There was a time when every application used in the enterprise application portfolio was either selected and deployed by the chief information officer (CIO) or at least vetted under the management of IT. The advent of software-as-a-service (SaaS) computing options led to the rise of shadow IT, which has allowed individuals to make their own decisions about what applications meet the needs of their departments.

Today the practice has morphed into a somewhat more controlled version in which departments still exercise relative autonomy because they control their own IT budgets. This trend has put distance between the CIO and the enterprise application portfolio.

Securing Your Application Portfolio

As applications become more specialized to support highly targeted functions, they are also increasingly connected to other applications and datasets in the enterprise. That means the marketing automation system that maintains sales-related data likely accesses product information from supply chain systems and customer data from accounting systems. The connections simplify and accelerate operations. Without adequate oversight and control, however, they can open channels for possible data breaches.

Departments that operate their own applications may understand them well, but they likely lack the technical abilities or authority to validate the level of security as applications connect, as demonstrated by a recent Positive Research Center study. All applications reviewed in the study contained “at least medium-severity vulnerabilities,” while 70 percent had a critical vulnerability. The study noted that the trend had increased steadily over the last three years.

The testing employed automated tools that didn’t require any specific understanding of the target applications, meaning data thieves are able to send their penetration tools across a wide range of enterprises and applications attempting to gain access. Once the tool finds an opening, it can exploit the breach and notify the attacker of the opportunity.

An Arxan Technologies study of applications approved by the U.S. Food and Drug Administration (FDA) found similar vulnerabilities. According to the report, 84 percent of the FDA-approved apps tested failed to address at least two of the Open Web Application Security Project (OWASP) top 10 mobile security risks. Furthermore, 95 percent of those apps lacked binary protection.

The CIO’s New Mandate

Security must be assured for every application in the enterprise portfolio, and that level of responsibility rests at the top of the enterprise IT organizational chart. Attaining an adequate level of assurance on the security of applications is the new mandate for CIOs as data centers and infrastructure control continue to move from internal to cloud-based systems.

The CIO must become familiar with the entire range of applications being used throughout the enterprise. Moreover, the security leader should be involved at the initial stages of application selection and evaluation to ensure that departmental decisions made to improve functionality don’t open gateways for attackers.

Learn More

To learn even more about the latest Application Security Testing technology trends from Gartner Research, you can also read the “Automation and Integration Critical to Application Security Tool Adoption” report.
