Application security has no silver bullet. No single solution or approach will protect an organization from attack. Following the DevSecOps principle that “everyone is responsible for security”, organizations should treat security as a concern at each technology layer: perimeter, access control, servers, open-source or third-party libraries, and custom application code.
As attackers continue to be inventive, the application security risk landscape keeps changing, and IT professionals are seeing an increase in attacks that use both relatively new techniques (DDoS via the Mirai botnet) and tried-and-true ones (SQL injection). These threats cost businesses money through downtime, fraudulent transactions, and embarrassing data breaches.
However, typical approaches to security seem to be skewed towards the perimeter, not what lies behind it.
“84% of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1.” – Gartner Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves (2014)
Given the historical under-investment in application security, and perhaps prompted by recent headlines about cyber-attacks, IT organizations should renew their focus on security within the application and its components. CAST can help organizations reduce software risk and strengthen their application security.
Whether you use a solution such as CAST’s system-level analysis to build a software risk scorecard or build your own security assessment, security should be at the forefront of application development. Attackers are not going to quit, so we can never let our guard down.
Erik Oltmans, an Associate Partner at EY Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and the liability implications of open-source components, all three of which are critical for M&A due diligence.