Aug 24, 2018
When it comes to application security, it’s very easy to lull yourself into a false sense of security and think you’ve got everything covered. But the security landscape changes at an incredible pace, with new threats and vulnerabilities emerging all the time. Today we're busting 5 common myths about application security, to help your organisation protect its sensitive data.
1) “We don’t have a software security problem”
There’s a serious disconnect between the perceived and actual state of a company’s application security, with 75% of decision-making executives believing their application security to be mature, compared with just 11% of developers. Many companies fall into the trap of thinking that just because they haven’t suffered a serious data breach, their application security must be fantastic. In reality it just means they haven’t suffered a data breach – yet. Or, even worse, they’ve already suffered a data breach but their IT systems haven’t detected it yet.
2) “Our network is very secure so our applications are protected”
Many organisations assume that the network layer of their infrastructure is the primary source of security vulnerabilities. In reality, however, it’s the application layer that poses the biggest threat. Gartner estimates that 70% of all vulnerabilities are caused by poor application security, with other researchers estimating the figure to be as high as 90%. So it’s great that your company is investing in securing your systems, but it’s imperative that you align security spending with where the actual risks are, not where you assume them to be.
3) “Software security isn’t my problem”
Application security is the responsibility of your developers or security team, right? Nothing to do with you. Unfortunately, 52% of all security breaches are caused by human error, and 91% of successful data breaches rely on the manipulation of an organisation’s employees and customers. So security should be a company-wide concern, not just something for your developers or your security team to “deal with”. It’s vital to lay a foundation of basic security awareness in your organisation and make sure that everyone understands the risks the company faces, and the role they play in minimising those risks.
4) “I’ve got XYZ tool so my applications are secure”
It’s tempting to look for a single tool that can sort out your company’s application security. But with the speed at which the security landscape changes, and the constant development of technology and vulnerabilities, that’s just not possible. Tools like web application firewalls or dynamic analysis tools will help you identify and defend against some of the vulnerabilities affecting your applications, but not all of them. Your dev team need to understand best practices for secure coding, so that the applications you develop have as few vulnerabilities as possible. And your security team need to understand how to operate security tools so they identify vulnerabilities, and how to advise your dev team on mitigating the risk of the same vulnerabilities recurring in the future.
5) “Compliance will take care of application security”
It almost seems unfair that even once you’ve done everything you need to do to achieve regulatory compliance, there’s still work to be done to achieve application security. The problem with confusing compliance with application security is that regulatory standards only touch upon application security superficially. For example, the Payment Card Industry Data Security Standard (PCI DSS) has specific requirements for network security, but only superficially addresses application security, even though the application layer is where the majority of the vulnerabilities are. So regulatory compliance is a good first step for getting your company thinking about application security, but you will do better following industry-standard best practices for application security, rather than compliance regulations.