
A Bigger Boat: Application Security Outgrows Capacity for CIOs

There is a classic scene in the movie “Jaws” when Roy Scheider gets a look at the size of the shark circling his fishing vessel and says, “We’re going to need a bigger boat.” The same case can be made for CIOs dealing with application security today.

Hackers from all over the world are circling business and government like great whites, looking for vulnerabilities in Internet-facing applications. The growth of applications is great for doing business, but they have become chum in the water for predators.

Unfortunately, the scope of the problem threatens to capsize the ability of many CIOs and CSOs to mitigate these vulnerabilities. While many turn to automated external scanning and automated static source code or binary analysis tools, these tools are currently limited: they can only find approximately 40% of the types of security vulnerabilities that should be evaluated in a security assessment.

This means that there is a 60% gap in organizations’ application security. Sixty percent is a significant statistic. Organizations with Internet-facing applications need to apply the same level of security diligence as they would for perimeter defenses, taking a strategic look at their application security practices to cover this massive gap. Quick fixes may be fine for some areas of the enterprise, but not when you’re putting consumers and employees—and ultimately your brand—at risk.

The best way to determine the total risk due to application vulnerabilities is to assess them using a blend of manual and automated analyses. Manual static analysis involves a review of the application architecture and source code by highly skilled software security engineers. The resulting analysis is comprehensive and is, overall, the most reliable of the approaches. Thus, it has been the method of choice where application security is of paramount concern, such as in the financial services sector.

The sharks will always be out there. They are hungry and, unfortunately, smart. To protect yourself, you need to see everything they can see, using all available means—the right-sized boat for the threat.

By Greg Reber, CEO of AsTech Consulting
