It's time we give application security the attention it requires. Every IT organization needs to address it, whether you develop applications in-house or buy them from third-party developers.
According to the Ponemon Institute's recent Application Security in the Changing Risk Landscape report:
- Application-layer attacks are both more frequent and more severe than network-layer attacks.
- Network security is better funded than application security.
This may sound backward, and it is: the layer that is attacked most often, and most severely, gets the smaller share of the security budget.
Here are the key application security questions IT organizations should consider:
- Are you centrally patching all third-party applications on a routine schedule? Commonly targeted client applications (Adobe Reader, the Java Runtime, Firefox and similar) are the most critical to keep current: an unpatched copy on one workstation is often the attacker's initial foothold on your network. Central patching also depends on a current software inventory, since you cannot patch a copy you do not know is installed.
- Do you routinely test your applications (mobile apps, web apps and the like) for security flaws? Applications change with every release, so a single test is not enough; retest on a schedule and after significant changes.
- For third-party-developed applications, do you evaluate the security practices of the software providers? Not all vendors treat your data with the same level of care. You need a repeatable process to evaluate the security posture of software vendors and other third parties that present a risk to your organization.
- If you develop software in-house, do you utilize secure development practices in all phases of the software development life cycle? Do you train developers on secure coding practices?
- Are application logs retained long enough to support an investigation, and protected from tampering? An attacker who can edit or delete the logs on the host they compromised can erase the evidence of how they got in; the copy you investigate from should be one they cannot silently alter.
- Does your information security team have application security expertise? If not, can you partner with a security provider that can provide this expertise?
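One way to make the retained logs tamper-evident, as an added example that is not code from the original post or from the Ponemon report: each entry carries an HMAC over the previous entry's tag and the current record, so editing, deleting or reordering any past entry breaks verification from that point on, and publishing the latest tag off-host ("anchoring") also catches silent truncation of the tail. The key name, record fields and sample records below are constructed for illustration; in a real deployment the HMAC key lives somewhere the application host cannot read (a log collector, an HSM, or a separate signing service), because an attacker who holds the key can re-chain the log.

```python
"""Hash-chained, HMAC-tagged application log (added example, not from the post).

Each line is JSON: {"seq": n, "record": {...}, "tag": hex}
  tag_n = HMAC(key, tag_{n-1} || "\n" || canonical_json(record_n))
"""
from __future__ import annotations

import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag of the (empty) entry before the first one

# Constructed demo key: a real key must be stored off the application host.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"


def _canon(obj: dict) -> bytes:
    # Canonical JSON so the same record always serializes to the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    return hmac.new(key, prev_tag.encode() + b"\n" + _canon(record), hashlib.sha256).hexdigest()


def append_entry(lines: list[str], key: bytes, record: dict) -> str:
    """Append one record to the log (a list of JSON lines); return the line written."""
    prev_tag = json.loads(lines[-1])["tag"] if lines else GENESIS
    entry = {"seq": len(lines), "record": record, "tag": _tag(key, prev_tag, record)}
    line = _canon(entry).decode()
    lines.append(line)
    return line


def verify_log(lines: list[str], key: bytes, expected_head: str | None = None) -> tuple[bool, int]:
    """Walk the chain. Returns (True, entry_count) if intact, else (False, index_of_first_bad_entry).

    expected_head is the last tag as published off-host; when given, a log whose
    tail has been deleted fails with index == len(lines).
    """
    prev_tag = GENESIS
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
            expected = _tag(key, prev_tag, entry["record"])
            if entry.get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
                return False, i
        except (ValueError, KeyError, TypeError):
            return False, i  # malformed line counts as tampering
        prev_tag = entry["tag"]
    if expected_head is not None and prev_tag != expected_head:
        return False, len(lines)  # chain is self-consistent but shorter than anchored
    return True, len(lines)


def build_sample_log(key: bytes = SAMPLE_KEY) -> list[str]:
    """Constructed sample records, not real log data."""
    lines: list[str] = []
    for rec in (
        {"user": "alice", "event": "login", "src": "10.0.0.5"},
        {"user": "alice", "event": "export", "object": "customers.csv"},
        {"user": "bob", "event": "login", "src": "10.0.0.9"},
    ):
        append_entry(lines, key, rec)
    return lines


def demo() -> dict:
    """Show what each kind of tampering looks like to the verifier."""
    key = SAMPLE_KEY
    good = build_sample_log(key)
    head = json.loads(good[-1])["tag"]  # the value you would publish off-host
    results = {"intact": verify_log(good, key, head)}

    edited = list(good)  # attacker rewrites what alice exported
    e = json.loads(edited[1])
    e["record"]["object"] = "nothing.txt"
    edited[1] = _canon(e).decode()
    results["edited"] = verify_log(edited, key, head)

    deleted = good[:1] + good[2:]  # attacker removes the export entry
    results["deleted"] = verify_log(deleted, key, head)

    truncated = good[:2]  # attacker drops the tail: only the anchor catches this
    results["truncated_no_anchor"] = verify_log(truncated, key)
    results["truncated_with_anchor"] = verify_log(truncated, key, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The design choice worth noting is the anchor: a hash chain alone proves only that the entries you still have are consistent with each other, so an attacker who truncates the log after their last action leaves a log that verifies cleanly. Shipping the latest tag to a collector the application host cannot write to (or printing it to a separate audit channel at intervals) is what turns the chain into evidence of completeness, not just of integrity.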
What application security challenges does your organization face?