The proliferation of applications used in business today is integral to the way we generate and access information, whether via the cloud, mobile or laptop devices. A recent industry report revealed that network security continues to be better funded than application security, which has a dramatic impact on business performance.
Meanwhile, accountability for the security of applications appears to be in a state of flux. In a survey by F5 Networks and The Ponemeon Institute, 56 percent of respondents believe accountability for application security is shifting from IT to the end user or application owner. With this in mind, who actually owns application security?
The onslaught of technology
The roles and responsibilities for application security are often dispersed throughout organisations. While 21 percent of respondents said the CIO or CTO is accountable, another 20 percent said no one person or department has full ownership. The report also added that 20 percent of respondents say business units are accountable and 19 percent stated that the head of application development is accountable.
This may appear to be like a game of pass the parcel. However, many companies are still coming to terms with the onslaught of new technologies, such as the Internet of Things infiltrating all aspects of our professional and personal lives. As a result, IT departments are often unprepared and under-resourced to implement sufficient defence strategies for these emerging areas of technology.
The report highlighted other key findings. Fifty percent of respondents said the application is attacked more and 58 percent claimed such attacks are more severe than at the network layer. Interestingly, in the past 12 months, the most common security incidents due to insecure applications were: SQL injections (29 percent), DDoS (25 percent) and Web fraud (21 percent).
Visibility into vulnerabilities
With the propagation of applications in the workplace, the IT function often does not have visibility into all the applications deployed across their organisations. This lack of ownership can cause delays in the response to cybercrime. The cost to businesses can quickly amount to severe delays in service levels or leave their organisations vulnerable to further cyber-attacks. Only 35 percent of respondents in the report said their organisations have ample resources to detect vulnerabilities in applications and 30 percent said they have enough resources to remediate vulnerabilities. As a general point, funding is also a major issue where businesses typically tend to invest in traditional areas of IT, including hardware, infrastructure and devices.
Determining a sustainable ownership strategy for application security will help firms to deploy applications security across their employee network for 24-hour access, on any device and from any location. Working with specialist vendors has proven invaluable to preventing unnecessary downtime and can dramatically reduce losses that affect the bottom line.
Better collaboration
Today’s application developers alone are often not equipped to meet zero-day attacks. In addition, pressure to design and issue products to market quickly and meet customer demand is on the increase year-on-year. In short, developers are under-resourced and can be found at times to compromise on standards.
Ultimately, application security is a collective responsibility. Stakeholders in the equation of a successful application deployment strategy should include the IT department, developers, DevOps and also company CIO or CTO executives who need to attribute more resources to this important area of business. As companies seek to be more agile, adopting best practice and integrating expertise from across the business will avoid surprises when the hot application security potato lands in your lap. In turn, working together enables key areas of the business to utilise vital data more securely and galvanise the organisation to tackle malicious cybercrime.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.