Governance Model
Application security testing conducted in the absence of an overarching program and policy governing application risk management within the organization is simply ad-hoc testing. Without establishing policies that take into account elements such as business criticality, regulatory impact, brand risk, etc., there is no comprehensive understanding of the risk exposure posed by the application portfolio. With ad-hoc testing, there is no way to accurately measure whether the money being spent on application security is cost effective or what the outcome of the dollars being invested really is. With our Governance Model we will identify your application inventories, set policy and initiate workflows to bring the rest of the organization's testing efforts into alignment with the business value of those applications.
Setting the Application Security Policy
An application security policy is a critical component of an organization’s overall information management architecture, and ultimately plays an integral role in business continuity strategies. It is critical to have a top-down approach based on a well-stated framework in order to develop effective, enforceable policies. Unfortunately, that is not where most organizations are today – instead most are still communicating in silos and using ad hoc testing for application security control. This approach results in an inconsistent application security program, leaving companies at risk for failed audits and halted business operations due to a breach.
With 75% of new attacks (CERT) and 80% of SANS Top 25 attacks targeting applications, it is not surprising that application security has risen to the top of the executive agenda. As an executive, you are concerned about technology risk management and you recognize that application risk management has to form a key part of your efforts.
The Case for Application Intelligence
Software applications are the enterprise’s new security perimeter. Today’s applications control access to financial data, public service infrastructure, patient health records, personal information on mobile devices and more. Their weaknesses have become the target of most new attacks. Exploited vulnerabilities such as backdoors, malicious code, and Zero-day flaws have had expensive and embarrassing consequences.
We conceptually know that applications are vulnerable. However, real information and meaningful metrics are needed about why software remains so insecure and what can be done to improve the status quo. If a CISO knew that between 30 and 70 percent of all code in what they thought of as internally developed applications was identifiably from third parties, how would that inform their approach to vendor and third-party risk management? If a VP of Engineering was equipped with hard facts to dispel the fear surrounding use of open source software, how would that impact the software architecture and cost of building new products? If there was a way to compare the state of an enterprise's software security vs. peers in the industry, how would that help build the case for appropriate funds allocation for an enterprise's application risk management program?
The Professional Perspective
One of the primary ways that application security risk enters today’s enterprise is through the software acquisition process. Whether it is procurement, a merger, or corporate acquisition, an increasing percentage of modern enterprise software infrastructures was created by unknown third parties.
Given the dramatically heightened regulatory and compliance environment, one of the unique challenges now facing today's professionals is preventing software security risks from entering the acquiring organization through the acquisition process. The risk is real: most software development processes in smaller target firms are less mature than those of larger and more established organizations, often focus on rapid feature development rather than secure design and implementation, and typically cannot afford expensive security testing tools to do even basic security checking. These unknowns around software security are compounded by the acquisition process itself, which can present challenges due to the sensitivities surrounding access to the source code of target software products, the confidential nature of the transaction and of security vulnerability information (particularly for public companies), and the legal risk associated with failed transactions.