.
In addition to outside expertise, look for cloud-based tools that can cover specific security gaps without excessive capital outlay. Budget, time, and expertise are always in short supply, but the right SaaS or cloud solution can still cover the necessary ground. Our increasing reliance on cloud, mobility, and SaaS is making software protection more difficult, but there are strategies that can help.
To learn more about software security delivered in the cloud, check out HP Fortify on Demand.