Nov 14, 2018
How much does your organisation know about the security of the applications it runs and develops? According to a recent study by the Ponemon Institute, 35% of organisations don’t use any major application security testing methods for application vulnerabilities – and two thirds of respondents said they don’t have any visibility into the overall state of application security in their organisation. Today I’m looking at 4 causes of application security visibility problems that your organisation needs to address, in order to protect against vulnerabilities that could put your data at risk.
1) Shadow IT
Shadow IT refers to unauthorised systems and applications that exist within an organisation’s wider network. 69% of respondents in the Ponemon Institute’s study stated that their organisation doesn’t know all applications or databases that are currently active on their network. Shadow IT most commonly manifests when employees install their preferred applications onto a corporate network and use them without making the organisation’s IT or security department aware. But if the IT department aren’t aware of applications that are being used, employees are unknowingly creating security blind spots – parts of the network operating outside of the IT team’s knowledge – which pose a risk to the security of the whole network.
2) Rush-to-Release Pressures
56% of respondents believed their organisations to be under pressure to release new apps quickly, and 35% of organisations don’t perform any major application security testing prior to deployment. This highlights how rush-to-release pressures are severely compromising application security and security visibility within organisations. By deploying applications without testing, you’re dealing with the unknown: how many potential vulnerabilities have you introduced to your organisation’s network with that one application?
3) Not Testing Throughout the Software Development Lifecycle
Security best practices can be the first thing to slip when your developer team is up against tight deadlines, but this can lead to application security visibility problems if vulnerabilities are introduced into an application which is later deployed without testing. Only 14% of respondents test the applications they’re developing in all stages of the software development lifecycle. Regular, ongoing testing is essential for improving visibility into application security, as it makes your developers and security teams aware of vulnerabilities early in the development process, so they can be remediated before they become ingrained in the application.
4) Poor Risk Management Process
A structured risk management process is necessary to join up security activity across the whole organisation. But a massive 28% of respondents to the Ponemon Institute’s study revealed that their organisation has no process in place for managing application security risks, and a further 9% had only an ad hoc process in place. Your organisation’s risk management process will cover everything from securing the software development lifecycle, to application security testing, to responding to and remediating vulnerabilities. Without a structured risk management process in place, it’s unlikely that applications will be tested for vulnerabilities, or if they are, it’s unlikely that security teams will be able to remediate those vulnerabilities in a timely manner.