At the World Economic Forum held in Davos in January 2018, it was reported that in 2017 the world economy lost about $450 billion to cybercrime, and that is only an approximate figure.
The SANS Institute released a white paper according to which 43% of organizations update or publish new applications every day. The same report says that almost 60% of breaches were carried out through vulnerable public-facing web or mobile applications. This means that applications are the main vector of cyberattacks.
On the other hand, many application security tools, SaaS products and services have been launched over the last several years, and new terms such as DevSecOps and CI/CD have been introduced. For most companies' information security officers it is now hard to navigate this AST (application security testing) jungle, find the appropriate solution and save corporate money.
Below you will find useful ideas on how to improve the return on investment of application security:
Idea 1: Application discovery
Hackers watch your applications. Do you watch them? Do you know all of your abandoned, outdated, vulnerable applications installed on your servers or mobile devices? In most cases the IT department cannot guarantee that it knows every app installed in your external infrastructure. Most surprising is the fact that you can hardly find such services on the net. Not long ago we launched a service that discovers your apps automatically and free of charge.
Idea 2: Additional security measures
This step actually follows from the first one above. Many server or mobile applications can be accessed from outside, and many people simply can't imagine how easily that can be done and the application compromised. Two-factor authentication (2FA) is strongly recommended, together with restricting access to a given range of IP addresses and geolocations (GeoIP). These simple methods can dramatically reduce the risk of a breach.
Idea 3: Business Impact Analysis
Once external risks are isolated, assess your internal applications with a Business Impact Analysis (BIA). Find out which of your applications store or process personal data. Make sure your systems meet the upcoming GDPR requirements and other regulations (for example, PCI DSS); failure to do so may cost you millions of dollars. Assign a responsible person for each application.
Idea 4: Continuous Monitoring
Any application security strategy must include continuous security monitoring of your critical applications. Other applications must be checked regularly to identify weaknesses that can cause a breach but are not classic code flaws: weak passwords, an exposed FTP server, SSL/TLS vulnerabilities and so on. If your application has open-source or third-party components, use of SCA (Software Composition Analysis) is recommended. In addition, continuously monitor for phishing, typosquatting and cybersquatting domains with the help of online tools.
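As an added example (not code from the original post), here is a small monitor for the typosquatting check described above: it derives lookalike variants of a brand domain and flags any that appear in a feed of observed registrations. The brand domain `acmebank.com` and the feed are constructed sample data; a real deployment would read newly registered domains or certificate transparency logs instead.

```python
# Added example: typosquat / cybersquat monitor for a brand domain.
# Brand domain and OBSERVED_FEED below are constructed sample data.

# Small, illustrative substitution tables (not exhaustive).
KEYBOARD_NEIGHBOURS = {"a": "qws", "e": "wrd", "i": "uok", "o": "ipl",
                       "s": "awd", "m": "nk", "n": "bm"}
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1l", "l": "1i", "o": "0"}
SQUAT_AFFIXES = ["{n}-login", "{n}-secure", "secure-{n}", "my{n}"]


def typosquat_candidates(domain):
    """Return lookalike domains (same TLD) derived from `domain` ('name.tld')."""
    name, tld = domain.rsplit(".", 1)
    cands = set()
    for i, ch in enumerate(name):
        cands.add(name[:i] + name[i + 1:])          # omission: drop one char
        cands.add(name[:i] + ch + name[i:])         # repetition: double one char
        for c in KEYBOARD_NEIGHBOURS.get(ch, "") + HOMOGLYPHS.get(ch, ""):
            cands.add(name[:i] + c + name[i + 1:])  # neighbour / homoglyph swap
    for i in range(len(name) - 1):                   # transposition of adjacent chars
        cands.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    cands.update(a.format(n=name) for a in SQUAT_AFFIXES)  # common cybersquat affixes
    cands.discard(name)                              # never flag the brand itself
    return {f"{c}.{tld}" for c in cands}


def find_lookalikes(domain, observed):
    """Observed domains that are typosquat candidates or embed the brand name
    (the latter also catches the same name under a different TLD)."""
    name = domain.rsplit(".", 1)[0]
    cands = typosquat_candidates(domain)
    return sorted(d for d in observed
                  if d in cands or (name in d and d != domain))


# Constructed feed of "newly observed" registrations.
OBSERVED_FEED = [
    "acmebank.com",        # the legitimate domain, must not be flagged
    "acmbank.com",         # omission
    "acmebnak.com",        # transposition
    "acmebsnk.com",        # keyboard neighbour (a -> s)
    "acmeb4nk.com",        # homoglyph (a -> 4)
    "acmebank-login.com",  # cybersquat affix
    "acmebank.co",         # same name, different TLD
    "example.org",         # unrelated
]

if __name__ == "__main__":
    for hit in find_lookalikes("acmebank.com", OBSERVED_FEED):
        print("lookalike domain observed:", hit)
```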
Idea 5: Application security guidelines
Usually security flaws are identified relatively quickly, but due to the complexity of some apps, or a lack of time or resources, it can take weeks or even months to patch them. This puts the company's systems at critical risk of a data breach, so your information security team should have a clear plan for how to treat security problems. There are two ways to fix security problems in your applications: 1) deploy new code, or 2) apply a virtual patch using a web application firewall (WAF).
These easy steps can increase your application security testing ROI several times over and help you protect your systems more efficiently without increasing your cybersecurity spending.