BreachExchange mailing list archives
App security: The most overlooked cybersecurity measure
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Thu, 3 Mar 2016 17:03:38 -0700
http://www.itproportal.com/2016/03/03/the-most-overlooked-cybersecurity-measure-app-security/

It's hard to imagine how we've ever lived without apps. Whether it's for work or for play, apps are becoming invaluable in the information they can supply us and the entertainment they can grant us. But app security is something not a lot of people consider when they install a new program or download a game. And this is exactly what hackers are hoping for - that you'll overlook the fact that you're potentially opening a back door to all of your personal and sensitive information. That app may have given you a few minutes of fun, but the breach of your data could have long-lasting consequences.

As a business owner, your company's cybersecurity should be of the utmost importance. So how do you prevent hackers from gaining access through application security breaches? The answer is education - both for yourself and your staff. Cybercriminals are always looking for ways to take advantage of the system, so be sure you know where and how to stop them before they can get in.

Why app security is crucial

Businesses both large and small know that any sort of digital presence needs the proper cybersecurity. A leak of sensitive information or financial data is any company's worst nightmare, and it feels like more and more stories about credit card hacks are popping up in the media every year. You can guarantee that the affected businesses put at least some effort into protecting their online assets - but one area they might have missed was the security of the applications they use.

"Organizations spend somewhere between 45 and 50 billion dollars on security but [a] very small percentage is focused on applications," says an article at Forbes. The article also notes that eighty four per cent of cyberattacks happen on the application layer - a number that's uncomfortably high, especially if you're suddenly wondering just how good your application security is right now.

The article goes on to quote Rik Turner, senior analyst on Ovum's Infrastructure Solutions Team, as saying, "You can go online, find a little piece of software that's been used many times before, make a couple of little tweaks in it so that it performs differently making it very difficult to detect when it's doing its mischief, and away you go."

Are you creating your apps in-house?

It could even be something as seemingly innocuous as a flawed app design. If your company chooses to create an app in-house, there's a greater chance that you'll be able to be hands on in the design and maintain quality control over the source code. However, if you leave app programming to an outside vendor, you might be opening a window to hackers - sometimes intentionally, sometimes not.

"With time-sensitive schedules, developers are also likely to assemble applications from hybrid code - obtained from a mix of in-house development, outsourced code, and third-party or open-source libraries," explains an article at MIT, "During this mash-up process, critical vulnerabilities can be copied, overlooked, and implemented into production code."

So even if the app designers didn't mean to create vulnerabilities in the code, it's all too easy to miss a step, especially when under pressure to deliver - and that's exactly what hackers are counting on.

How to prevent app hacking

As mentioned above, when you're the business owner, ensuring that application design is thorough and complete is an absolute must. The moment that you push out an app with vulnerabilities is a moment that can wreck your company's reputation, and potentially lose consumers' trust in your brand.

If you're looking to hire outside vendors to design an app for your business, be sure to thoroughly research past work, ask to see portfolios, and gather recommendations from colleagues. It's best to choose app designers you trust - and ones that will take the time to do a meticulous job rather than a piecemeal one - in order to get a quality product.

Consistent application evaluation is also key to ensuring that all potential holes are patched up. A piece on web application security at eSecurity Planet points out that performing tests on applications to find security flaws was highly successful:

"Feeding vulnerability results back to development teams through established bug tracking or mitigation channels was the activity that yielded the best result across the three key metrics… Organizations that did this reported 40 percent fewer vulnerabilities than the average, fixed them nearly a month faster and increased remediation rates by 15 percent."

The article continues to say that communication between teams is vital to preventing cybersecurity problems, particularly when it comes to development and security teams.

As for those two teams, when you're the business owner, it's valuable to keep both your developers and security aware of the most up-to-date risks and flaws in applications. The eSecurity Planet piece uses the examples of content spoofing, fingerprinting, and cross-site scripting, noting that although instances of those risks were high ten years ago, now that teams are aware of the problems, they're showing up less and less.

More awareness means less vulnerability, so make sure your team has access to the most current risks - and fixes - associated with application security. It's worth passing along OWASP's Top 10 list of coding vulnerabilities that should be tended to, including security configuration, cross-site request forgery, and unvalidated redirects and forwards, among others.

With so many areas of business at risk of cybercrime, it can be easy to overlook even the smallest of vulnerabilities. But all it takes is one faulty application to create the perfect back door entrance for hackers, and before you know it, your company and brand are tarnished by a security breach. Whether you're pushing out an application that was created in-house or via outside vendors, make sure you've got all your bases covered with a strong, secure build and a reliable team behind it. It could spare you a potential disaster down the line.