App Sprawl Fuels Need for Effective Application Security Risk Management

It’s becoming virtually impossible to escape mobile apps. As a consumer, every time you go shopping, attend a major event, post content to social media or listen to the radio, you’re encouraged to download new, customized applications from content providers. Similarly, customer demand for new or updated functionality has shortened software release cycles and led to an explosion of software-based games, fitness applications and quickly evolving versions of popular social media content.

As a result of this market reality, organizations need to rapidly introduce new applications in order to outpace competition and meet customer demand. Gartner predicted that by 2017, market demand for mobile application development services will grow at least five times faster than internal IT organizations’ capacity to deliver them.

AppSec Risk Management Evolves From ‘Nice to Have’ to Mission-Critical Requirement

In the legacy environment of longer release cycles and less frequent updates, organizations could treat application security risk management as a nice-to-have element. However, the current explosion of new applications has made application security risk management a mission-critical requirement.

Consider the following statistics:

  • According to IBM X-Force Data, 28 percent of overall vulnerability disclosures in 2015 were targeted at Web applications.
  • It’s been reported that at any given time, malicious code infects more than 11.6 million mobile devices. To put that figure into perspective, it’s roughly equivalent to the population of Ohio.
  • A 2015 Ponemon Institute report, sponsored by IBM, found that 50 percent of companies have zero budget dedicated to mobile app security.

To spotlight this growing area of potential risk, a new study from IBM and Ponemon Institute surveyed application security professionals to determine their effectiveness at managing application security risk. The results revealed several eye-opening trends related to how organizations are approaching application security and why many approaches are falling short.

Application Expansion and Rush to Release Have Increased Security Risk

It’s no surprise that pressure to release apps quickly has been a leading cause of security missteps. Our latest survey results revealed that many organizations don’t address the problem effectively.

  • 56 percent of respondents said their organizations are influenced by pressure to release new apps quickly. App developers are primarily focused on business value, user experience and addressing inconveniences that apps seek to resolve. As a result, many developers miss big-picture implications of applications beyond the apps’ core purposes, as well as potential headaches such as security vulnerabilities.
  • 35 percent of respondents said their organizations do not perform any major application security testing methods prior to application deployment. Application security testing permits organizations to address potential application vulnerabilities by remediating them prior to release. The survey indicated that basic security steps like these are often neglected even though they represent a critical development life cycle requirement.

Download Ponemon Institute’s 2016 Application Security Risk Management Study

Organizations Struggle to Manage Applications Currently in Production

While the rush to release is creating a flood of new apps with questionable security protection right out of the starting gate, perhaps an even bigger concern is what happens to those apps once they’ve been deployed.

Among the most alarming findings of our study, respondents admitted that their organizations are struggling to keep tabs on apps they currently have in use, let alone secure them.

  • 69 percent of respondents didn’t know all the apps and databases currently active in their organizations. Unfortunately, the 69 percent figure isn’t a misprint. Development teams are frequently unable to keep tabs on apps that have already been deployed or fully digest potential risks that have been introduced into corporate systems.
  • About 48 percent of respondents said their organizations don’t actually take basic security measures to remediate vulnerabilities. How can organizations protect their applications when they don’t even engage in basic security measures such as dynamic application security testing (DAST), static application security testing (SAST) and interactive application security testing (IAST)?

We anticipate that these issues will continue to present more significant challenges as a growing number of apps are introduced and others require more frequent updates.

Break the Rush-to-Release Cycle and Secure Your Expanding App Infrastructure

While the picture painted by the recent survey results are grim, there are simple steps that organizations can take to break the rush-to-release cycle and secure their growing application empires. In a nutshell, organizations need to move from a whack-a-mole approach of fixing applications one at a time to a more strategic risk management framework.

Here are a few steps IBM recommends to get you started.

1. Get the Full Picture

  • Coordinate with other divisions and geographic regions to determine which apps are actively being utilized throughout your organization. Maintain a list of the applications, update it on a regular basis and track your remediation progress.
  • Determine which apps are past their support life spans and find out how you’re protecting them.
  • Conduct an inventory of applications that are still active but not used or monitored. In most cases, their end of life should be determined immediately and user access should be terminated.

2. Unify Practices

According to the study, 65 percent of sampled respondents said their organizations have fragmented security practices carried out at low levels in the organization.

We recommend the following actions to better unify application security across the enterprise:

  • Educate executive management about security risks associated with the expansion of application usage. Demonstrate how a potential breach of a critical application could significantly impact your organization’s brand image and its bottom line.
  • Select a division within your organization that effectively manages application security and incorporate its best practices into businesswide educational programs. Spotlight areas where that division has reduced costs or significantly lowered the potential impact of vulnerabilities.

3. Staff Up

The survey found that 70 percent of respondents believed they didn’t allocate sufficient resources to ensure business-critical apps are kept secure.

You should:

  • Invest in security training for your app development teams and leverage automated application security testing solutions such as IBM Security AppScan to permit developers to test applications quickly, efficiently and independently.
  • Take time to assess which of your applications are truly mission-critical crown jewels. Examples of crown jewels could be privileged finance, customer relationship management (CRM) and e-commerce applications. Focus on protecting those applications first and target remediation efforts on the most significant vulnerabilities in those applications.
  • Reframe executive management’s mindset by educating them on potential costs associated with security breaches. Following that approach will remind them that effective security protection is way more than a cost center.

4. Get a Handle on Vulnerabilities

In the study, 46 percent of respondents confessed that growth in security vulnerabilities prevents their security posture from being effective.

We recommend the following actions:

  • Utilize application security testing technology that ties into evolving threat data, which will permit you to become more effective at remediating high-priority app vulnerabilities.
  • Learn more about IBM’s Cognitive Intelligent Finding Analytics capabilities. This dramatically reduces the number of testing results that you need to manage after conducting noisy SAST analysis, which produces a high volume of vulnerability findings.
  • Working in conjunction with your management team, decide which risks are too inconsequential or unlikely to have a significant impact on your business. You may wish to accept those app risks.

In summary, only when organizations assess the full scope of their application security preparedness can they begin to prioritize and reduce risks that are introduced by rapidly growing application infrastructures.

For Additional Information

Download the full Application Security Risk Management Study from the Ponemon Institute.

You can also download a complimentary copy of Ponemon Institute’s more recent “2017 State of Mobile & Internet of Things (IoT) Application Security” study.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today