
Finding the Holes in Your Application Security Blanket

Last month, application security provider Veracode came out with a study that stated that more than half of all enterprise applications aren’t secure. The company tested approximately 2,900 applications over an 18-month period, and 57 percent failed to meet Veracode’s “acceptable levels” of security.

While this study gained a tremendous amount of traction in the media, which helped raise awareness of just how vulnerable enterprise applications are, it does not address the bigger issue of how to fully secure these applications. That 57 percent sounds like a lot, but the real number is higher once you take into account the vulnerabilities that automated scanning can’t find.

Automated scanning tools such as Veracode’s are very good at finding some common vulnerabilities, but they cannot find some pretty significant issues. Policy-based security measures, such as weak password strength requirements, will not be found by an “automagic” scan of source code. The only way to determine the total risk due to application vulnerabilities is to use a combination of manual and automated analyses. That combination is still the only path to discovering and understanding all the risks present in Internet applications. Using automated tools alone is much better than doing nothing at all, but it tells you less than half the story.
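To make the point concrete, here is an added example (not from the post or from Veracode): a password check whose code has no defect a source scanner would flag, yet which enforces a policy far too weak to be secure, next to the kind of policy audit a manual review adds. The policy values and the baseline threshold are constructed for illustration.

```python
# Added example, not from the original post. A password-strength check that is
# syntactically clean and would not trip a source-code scanner, yet enforces a
# policy too weak to call "secure". The audit function is the manual-review
# step; its baseline threshold is an assumed value, not a cited standard.
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_mixed_case: bool
    require_digit: bool
    max_length: int = 128  # an upper bound guards against pathological inputs


# Two constructed policies: the weak requirement the post warns about, and a stronger one.
WEAK_POLICY = PasswordPolicy(min_length=4, require_mixed_case=False, require_digit=False)
STRONG_POLICY = PasswordPolicy(min_length=12, require_mixed_case=True, require_digit=True)


def validate_password(policy: PasswordPolicy, candidate: str) -> bool:
    """Return True if `candidate` satisfies `policy`. Nothing here is a code
    defect: the function is correct for whatever policy it is handed."""
    if not (policy.min_length <= len(candidate) <= policy.max_length):
        return False
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if policy.require_mixed_case and not (has_lower and has_upper):
        return False
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        return False
    return True


# Assumed baseline a reviewer measures the configured policy against.
BASELINE_MIN_LENGTH = 12


def audit_policy(policy: PasswordPolicy) -> list[str]:
    """Compare the configured policy with the baseline and report gaps.
    These findings are policy weaknesses, which a scanner does not produce."""
    findings = []
    if policy.min_length < BASELINE_MIN_LENGTH:
        findings.append(f"min_length {policy.min_length} below baseline {BASELINE_MIN_LENGTH}")
    if not policy.require_mixed_case:
        findings.append("mixed case not required")
    if not policy.require_digit:
        findings.append("digit not required")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(name, validate_password(policy, "pass1"), audit_policy(policy))
```

Running it shows the weak policy accepting "pass1" with three audit findings, while the strong policy rejects it and audits clean.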

On a separate note, while Veracode certainly embarked on an effective PR strategy by pointing out that enterprise applications are weak, surely the hope was that CSOs would see their press release and say, “Oh boy, I need help with application security. I better call Veracode right now.”

Again, beyond poking a bit of fun at Veracode’s expense, it was actually a smart move, and we applaud anything that shines a light on just how seriously CSOs and CIOs need to take application security. In fact, I believe that organizations with Internet-facing applications need to apply the same level of security diligence as they would for perimeter defences by taking a strategic look at their application security practices. Automated scanning should be one of the tools in the toolbox, alongside manual code review for those applications that warrant that level of scrutiny—it’s the only way to find all the vulnerabilities present. Period.

That is the message that those responsible for their company’s security need to understand.

By Greg Reber, CEO of AsTech Consulting
