{"id":9596,"date":"2015-10-13T10:44:50","date_gmt":"2015-10-13T15:44:50","guid":{"rendered":"http:\/\/www.mrc-productivity.com\/blog\/?p=9596"},"modified":"2023-03-13T16:17:32","modified_gmt":"2023-03-13T21:17:32","slug":"5-reasons-why-businesses-still-struggle-with-application-security","status":"publish","type":"post","link":"https:\/\/www.mrc-productivity.com\/blog\/2015\/10\/5-reasons-why-businesses-still-struggle-with-application-security\/","title":{"rendered":"5 reasons why businesses still struggle with application security"},"content":{"rendered":"

\"Education\"Summary: As cyber attacks increase and become more sophisticated, businesses should be doubling down on their application security. Yet, application security still lags behind. Businesses are not only still developing unsecure applications, they’re building applications with widely-known vulnerabilities. Why is security still such a big problem, and how can you address it?<\/em><\/span>
\n<\/a><\/p>\n

\"photo
photo credit: JavadR<\/a> via pixabay<\/a> cc<\/a><\/figcaption><\/figure>\n

Let me ask you a question: Which aspect of your business systems do you think hackers target the most? As mentioned in this article<\/span><\/a>: \u201cAccording to numerous studies, the preferred method for attacking businesses’ online assets is via their Web applications.\u201d<\/p>\n

Why do hackers target web apps? Because they are commonly built with known vulnerabilities–giving attackers an easy way into a business.<\/p>\n

A recent report<\/span> found that 86 percent of web applications tested had serious issues with authentication, access control, and confidentiality. What\u2019s worse, 52% of web applications suffered from commonly-known vulnerabilities, like Cross-Site Scripting, SQL Injection, and others.<\/p>\n

These findings are downright scary. Businesses aren\u2019t even protecting their applications against the most common threats. For a decade now, threats like Cross-Site Scripting and SQL Injection have taken the top spots in the OWASP Top Ten list<\/span><\/a>–a listing of the most critical web app security flaws. What\u2019s more, they\u2019re not that hard to fix.<\/p>\n

Consider those facts<\/strong>: Most business web applications suffer from widely known, yet preventable security vulnerabilities. They are not new threats–being listed as a top security threat for over 10 years running. These threats can cause irreparable damage to a business.<\/p>\n

Why does this keep happening year after year? Why do businesses keep creating applications containing known (and dangerous) vulnerabilities? How can your business address these issues? Today, let\u2019s explore those questions. Here are a few common reasons why businesses still create unsecure applications:<\/p>\n

1. Web application security is nobody\u2019s job<\/h3>\n
\"photo
photo credit: geralt<\/a> via pixabay<\/a> cc<\/a><\/figcaption><\/figure>\n

Businesses often approach development with a false assumption: Good developers understand security, and build it into their applications. To a certain extent, that\u2019s true. Developers should understand the basics of building a secure application.<\/p>\n

But, you can\u2019t expect a developer to be a security expert. It\u2019s an unfair assumption, considering their job description centers around development. They get hired to build applications. Can they possibly compete with hackers who spend all of their time trying to attack web applications? Of course not. They may understand the basics, but they don\u2019t have the time to keep up with every aspect of security.<\/p>\n

\u201cApplication developers are rarely (never?) hired because of their security expertise,\u201d says Julien Bellanger, CEO of Prevoty<\/span><\/a>. \u201cThey are hired to deliver new applications and new functionality. In order to attempt to stay ahead of hackers, security professionals need to spend a lot of their working lives monitoring the \u201cstate of the art\u201d in terms of publicly available knowledge around vulnerabilities. It takes a thief to catch a thief. Developers were not hired to do this, they don\u2019t have the time to do this and their skill sets are not best placed to implement mitigations against complex attacks.\u201d<\/p><\/blockquote>\n

2. Management places little focus on security<\/h3>\n

Peter Drucker is famously quoted as saying, \u201cWhat is measured improves.\u201d The problem for many developers: Security isn\u2019t measured. They don\u2019t get measured or rewarded for creating secure applications.<\/p>\n

It\u2019s a great question to ask yourself: What are we measuring? What is our reward structure? If you judge and reward your developers on how quickly they work, but not on security…what do you think will happen? Developers will recognize that management places little emphasis on security, and will follow the lead.<\/p>\n

\u201cSecurity takes time and money and in most organisations it\u2019s at the bottom of the priority list,\u201d says Andreas Heiberg<\/span><\/a>, Senior Developer at UpDownLeftRight. \u201cWhen deadlines are slipping and money is tight it\u2019s easy to skip vigorously testing and over architecting your system.\u201d<\/p><\/blockquote>\n

3. Security takes a backseat to development speed<\/h3>\n
\n
\"photo<\/a>
photo credit: BenjaminNelan<\/a> via pixabay<\/a> cc<\/a><\/figcaption><\/figure>\n

\u201cIn my experience, working with large and small development organisations, the main reason behind this is the rush to be first to market,\u201d says Taz Wake CPP CISSP CISM CEH CRISC CCISO CCSK, Security Director at Halkyn Consulting Ltd<\/span><\/a>. \u201cThe business driver is for applications to be developed quickly, before a competitor can produce one, and then deployed to the user community. This speed to market, combined with downward pressure on costs, often leads to developers reusing the same code blocks so mistakes keep turning up. On one client engagement we discovered that the developers were simply searching github and google code for everything and using it without making any changes – even when the code had been posted to ask for help fixing a problem.\u201d<\/p><\/blockquote>\n

This problem stems from the issue mentioned above. What are you measuring? Businesses frequently place greater importance on other areas of development (like speed), forcing security to take a backseat. How common is this problem? As mentioned below, a recent survey found it affects 70% of developers.<\/p>\n

“Agile development methodologies have become almost standard for enterprise application development and business requirements are driving more rapid application releases,\u201d says Bellanger. \u201cThis means that the time required to fix all identified vulnerabilities is often short and sometimes non-existent. We surveyed over 200 application developers on this very topic and found that more than 70 percent admitted that business pressures to release application updates often overrode security concerns.\u201d<\/p><\/blockquote>\n

4. The business doesn\u2019t invest in proper training<\/h3>\n
\"photo
photo credit: jarmoluk<\/a> via pixabay<\/a> cc<\/a><\/figcaption><\/figure>\n

The security landscape constantly evolves. Developers need regular training, just to keep up with best practices. Without it, they can\u2019t possibly stay on top of security changes, while handling their development responsibilities.<\/p>\n

The problem: If business leaders don\u2019t grasp the importance of security, they won\u2019t devote resources to proper training. Without a mandate for training that comes from leadership, developers will focus their efforts on meeting their daily demands–while falling more and more out of touch with security.<\/p>\n

\u201cThere are many security problems that continue to permeate the application development arena,\u201d says Max Aulakh, Chief Security Architect at MAFAZO: Digital Solutions<\/span><\/a>. \u201cThe primary being lack of training that targets developer behavior change. We are teaching about how to do bug changes, create threat models and yet fail to address impact to the business that developers get and understand so it\u2019s in their best interest to build a secure application. This has to come from leadership down in the form of training and it\u2019s NOT best done via power point slides. This is fundamental to building secure applications more so than any process or software you could purchase.\u201d<\/p><\/blockquote>\n

5. Application development gets treated as a one-time project<\/h3>\n

The security landscape is constantly evolving. New threats emerge on a daily basis. Software vendors regularly release patches to cover new security flaws.<\/p>\n

The problem is, development is often looked at as a one-time project. Once the application is completed and delivered, it\u2019s on to the next one. But, who is in charge of keeping existing applications secure? Who is in charge of keeping frameworks and libraries used in an application up to date? If you don\u2019t know, the answer is probably \u201cno one.\u201d<\/p>\n

\u201cA business building its own apps usually treats it as a one-time endeavor,\u201d says Tsahi Levent-Levi, Consultant and Analyst, Founder of BlogGeek.me<\/span><\/a>. \u201cOnce the app is complete and launched, little is done to improve and maintain it beyond the basics. Security threats are an ongoing issue – one you need to deal with continuously, so unless the app in question is core to the business itself (i.e – makes direct money as opposed to being supportive to the business itself), little will be done to actively find and fix these security issues.\u201d<\/p><\/blockquote>\n

Summary<\/h3>\n

Now, I realize this list of challenges might seem daunting to those exploring mobile apps for the first time. But, don’t let it scare you. Hopefully this article helps prepare you for the journey, and gives you a good idea of what to expect. If you would like to add anything to this list, I\u2019d love to hear it. Feel free to share in the comments.<\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: As cyber attacks increase and become more sophisticated, businesses should be doubling down on their application security. Yet, application security still lags behind. Businesses are not only still developing unsecure applications, they’re building applications with widely-known vulnerabilities. Why is security still such a big problem, and how can you address it?<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","slim_seo":{"title":"5 reasons why businesses still struggle with application security - mrc's Cup of Joe Blog","description":"Summary: As cyber attacks increase and become more sophisticated, businesses should be doubling down on their application security. Yet, application security st"},"footnotes":""},"categories":[8],"tags":[71],"class_list":["post-9596","post","type-post","status-publish","format-standard","hentry","category-education","tag-security"],"_links":{"self":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/9596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/comments?post=9596"}],"version-history":[{"count":9,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/9596\/revisions"}],"predecessor-version":[{"id":14689,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/9596\/revisions\/14689"}],"wp:attachment":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/media?parent=9596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/categories?post=9596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/tags?post=9596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}