October 5, 2016 By Denis Kennelly 3 min read

In the current world of cloud and agile development, we deliver code monthly, weekly and even daily. One of my engineering teams at IBM affectionately refers to updates as the “daily dose.” We have developed robust processes to ensure that these updates are seamless and impact production minimally.

But one of the major challenges is ensuring that security vulnerabilities don’t creep into the process. Application-layer protection is difficult at DevOps speed. It’s physically impossible to perform penetration testing on every daily update. Much to our chagrin, customer penetration tests have found security vulnerabilities even in our carefully managed code because the application security tooling and processes didn’t keep pace with the demands of rapid development.

The Key Under the Mat

Sound familiar? We’re all under pressure today to put as many services online as quickly as possible to meet customers’ demands for convenience, speed and ubiquitous access to data and systems. But in the process, we may be putting bars on the windows and deadbolts on the door while leaving a key under the mat. The ongoing need to deliver capabilities faster and adopt agile methodologies like DevOps threatens to greatly increase our exposure to application security vulnerabilities.

Yet application security commands a curiously low level of investment by IT organizations. The SANS Institute’s recent “IT Security Spending Trends” survey named application security just the 14th-highest spending priority related to IT security, behind such categories as network security and email protection. This is despite the fact that applications typically interact directly with the back-end database and account for 32 percent of security compromises, according to the Ponemon Institute’s “State of Application Security Risk Management Report,” ahead of network, human negligence and data.

Inside the organization, our applications are protected by firewalls, authentication servers and VPNs. Once we put them on the web, however, we essentially lay out a welcome mat. Attackers can enter through the front door via ports 80 and 443 to launch their anonymous cross-site scripting or SQL injection attacks with impunity.

Startling Numbers

The Open Web Application Security Project (OWASP) estimated that about one-third of web applications contain security vulnerabilities. WhiteHat Security’s “2015 Website Security Statistics Report” put the figure much higher at 86 percent. Application-layer protection is the solution to these problems.

Injection attacks top the OWASP vulnerability list. The video demonstration below by Warren Moynihan, a member of the Ethical Hacking Team at IBM Security Systems, shows how easy it is for an intruder to launch an injection attack on a banking application. Legacy applications, such as those used by banks, are particularly prone to compromise. But in the consumer banking world, if you’re not online, you’re out of business.

Why the Paradox?

Application-layer protection is often a low priority for IT organizations, despite the magnitude of the threat, for several reasons. For one thing, the concept is difficult to understand. It’s easy to wrap your mind around the idea of putting walls around the enterprise, but session management and cross-site scripting attacks are more difficult to understand, much less defend against.

The second reason is organizational. Developers are taught to code quickly and efficiently, but not necessarily securely. In fact, many developers view security as an unnecessary nuisance, something that is someone else’s responsibility. Injection attacks bypass the application entirely and compromise the database, introducing yet another level of organizational complexity. Application-level security thus becomes an orphan that nobody wants to own.

Additionally, we are all trying too hard to rush applications out the door. With DevOps gaining favor for its many productivity and speed benefits, businesses are sacrificing protection for the sake of production. That makes sense behind the firewall, but on the public web it’s a recipe for disaster. And the pressure to roll out applications faster is growing even more intense.

Simplifying Application-Layer Protection

One solution is inline application scanning. This makes application-layer protection a simple step in the development process rather than an arduous chore. There are also solutions designed specifically for cloud applications that integrate into your DevOps tooling infrastructure.
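A concrete form of that inline step, as an added example that is not from the post or from any IBM product: a small pre-merge gate that parses Python source with the standard `ast` module and fails the build when a database call receives a query assembled at runtime (concatenation, `%` formatting, `.format()` or an f-string), the pattern behind the injection attacks discussed above. The sample module, the `DB_CALLS` set and the `gate` function are constructed here for illustration.

```python
import ast

# Constructed sample module: two queries built unsafely, one parameterised.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_acct(cur, acct):
    cur.execute(f"SELECT * FROM accounts WHERE id = {acct}")

def find_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

# Method names treated as database query sinks (assumed for this example).
DB_CALLS = {"execute", "executemany"}


def _is_dynamic_string(node):
    """True if the expression splices runtime values into a string."""
    if isinstance(node, ast.JoinedStr):                       # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                            # "a" + b, "a %s" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                      # "...".format(b)
    return False


def find_unsafe_queries(source):
    """Return (method, line) for each DB call whose query text is assembled
    at runtime instead of being a constant with a separate parameter tuple."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in DB_CALLS and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.func.attr, node.lineno))
    return sorted(findings, key=lambda f: f[1])


def gate(source):
    """CI gate: report each finding and return 1 (fail the build) if any exist."""
    findings = find_unsafe_queries(source)
    for method, line in findings:
        print(f"line {line}: {method}() receives a dynamically built query")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_SOURCE))
```

Run it as a step in the pipeline over each changed file; the non-zero exit status blocks the merge until the query is rewritten with bound parameters.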

As vendors, we owe it to our customers to take application security to heart. Our experience with customer penetration testing may have been a bit embarrassing, but it taught us a lesson that we won’t forget anytime soon — to integrate security scanning as part of our rapid development processes.
