Applications today are critical touchpoints to an organization’s products and services, but they are also the weakest link when it comes to cyberattacks.
Since 2017, technology analysts have placed applications at the top of the target list for attackers trying to infiltrate corporate networks. According to the Forrester Data Global Business Technographics Security Survey 2017, 41% of external attacks were carried out by exploiting software vulnerabilities and 38% were carried out through SQL injection, cross-site scripting and remote file inclusion against web applications.
Hong Kong lags in strengthening application security
In Hong Kong over roughly the same period, the city saw malicious attackers zeroing in on applications as easy gateways for stealing users’ data. In late 2016, a security incident involving a stock trading mobile app cost an investor HK$2 million in unauthorized transactions.
The case led Hong Kong’s Mobile Security Research Lab to conduct a study of 140 selected Android stock trading mobile apps, which found that most of the stock trading apps in the city were rife with security risks. Of the 25 evaluation criteria used in the study, 86% of the apps failed the five most critical security tests. Likewise, 86% of the tested apps had no root detection, and most of them did not implement two-factor authentication to make password compromise harder.
Tom Chan, managing director at HKT Commercial Group, observes that many companies in Hong Kong still rely on basic technology such as firewalls and antivirus software. “There is no one solution that can solve all their cybersecurity problems,” Chan says. “However, they may want to include threat intelligence and detection technology in their information security infrastructure.”
He points out that many companies do not have total visibility across all their applications—and this contributes to the lack of application security protection in their organization.
“They have gaps in their application security posture,” Chan says. “They have low readiness in security risk assessment; they lack technology and process controls; and, not only is cybersecurity talent thin on the ground, the ones we have are short on cybersecurity training around using threat detection technologies like threat hunting, forensics and cyber threat intelligence.”
Chan underscores the need for regular training to keep your cybersecurity professionals up to date.
“Human capital is an essential element for securing your applications, so train your in-house warriors to protect you,” he says, adding that, to supplement their cybersecurity capabilities, companies are well advised to work with a reliable technology partner who can offer well-rounded security solutions.
Downside of agile software development
New apps are churned out with greater frequency and in greater numbers as they become a critical element of companies’ engagement with customers.
“Companies tend to trade off security to meet time to market,” says Chan.
In “The State of Application Security 2018” report issued in January, analysts at Forrester made the same observation.
“Security pros struggle to adapt to speedy releases,” the report said. “Open source vulnerabilities continue to plague enterprises as developers rely more on these building blocks to help speed development and delivery.”
“Web applications continue to show vulnerability to attacks such as SQL injection and cross-site scripting, with little relief in sight,” the Forrester study said. “The challenge is that development teams are buried under mountains of requirements to make apps more user friendly and engaging within a shrinking period of time, which leaves essentially no room to strengthen and assure application security.”
Unfortunately, company size does not protect an organization from web application attacks.
The analyst firm reported that 42% of large enterprises and 40% of small- and medium-size enterprises suffered external attacks from software vulnerability exploits in 2017. For web application attacks, the numbers were 42% for small and 30% for medium-size companies.
The challenges of application security vary greatly by industry, according to Forrester.
“Retail and wholesale companies are bracing for malicious bots,” the report said. “Bot management is not just for preventing large-scale DDoS campaigns like what we saw with the Mirai attack. Bots can also perform business-disrupting actions such as inventory hoarding and web content scraping.”
Meanwhile, utilities and telecoms are trying to shore up open source security and prevention technologies; and financial services firms are facing regulatory pressure and falling back on penetration services for compliance, the report said.
Application spending will rise
CISOs have come to realize that there are just not enough bodies to throw at security to make the improvements they need, even as they push for earlier testing and better protection of applications during development.
Gartner, in a forecast analysis of the worldwide information security market, said that by 2019 more than 50% of enterprise DevOps initiatives will have incorporated application security testing for custom code, up from fewer than 10% in 2018.
“Transitions to digital business models, enabled by applications, have prompted line-of-business owners to increasingly question the risk profile of these apps and the potential impact to the organization,” said the Gartner analysis, which was released in September.
In its own latest forecast issued in October, Forrester predicted that the application security market will exceed US$7.1 billion by 2023, a 16.4% compound growth rate from 2017. Global spending on application security is expected to more than double in the next five years.
“Faster development cycles make previous pre-release security measures obsolete,” said Forrester analyst Amy DeMartine. “Security pros performing manual scanning or, worse yet, security checkpoint meetings, slow down development cycles.”
She said 27% of global developers release new code monthly or faster, while 35% of them build multiple times per day or during check-in.
“This means that any kind of manual intervention to determine security quality will be frustrating for developers and will either cause them to skirt or refuse security scanning altogether,” DeMartine said.
With malicious hackers creating and buying bots so they can quickly test and modify attacks, those tasked with protecting enterprise applications simply cannot keep up.
“This overwhelming malicious automation leaves security pros no choice but to automate their prevention capabilities using runtime protection technologies,” DeMartine said.
Automation offers hope
In its forecast, Forrester predicted that the explosive growth of the application security market will be spurred primarily by increased spending on automated security scanning tools.
“Companies will prioritize their efforts to reduce the number of security weaknesses and vulnerabilities in their application over relying on runtime protection tools to prevent external application attacks,” said DeMartine.
In 2017, Forrester reported that security scanning tools accounted for 60% of the overall application security market.
“Recent advancements are helping firms integrate scanning tools into the software delivery lifecycle to take advantage of continuous integration and continuous deployment (CI/CD) automation, which gives developers early, actionable data with every application release,” said DeMartine.
Forrester listed the security scanning tools as dynamic application security testing (DAST), interactive application security testing (IAST), software composition analysis (SCA) and static application security testing (SAST) tools.
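The integration DeMartine describes, in which SAST and SCA results feed back to developers automatically on every release rather than through a manual checkpoint, is in practice a pipeline gate: a small step that reads the scanners’ output and fails the build when findings cross an agreed severity line. The script below is an added illustration of such a gate, not code from the article or from Forrester; the JSON layout of the findings, the tool and rule names, and the sample report are all constructed for the example and do not correspond to any vendor’s real output format.

```python
"""Pipeline gate over SAST/SCA findings (added example; assumed schema).

Reads a scanner report, drops findings already accepted in a baseline,
and fails the build when anything at or above the threshold remains.
"""
import json
import sys
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Ordering used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner produced it, e.g. "sast" or "sca"
    rule: str       # scanner rule identifier
    severity: str   # one of SEVERITY_RANK's keys
    location: str   # file:line or dependency spec
    message: str    # developer-facing explanation


def parse_findings(report_json: str) -> List[Finding]:
    """Parse a report in the assumed {"findings": [...]} layout."""
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        sev = item["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {sev}")  # refuse to guess
        findings.append(Finding(item["tool"], item["rule"], sev,
                                item["location"], item["message"]))
    return findings


def blocking_findings(findings: List[Finding], threshold: str = "high",
                      baseline: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Findings at or above `threshold` that are not in the accepted baseline.

    The baseline holds (rule, location) pairs that were reviewed and accepted
    earlier, so a newly enabled gate does not block every release on old debt.
    """
    min_rank = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= min_rank
            and (f.rule, f.location) not in baseline]


def gate(report_json: str, threshold: str = "high",
         baseline: FrozenSet[Tuple[str, str]] = frozenset()) -> Tuple[bool, List[str]]:
    """Return (passed, messages); messages are sorted most severe first."""
    blocking = blocking_findings(parse_findings(report_json), threshold, baseline)
    blocking.sort(key=lambda f: -SEVERITY_RANK[f.severity])
    messages = [f"[{f.tool}] {f.severity.upper()} {f.rule} at {f.location}: {f.message}"
                for f in blocking]
    return (len(blocking) == 0, messages)


# Constructed sample report; rule names and locations are illustrative only.
SAMPLE_REPORT = json.dumps({"findings": [
    {"tool": "sast", "rule": "sql-injection", "severity": "high",
     "location": "app/orders.py:42",
     "message": "SQL query built by string formatting from request input"},
    {"tool": "sca", "rule": "vulnerable-dependency", "severity": "critical",
     "location": "requirements.txt:example-lib==1.0",
     "message": "dependency version with a known weakness (constructed)"},
    {"tool": "sast", "rule": "xss-unescaped-output", "severity": "medium",
     "location": "app/templates/profile.html:17",
     "message": "user-controlled value rendered without escaping"},
]})


if __name__ == "__main__":
    passed, msgs = gate(SAMPLE_REPORT)
    for m in msgs:
        print(m)
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)  # non-zero exit fails the CI job
```

Run as a CI step, the non-zero exit is what turns the scan into the “early, actionable data” the quote refers to: the developer sees the rule, the location and the reason in the job log, and the medium finding is reported only once the team lowers the threshold, so the gate’s strictness can be ratcheted up release by release instead of blocking everything on day one.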
“The automation of security scanning and runtime protection will fundamentally reshape the application security role,” DeMartine said. “Over the next five years, scanning technologies will become more integrated into the CI/CD pipeline and will create remediation advice that developers trust, eventually even implementing fixes automatically.”
She also noted that runtime protection tools will take the same leaps, from manual rule modification to rule change suggestions and finally to automatic rule implementation.
“This change will allow application security pros to morph from a task-driven role to a predominantly governance role to monitor for application outliers that are not following predefined security scanning and runtime protection,” DeMartine said.
“This will also allow the application security resources to instead become security designers that help develop customer experiences that are enhanced by security,” she added.