
A Bigger Boat: Application Security Outgrows Capacity for CIOs

Greg Reber

There is a classic scene in the movie "Jaws" when Roy Scheider gets a look at the size of the shark circling his fishing vessel and says, "We're going to need a bigger boat." The same case can be made for CIOs dealing with application security today.

Hackers from all over the world are circling business and government like great whites looking for vulnerabilities in Internet-facing applications. The growth of applications is great for doing business but they have become chum in the water for predators.

Unfortunately, the scope of the problem threatens to capsize the ability of many CIOs and CSOs to mitigate these vulnerabilities. Many turn to automated external scanning and automated static source code or binary analysis tools, but these tools are currently limited: they can only find approximately 40% of the types of security vulnerabilities that should be evaluated in a security assessment.

This means that there is a 60% gap in organizations' application security. Sixty percent is a significant statistic. Organizations with Internet-facing applications need to apply the same level of security diligence as they would for perimeter defenses, taking a strategic look at their application security practices to cover this massive gap. Quick fixes may be fine for some areas of the enterprise, but not when you're putting consumers and employees — and ultimately your brand — at risk.

The best way to determine the total risk due to application vulnerabilities is to assess them using a blend of manual and automated analyses. Manual static analysis involves a review of the application architecture and source code by highly skilled software security engineers. The resulting analysis is comprehensive and is, overall, the most reliable of the approaches. Thus it has been the method of choice where application security is of paramount concern, such as the financial services sector.

The sharks will always be out there. They are hungry and smart (unfortunately). You need to see everything that they can to protect yourself, using all available means — the right sized boat for the threat.

By Greg Reber, CEO of AsTech Consulting
