Tackling Application Risk Head On

There is no doubt that in 2013 we will continue to see mobile application risk increasing. As enterprises continue to allow personal devices into the corporate environment, we will see the quantity of mobile applications growing while the understanding of the risks associated with these applications will decrease.

As new, high-profile cyber attacks happen every day, companies large and small are at risk of compromising their data, their brand and their intellectual property. Furthermore, if the UK follows in the footsteps of the US where public companies are now required to disclose breaches, even greater emphasis will soon be placed on end-users securing applications as they will be publicly accountable for their failings.

After all, the most valuable information in the world is accessible online and it’s inevitable the companies housing this information will be targets for cybercrime. If you think “data breach”, you likely envision very smart computer science graduates hacking the network; when in fact today’s most prolific hackers are typically teenagers who haven’t even left secondary school yet.

And they don’t attack the network anymore – they go straight to the web browser, use free website scanning tools readily available online and look for vulnerable web applications. This is the latest entry point for this newest generation of hackers – poorly coded web applications that are littered with easy-to-exploit coding flaws like SQL injection and cross-site scripting (XSS). Once the web app has been hacked, the entire organisation’s database is vulnerable to attack.

Understanding the risks of the mobile application ecosystem will go a long way to mitigating the risk inherent in the rise of mobile devices. Knowledge of each mobile application’s capabilities and vulnerabilities as well as determining if malicious code exists will allow enterprises to accurately account for the level of risk each application carries. Mobile application acceptance policies should be created using an informed, holistic approach.

Enterprises should use a trusted third-party solution to provide the mobile application security intelligence required to make educated policy decisions about application security. Once the application risk is completely understood, security enforcement can be achieved by creating a white list of approved corporate applications. Using a third-party solution, such as a Mobile Device Management (MDM) package, the enterprise should ensure that only safe and approved applications are used by the mobile workforce.

All enterprises assume some risk in using software sourced from vendors and suppliers. However, most enterprises assume unnecessary and unmitigated risk by accepting insecure vendor applications in their software supply chain. The average enterprise has 600 mission-critical applications in its portfolio, with around 65 per cent sourced externally as a result of the explosive growth of outsourced, cloud, and mobile apps. The result: a typical enterprise carries the risk of more than 300 vendor applications.

According to a 2012 study by PWC, up to 80 per cent of software sourced from third parties fails basic security testing, and even just one insecure vendor application is subject to exploitation by hackers, putting the entire enterprise at risk of loss of data, revenue, and reputation. These findings further underline the huge risk posed by third-party applications. As businesses continue to allow personal devices into the corporate environment, it is inevitable that mobile application risk will increase.

It is crucial that enterprises analyse the security posture of all vendor-supplied applications in their portfolio to speed audit compliance and meet policy requirements. However, internal IT vendor management and security teams are often overwhelmed by the scope of this problem and reluctant to expose source code for security testing. Traditional test methods can be laborious and may cover only a fraction of vendor software in use.

As a result, most enterprises have done little or nothing to mandate vendor compliance with security policies, despite new Software as a Service (SaaS) and cloud models being available to help with this analysis. In order to safeguard a company’s most valuable asset, as well as to comply with stricter legislation around the world, it is essential that this changes.

To tackle these challenges, vendors must pursue a systematic course of action in partnership with enterprises. Programmes are available that help to facilitate this collaboration: in the wake of increasing legislation, they provide trust and mutual assurance to both the enterprise customer and the vendor regarding the security of the company’s vendor-sourced software portfolio.


Ed Jennings is responsible for creating and managing Veracode’s global, multichannel sales model. Jennings is a compliance business expert with 17 years of technology sales and marketing experience. Prior to joining the Veracode team, Ed served as DVP and General Manager at ADP. Before that, he was President and CEO of Copanion, where he established a voice in the tax and accounting industry, writing and speaking extensively on the technology required to automate the tax compliance space. His expertise in that space earned him the CPA Technology Advisor's coveted 40 Under 40 award in 2009. He has held senior positions at PTC, AT&T, Qwest Communications and Broderbund Software.