The Rise of Web Application Vulnerabilities and Sprawl
Take a bit of confusion, add a dash of skepticism, and boil it in a dingy solution of information overload to get exactly what some of the chief information security executives feel about web application security today.
Although it’s not that they don’t understand what needs to be done to secure business and customer interests, there are just too many vectors and too much information to process within the security sphere, and the addition of AppSec just makes it all much more complex.
Internationally, this concern about multiple security technologies and vectors has come to be called ‘sprawl’. In fact, the Global Information Security Workforce Study (GISWS), recently funded by (ISC)², surveyed around 14,000 information security professionals across the world on this very issue and published their responses.
According to the published results, nearly 66% of the professionals were concerned about the addition of multiple security technologies, which isn’t surprising given that even the websites of companies with deep pockets are getting hacked. These breaches only underscore the fact that money alone does not buy security. GISWS also shared some other valuable insights, but before moving on to those, let us take a closer look at sprawl and how widespread it is.
Uncertainties around Web Application Security
Imagine a job that demands the utmost research capability and the responsibility of guarding one of the most crucial assets of the 21st century: information. The daily tasks involve studying every bit of available information to gauge security effectiveness at the different layers of communication. And if there is a data leak, a new threat, or even the slightest data-breach concern, you are expected to have all the answers.
Sounds exhausting? That is exactly what security professionals across industries all over the world go through. They carry the huge responsibility of developing infrastructure, hiring the right talent, and keeping everything working in the right order.
As a matter of fact, until a few years ago this was not that difficult, because the risks were limited to the network layer and physical access to data, both of which can be secured with tested in-house measures. In the last five years, however, the whole game has shifted to a different level with application layer breaches. While earlier nobody really believed in the seriousness of Layer 7 vulnerabilities, the wounds of Heartbleed & POODLE have smashed away all the perceptions we had about security.
Things got even worse when security professionals realized the acute shortage of people who understand information security, especially web application security. Recently, several news pieces have covered this labor shortage in the application security and big data industries. Why is that? Firstly, most countries have no specific courses that equip graduates or even postgraduates to face real-life application threats, and it might take several years before such courses are tailored to global needs. Secondly, AppSec is an extremely volatile domain. It requires specific focus and ongoing training to keep up with the threats, much of which is not possible for security professionals who also oversee several other areas of security. Additionally, unlike the network and physical layers, business applications undergo frequent and numerous changes under tight deadlines, making security even more difficult.
Focused Approach to Web Application Security
Web application security is a different front and requires a specific set of skills and responsibilities for the following reasons:
- Attackers can exploit the website from almost anywhere in the world through the user interface
- There is no certain way to stop zero-day threats
- 75% of the attacks happen at the application layer
- Web applications are coded in a plethora of languages
- Business web applications are rarely tested and frequently changed
- Applications are critical to data communication and online transactions
Coming back to where we started, this shift from regular information security processes to application security is a huge concern for CIOs and CISOs. Firstly, they have to convince management to invest heavily in a new kind of protection technology and resources, and yet this does not guarantee results. Secondly, it forces both the security professionals and the company into micromanaging things, which causes opportunity loss (the value that could have been achieved if the time and money had been invested in real business operations).
Conveniently, the Global Information Security Workforce Study (GISWS), which underscored the global concerns about security, also sheds light on how security professionals are dealing with them. In the study, 57% of respondents believed that additional education and training in cloud computing would help, while 49% thought that a lack of in-house resources opens the door to security outsourcing. SaaS web application security solutions seem to be the logical answer to these growing concerns worldwide for the following reasons:
- Ongoing research development and training
- Zero initial infrastructure or machine costs
- Subscription model
- Zero-day threat support
- Dashboard control and detailed reports
Yet the most critical differentiator in favor of SaaS web application security solutions is the ability to find application vulnerabilities and patch them without making any changes to the code, and to do so consistently, in real time, at just a fraction of the cost.