The Changing Face Of Application Security

Comment Article: IT Analysis. The changing face of application security
By Fran Howarth, Principal Analyst, Quocirca Ltd

Software applications are the backbone of businesses today. A recent survey conducted by Quocirca, commissioned by Fortify Software, of 250 organisations in the US, the UK and Germany, found that developing or modifying software applications is business critical or very important to two-thirds of organisations. Not only that, but reliance on software development is increasing, and bespoke application development is seen as a competitive differentiator for end-user organisations. Not only are bespoke or modified software applications becoming more important, but they are increasingly being web-enabled over networks that are being opened up to access by employees, business partners, suppliers and customers. This increases productivity by allowing for greater collaboration and by speeding up the rate at which transactions can be performed.

But it is a double-edged sword. Many large enterprises have thousands of web-enabled applications running over their networks, and their developers are under pressure to release new applications at an ever faster rate. The internet is also no longer the static marketing tool for organisations that characterised it during the 1990s. Dynamically changing content is the order of the day, and that means that applications are frequently updated, with extra functionality being added at a fast and furious pace.

Each of these applications may contain thousands, or even millions, of lines of code, making it likely that at least some bugs have been incorporated along the way. The generally accepted rate is 0.5 significant errors per thousand lines of code, so a fairly small, 10,000-line application will contain five significant errors, somewhere. Each of those errors could make the application vulnerable to attack, and that is playing into the hands of hackers. Gone are the days of script kiddies; now a new breed of hacker has emerged that hunts for insecurely written code and vulnerabilities in software applications that will allow them to steal information contained in those applications. And, to an increasing extent, those attacks are specifically targeted, at an individual organisation or a certain individual.

The stakes are set to rise even higher as organisations turn to practices that could actually increase their risk of exposure even further, for three reasons. First, the survey showed that organisations are fast adopting service oriented architectures (SOA), with 66% of respondents having already adopted, or being in the process of adopting, a SOA. Among German respondents, that percentage rises to 84%, 71% of which are exposing legacy applications, potentially leaving them more vulnerable to attack, as some of these applications would originally have been intended for internal use only and therefore developed without concern for today's security threats.

Second, organisations are also increasingly using next-generation Web 2.0 programming techniques and tools. The survey shows that 45% of respondents make use of JavaScript/AJAX programming tools in order to write applications that provide users with a much higher degree of interaction than traditional applications, and that enable dynamic, on-the-fly content to be produced. However, these new programming techniques actually increase the chance of applications containing vulnerabilities. For example, many Web 2.0 programming techniques make use of JavaScript as the data transport mechanism, which exposes more of the business logic of the applications, such as access controls, at the browser level instead of at the server level, meaning that it is more exposed to users, and therefore to hackers. The problems involved are not yet widely understood, but a significant number of organisations report that they are encountering vulnerabilities that are specific to the new programming tools.

© 2008 Quocirca Ltd

http://www.quocirca.com

+44 118 948 3360
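The point above about access controls living in browser-side JavaScript is illustrated by the following added example (not code from the Quocirca article or the Fortify survey). All users, sessions, roles and the `SESSIONS`/`POLICY` tables are constructed for the illustration; it contrasts a check that only runs in the client with the server-side enforcement that must back it.

```javascript
// Added example: access control decided in the browser versus enforced on the server.

// Pattern the article warns about: the page's JavaScript carries the business
// logic (which role may do what) and decides locally. Whoever controls the client
// controls this decision, so it can only ever be a usability hint.
function clientSideOnly(user, action) {
  const allowed = { admin: ["view", "export"], staff: ["view"] }; // shipped to the browser
  return (allowed[user.role] || []).includes(action);
}

// Hardened pattern: the server resolves the caller's role from its own session
// store and applies the policy itself. Any role claim inside the request body is
// untrusted client data and is deliberately never read.
const SESSIONS = {              // constructed session store
  "sess-staff": { id: 7, role: "staff" },
  "sess-admin": { id: 1, role: "admin" },
};
const POLICY = { view: ["staff", "admin"], export: ["admin"] }; // constructed policy

function handleRequest(req) {
  // req = { cookie, action, body }; body is client-supplied and ignored for authz
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, body: "not authenticated" };
  const roles = POLICY[req.action];
  if (!roles) return { status: 404, body: "unknown action" };
  if (!roles.includes(session.role)) return { status: 403, body: "forbidden" };
  return { status: 200, body: `${req.action} ok for user ${session.id}` };
}

// A request that arrives without going through the browser-side check: the
// client code would have said "allowed" (it trusts the role it is handed),
// whereas the server answers from its own session data and refuses.
function demo() {
  const req = { cookie: "sess-staff", action: "export", body: { role: "admin" } };
  return {
    clientCheck: clientSideOnly(req.body, req.action), // true: browser logic is fooled
    serverStatus: handleRequest(req).status,           // 403: server enforces policy
  };
}

console.log(demo());
```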

The third potentially insecure practice to which organisations are exposing themselves is that of trusting the development of their software applications to third parties. This requires that watertight service-level agreements be put in place to demand that the highest standards of security be used in the development and testing of the software, and that the third parties can be held accountable for vulnerabilities that slip through the net. However, the survey does show that those organisations for which the importance of bespoke software development is increasing are least likely to outsource this activity, meaning that organisations do at least understand that outsourcing code development could be a less secure practice than keeping it in-house.

As well as these findings, the survey brings to light the fact that many organisations are not doing enough to actively build security into their applications at the design and development stages, nor are they making sufficient use of automated tools to test the security of the applications that they develop. It is well known that fixing security flaws is more expensive than ensuring that they do not exist in the first place. It is imperative that security be considered at all stages of the software development lifecycle, to ensure that organisations leave as few vectors of attack against their networks open as possible. In today's world, the penalties for sloppy security practices that lead to data leaking out of an organisation are high, and no one wants to be the subject of the next negative headline.


About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native-language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a proactive primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long-term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC, Symantec and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms.

Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com
