Would You Fly an Airplane That Had a Pre-flight Checkout That Was Only 40 Percent Complete?

Greg Reber

In the aviation world safety is paramount. Commercial airlines go to major lengths to make sure that their planes are fully up to code and can fly safely in the air. The risks — loss of human lives — are far too extreme to take any chances. One result of this diligence is the fact that travel by plane is far safer than any other method — nearly 40 times safer per mile than travel by car.

While application security risks are not as dire, research shows that CSOs fail to apply the same stringent level of safety to securing their Internet-facing applications. In fact, most organizations may be unaware of 60% of their Internet application vulnerabilities because they rely only on automated external website scanning and/or automated static source-code or binary analysis tools. These methods find only approximately 40% of the types of security vulnerabilities that a security assessment should discover.

Sixty percent is clearly a statistic that would cause many CSOs to lose sleep. As I have highlighted before, organizations with Internet-facing applications need to apply the same level of security diligence as they would for perimeter defenses, taking a strategic look at their application security practices to close this massive gap.

The only way to determine the total risk due to application vulnerabilities is to assess Internet and intranet applications using a blend of manual and automated analyses. Manual static analysis is a review of the application's architecture and source code by highly skilled software security engineers. The resulting analysis is comprehensive and, overall, the most reliable of the approaches.

Thankfully, some companies in the financial services sector have taken an airline-like safety approach by using this comprehensive method of analysis. I encourage everyone to take a hard look at their online application vulnerability assessment methods. And, as a frequent flier, I would choose to fly on an airline that has a complete pre-flight checkout of every plane, not one that's only going to find 40% of the possible dangers.

By Greg Reber, CEO of AsTech Consulting
