Last month, application security provider Veracode came out with a study that stated that more than half of all enterprise applications aren’t secure. The company tested approximately 2,900 applications over an 18-month period, and 57 percent failed to meet Veracode’s “acceptable levels” of security.
While this study gained a tremendous amount of traction in the media, which helped raise the awareness of just how vulnerable enterprise applications are, it does not focus on the bigger issue of how to fully secure these applications. That 57 percent sounds like a lot, but the number is higher if you take into account the vulnerabilities that automated scanning can’t find.
Automated scanning tools like Veracode are very good at finding some common vulnerabilities, but they cannot find some pretty significant issues. Policy-based weaknesses, such as weak password strength requirements, will not be found by an “automagic” scan of source code. The only way to determine the total risk due to application vulnerabilities is to use a combination of manual and automated analyses. This is still the only path to discovering and understanding all the risks present in Internet applications. Using automated tools alone is much better than doing nothing at all, but it tells you less than half the story.
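To make the point concrete, here is an added illustration (not code from the original post or from Veracode): a password validator whose only flaw is a weak policy. Both functions are constructed for this example, as is the short common-password list. Neither contains a coding defect of the kind a source scanner looks for (no unsafe API, no injection, no overflow), so the weak version comes back “clean” from automated analysis; only a reviewer reading the requirement itself would flag it.

```python
"""Added illustration: a weak password policy is syntactically clean code
that an automated source scanner has no reason to flag, yet it is a real
vulnerability a manual review would catch. Everything here is constructed
for this example."""

import re

# Constructed sample of commonly used passwords; a real deployment would
# check candidates against a much larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def weak_policy_accepts(password: str) -> bool:
    """The 'before': any four characters will do.

    There is no bug in this function in the sense a scanner understands,
    so it is reported clean. The risk lives entirely in the policy.
    """
    return len(password) >= 4


def strong_policy_accepts(password: str, username: str) -> bool:
    """The 'after': requirements a manual reviewer would insist on."""
    if len(password) < 12:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    # Reject passwords that embed the account name.
    if username and username.lower() in password.lower():
        return False
    # Require at least three of the four character classes.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return classes >= 3


def compare_policies(samples, username="alice"):
    """Return {password: (weak_result, strong_result)} for each candidate."""
    return {
        pw: (weak_policy_accepts(pw), strong_policy_accepts(pw, username))
        for pw in samples
    }


if __name__ == "__main__":
    # Constructed candidate passwords showing where the two policies diverge.
    candidates = ["1234", "password", "alice2024!!!!", "Tr0ub4dor&3-horse"]
    for pw, (weak, strong) in compare_policies(candidates).items():
        print(f"{pw!r:24} weak={weak!s:5} strong={strong}")
```

The scanner's verdict on both functions is identical; the difference between them is a requirement, not a code defect, which is exactly the class of finding that needs a human in the loop.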
On a separate note, Veracode certainly embarked on an effective PR strategy by pointing out that enterprise applications are weak; surely the hope was that CSOs would see the press release and say, “Oh boy, I need help with application security. I better call Veracode right now.”
Poking a bit of fun at Veracode’s expense aside, it was actually a smart move, and we applaud anything that shines a light on just how seriously CSOs and CIOs need to take application security. In fact, I believe that organizations with Internet-facing applications need to apply the same level of security diligence as they would to perimeter defences, by taking a strategic look at their application security practices. Automated scanning should be one of the tools in the toolbox, alongside manual code review for those applications that warrant that level of scrutiny—it’s the only way to find all vulnerabilities present. Period.
That is the message that those responsible for their company’s security need to understand.