Why Are Organizations Not Taking Extra Measures to Protect all their Web Applications?
In a recent survey of security executives, over 70 percent of respondents acknowledged that they are testing less than 10 percent of their Web applications. In the same survey, a majority of them also admitted that they had been hacked at least once in the last two years. I have heard similar responses in my conversations with various companies. While most large companies have started to test more and more of their applications for vulnerabilities, we have a long way to go. You are only as strong as your weakest link, and in this case the weakest link is the untested, vulnerable application nobody is looking at.
Hackers believe in equal opportunity and will attack any application that has a security weakness. Let's say you have 100 Web applications and you are testing, and fixing vulnerabilities in, only 10 of them. That is better than not testing at all, but the problem is that hackers will exploit one of the other 90, and once they are inside your infrastructure they will find a way to reach your other applications as well. Using an analogy, if you go to a doctor for a check-up and find out that four of your arteries are partially blocked, the doctor will tell you to get a quadruple bypass. You can't have just one artery cleared and hope things turn out ok.
So why is it that, in spite of all the risks, organizations are not taking extra measures to protect all their Web applications? In talking to various security professionals and in our recent surveys, these are the most common reasons we hear:
Limited Budget: There's just not enough money in the budget to test all applications. Whether it's additional headcount or technology, it costs money, and most organizations have not set aside enough. We certainly found this to be true in our survey, where most respondents said their coffee budget was bigger than their application security budget!
Limited Expertise: Application security is still not a mature science and there are very few people out there who really understand application security.
Compliance Driven: PCI and other standards have traditionally required testing only of external-facing applications, although PCI 2.0 has expanded the scope to include internal applications as well. Most organizations are driven by compliance and, unfortunately, not by security. So the focus is only on those applications that help them get compliant, and all the other applications are for the most part ignored. In reality the situation is even worse than that: the applications that are assessed for security are, in many cases, tested only to tick a compliance checkbox and not necessarily to make sure they are secure.
Misconceptions: Lack of adequate knowledge can be dangerous. This is certainly true in the case of application security, where there are many misconceptions. One of them is that companies don't need to worry about all their Web applications. For example, why would you test your internal applications that have no external interface? Those are secure, correct? Wrong. Think of insider threats. Suppose you have an internal Human Resources application holding a ton of confidential information about your employees, including health records, compensation and performance metrics. Now, let's say one of your less-than-ethical employees logs in as an ordinary user and exploits a privilege escalation vulnerability to give himself admin rights. Voila! He has access to all the confidential records, and you are out of compliance with various standards. Network position is not authorization: an application that trusts every request arriving from the internal network is only as secure as the least trustworthy person on that network.
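To make the insider scenario concrete, here is an added example written for this article (it is not code from the author or from any real HR product). The article does not say how the employee escalates, so the mechanism below is an assumption: a "update my profile" handler that copies every submitted field onto the user's record, including a `role` field the client was never meant to set. The user store, field names and helper functions are all constructed for the illustration; the hardened handler beside it shows the server-side check that closes the hole.

```python
"""Vertical privilege escalation in an internal HR application.

Illustrative code written for this article, not from any real product. The
mechanism shown (a profile update that mass-assigns every posted field,
including "role") is one assumed way an ordinary user becomes an admin; the
hardened handler shows the fix. The user store is constructed sample data.
"""
import copy

# Constructed records: username -> attributes. A real app would use a database.
_SEED_USERS = {
    "alice":    {"role": "employee", "salary": 85000, "health_notes": "asthma"},
    "bob":      {"role": "employee", "salary": 70000, "health_notes": ""},
    "hr-admin": {"role": "admin",    "salary": 0,     "health_notes": ""},
}

SELF_WRITABLE = {"phone", "address"}                         # any user, own record only
ADMIN_WRITABLE = SELF_WRITABLE | {"salary", "health_notes", "role"}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested change."""


def sample_users():
    """Fresh copy of the seed data so each scenario starts clean."""
    return copy.deepcopy(_SEED_USERS)


def update_profile_vulnerable(users, session_user, form):
    """Mass assignment: whatever the client posts lands on the record.

    Nothing checks which fields are being written, so an employee who adds
    role=admin to an otherwise ordinary "update my phone number" request
    is an admin on the next request.
    """
    users[session_user].update(form)
    return users[session_user]


def update_profile_hardened(users, session_user, form, target=None):
    """Server-side authorization: allow-list fields and check the caller's role.

    The role is read from the server's own record of the session user, never
    from the request. Unexpected fields are rejected rather than silently
    dropped, so tampering attempts show up in logs instead of vanishing.
    """
    target = target or session_user
    caller_is_admin = users[session_user]["role"] == "admin"
    if target != session_user and not caller_is_admin:
        raise Forbidden("only HR admins may edit another employee's record")
    writable = ADMIN_WRITABLE if caller_is_admin else SELF_WRITABLE
    rejected = set(form) - writable
    if rejected:
        raise Forbidden(f"field(s) not permitted for this caller: {sorted(rejected)}")
    users[target].update(form)
    return users[target]


def export_all_records(users, session_user):
    """The sensitive operation the insider is after: every employee's record."""
    if users[session_user]["role"] != "admin":
        raise Forbidden("admin only")
    return copy.deepcopy(users)


def insider_attempt(update_fn):
    """Replays the article's scenario against one update handler.

    Alice logs in as herself, smuggles role=admin into a profile update, then
    tries to dump everyone's records. Returns True if the dump succeeds.
    """
    users = sample_users()
    try:
        update_fn(users, "alice", {"phone": "555-0100", "role": "admin"})
        export_all_records(users, "alice")
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable handler, insider gets all records:", insider_attempt(update_profile_vulnerable))
    print("hardened handler, insider gets all records:  ", insider_attempt(update_profile_hardened))
```

The point a scanner would flag here is not the internal network but the missing authorization check: the vulnerable handler would be just as exploitable if it were internet-facing, and the hardened one is just as safe either way. Rejecting unexpected fields (rather than quietly ignoring them) is a deliberate choice: it turns an escalation attempt into a logged 403 instead of a silent no-op.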
While these are all real constraints, none of them will help you with regulators or with your customers after a breach, when you are trying to protect your brand. And it's not that hard to protect yourself. Here are a few recommendations for treating all the blocked arteries rather than just one:
– ROI and impact of hacking: Various studies show that one breach can cost millions of dollars. According to research from Forrester and the Ponemon Institute, the average cost per record in a breach is at least $300. Most companies hold thousands of records. And over 75 percent of attacks occur through Web applications. The math is quite simple. Show this math to your executives, and not just the CIO and the CISO but also business line managers, the CFO, the CMO and the CEO. Can they afford even one breach?
– Outsource: You don't have to do everything yourself. There are reasonable solutions available as a managed service or a cloud service to help you secure your Web applications quickly and affordably.
– Process for testing all applications: Not all applications are created equal. You can cut your costs by building a pyramid of all your apps. Yes, the first step is to find out what applications you have; an application you don't know about will never be tested, so the inventory should include forgotten, acquired and departmental apps, not just the ones IT deployed. Next, run a basic health-check type of test on every one of them and, based on what you find (exposure to the internet, the sensitivity of the data handled, and the number and severity of obvious weaknesses), prioritize the applications that need deeper testing. This way you get coverage of all your applications without spending a fortune or taking many years. Automated solutions and a good process can get you there quickly.
– Manage your risk: You will find hundreds of vulnerabilities in your Web applications. Guaranteed. And you won't have time to fix them all. Take a risk management approach and prioritize these vulnerabilities with a quantitative score that combines how likely each one is to be exploited (how exposed the application is, how easy the flaw is to exploit) with how sensitive the application is. The ones with the highest score should be addressed first and right away. The rest can be blocked with a Web Application Firewall (WAF) or other compensating controls in the meantime, with two caveats: a WAF rule mitigates the symptom and does not remove the vulnerability, so the fix still belongs on the backlog; and some classes of flaw, notably authorization and business-logic bugs, cannot be reliably blocked at the WAF at all.
The bottom line is that a breach can severely hurt your finances and your brand. Web application vulnerabilities are low-hanging fruit for hackers, and they would rather pick these than go after the harder stuff. Hacking, unfortunately for the rest of us, has become a lucrative profession, and hackers will keep attacking you to earn their living. Whether it's for financial gain, to steal intellectual property, or for cyberwar and cyberterrorism, hackers will continue to fire shots until they penetrate. In this case we can't fire back at the enemy, and we can't be 100 percent secure, but we can certainly raise the walls of our castle to thwart their attempts.
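The two recommendations above, building a pyramid from the application inventory and then triaging findings by a quantitative risk score, can be carried through in a few dozen lines. The following is an added example written for this article, not a tool from the author or any vendor. The scoring model (exploitability times exposure for likelihood, technical impact times data sensitivity for business impact), the tier tables, the threshold and the sample inventory and findings are all assumptions constructed for the illustration; substitute your own weights and real scanner output.

```python
"""Risk-based triage across an application inventory.

Illustrative code written for this article, not a vendor tool. The scoring
model (exploitability x exposure for likelihood, impact x data sensitivity
for business impact) and every weight below are assumptions; tune them to
your own risk appetite. Sample apps and findings are constructed.
"""
from dataclasses import dataclass

# Assumed tiers for the data an application handles.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
# Assumed exposure multipliers: who can reach the application at all?
EXPOSURE = {"internal": 1.0, "partner": 1.5, "internet": 2.0}


@dataclass(frozen=True)
class App:
    name: str
    exposure: str      # key of EXPOSURE
    sensitivity: str   # key of SENSITIVITY
    records: int       # personal/financial records held (tie-breaker)


@dataclass(frozen=True)
class Finding:
    app: str
    title: str
    exploitability: float  # 0-10, e.g. a CVSS exploitability sub-score
    impact: float          # 0-10, e.g. a CVSS impact sub-score
    waf_blockable: bool    # can a WAF rule plausibly block the attack traffic?


def deep_test_order(apps):
    """The pyramid: which apps deserve deeper (manual) testing first.

    Ranks by exposure x sensitivity, breaking ties by record count, so the
    internet-facing app holding regulated data comes out on top.
    """
    return sorted(
        apps,
        key=lambda a: (EXPOSURE[a.exposure] * SENSITIVITY[a.sensitivity], a.records),
        reverse=True,
    )


def risk_score(finding, app):
    """Likelihood of exploitation weighted by what the attacker gains.

    Scaled so a trivially exploitable, maximum-impact flaw on an
    internet-facing regulated app scores 100.
    """
    likelihood = finding.exploitability * EXPOSURE[app.exposure]
    business_impact = finding.impact * SENSITIVITY[app.sensitivity]
    return round(likelihood * business_impact / 8.0, 1)


def triage(apps, findings, fix_now_threshold=25.0):
    """Returns (app, title, score, action) tuples, highest risk first.

    Findings at or above the threshold are fixed immediately. Below it, a
    WAF virtual patch buys time only where the attack is actually blockable
    at the WAF; authorization and logic flaws are not, so they go straight
    to the fix backlog.
    """
    by_name = {a.name: a for a in apps}
    scored = [(f, risk_score(f, by_name[f.app])) for f in findings]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    plan = []
    for f, score in scored:
        if score >= fix_now_threshold:
            action = "fix now"
        elif f.waf_blockable:
            action = "WAF virtual patch, schedule fix"
        else:
            action = "schedule fix"
        plan.append((f.app, f.title, score, action))
    return plan


# Constructed sample inventory and scanner output.
SAMPLE_APPS = [
    App("ecommerce", "internet", "regulated", 120_000),
    App("hr-portal", "internal", "confidential", 4_000),
    App("intranet-wiki", "internal", "internal", 0),
]
SAMPLE_FINDINGS = [
    Finding("intranet-wiki", "Verbose stack traces on error pages", 4, 2, False),
    Finding("ecommerce", "SQL injection in product search", 10, 9, True),
    Finding("ecommerce", "Reflected XSS in product filter", 5, 3, True),
    Finding("hr-portal", "Privilege escalation via role field", 8, 10, False),
]

if __name__ == "__main__":
    print("Deeper testing order:", [a.name for a in deep_test_order(SAMPLE_APPS)])
    for row in triage(SAMPLE_APPS, SAMPLE_FINDINGS):
        print(row)
```

Note what the sample output shows: the internal HR privilege escalation lands in "fix now" even though the app is not internet-facing, because data sensitivity and impact are weighted alongside exposure, and because an authorization flaw is marked as not WAF-blockable, so there is no compensating control to fall back on. The lower-scoring reflected XSS on the public store gets a virtual patch and a place on the backlog, not a closed ticket.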