Application security has no silver bullet. No single solution or approach will protect an organization from being vulnerable to attack. Following the DevSecOps mindset that “everyone is responsible for security”, organizations should ensure that they address security at every technology layer: perimeter, access, servers, open-source or third-party libraries, and custom application development.
As attackers continue to be inventive, the application security risk landscape remains ever-changing, and IT professionals are seeing an increase in both relatively new threats (DDoS via the Mirai botnet) and tried-and-true ones (SQL injection). These threats cost businesses real money, whether through downtime, fraudulent transactions, or embarrassing data breaches.
However, typical approaches to security seem to be skewed towards the perimeter – not what lies behind it.
“84% of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1.” – Gartner Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves (2014)
With the historical lack of investment into application security, and perhaps fueled by recent announcements on cyber-attacks, IT organizations should have a renewed focus on security within the application and its components. CAST can help organizations reduce software risk and strengthen their application security:
- CAST Highlight can be used to conduct a rapid portfolio-level analysis that immediately discovers the common open-source frameworks in your applications, and will soon be able to compare those against known vulnerabilities provided by the CWE.
- CAST Application Intelligence Platform (AIP) visualizes the current software architecture and provides an automated inspection of which elements connect to sensitive data structures. It identifies which data call pathways are safe and which are intrinsically vulnerable to attack, helping users understand what controls are needed to prevent common attacks and enforce new architectural constructs that keep the most sensitive data secure.
Whether you use solutions like CAST’s system-level analysis to build a software risk scorecard or build your own security assessment, security should be at the forefront of application development. Protection is key: attackers are not going to quit, so we can never let our guard down.