Avoid these Application Security Risks
By Sukanya C (September 19, 2015)
The kind of risks that mismanaged security poses can no longer be fathomed merely by the numbers, even while those numbers most often fail to cover the real quantum of damages and their ripple effects. In a mad rush to keep up with time-to-market pressures, app developers may not think through data security and user privacy. This leaves enterprises with rudimentary, interim threat prevention tools. If perimeter security encouraged an era of insecure code at the application layer, runtime security is only repeating the offense at a much closer level. In the wake of this chaos, how must one prevent application security from disappearing into the proverbial Bermuda triangle of scope, schedule and budget? Let's take a look at common application security risks and ways to mitigate them:
Risk: Inadequate security personnel support to handle runtime monitoring tools
Runtime Application Self-Protection (RASP) came into being when the idea of an impenetrable network perimeter began to be viewed as improbable and unworkable. Security companies resolved to move the layer of defense in from the perimeter to the host. But RASP addresses only a small range of web application vulnerabilities, such as CSRF and SQLi, which are relatively minor weaknesses that developers can fix with minimal effort. The larger problem with RASP and WAF is that they fall short of vulnerability correction capabilities. All they essentially do is set up a temporary barricade that becomes a dependency for the vulnerability that was detected. If this dependency and the temporary fix are not well documented and evangelized among IT managers and executives, they could be neglected with the passage of time, under the impression that the vulnerability has been neutralized.
What you can do: Enterprises need to build security into the core of the development team, or rather make it the crux of DevOps strategies. Seek the assistance of security posture analysts who can help draw up all-inclusive plans and policies for patch management, logging and lifecycle documentation. This will empower your business with the awareness of what solution works best for your line of business, endpoints, platform, scale and brand image sensibilities.
Risk: Shortsighted planning
Both RASP and WAF simply add a shield to the core of the application and aren't helping build secure applications. Sooner or later, companies will have to face the hard decision looming before them: whether to purchase an extended cover of the compensatory RASP control for the zero-day vulnerability or approach the developers for a fix. Small and medium businesses often find it hard to make a decision on the trade-off between mounting costs and impediments to business continuity.
What you can do: Seek to gain thorough foresight of the long-term benefits and limitations of security implementation, products and tools. Risk mitigation planning is incomplete without exhaustive threat awareness that also projects a weighed analysis of defense tactics, apart from keeping a business aware of contextual vulnerabilities, evolving threat actors and perilous practices.
Risk: Entrusting complete autonomy to runtime monitoring
Runtime security is designed to keep out real-time attacks and is known to be highly inclined to throw up false positives. Such tools can misinterpret unusual but legitimate traffic as anomalous and end up stopping code from executing, thereby damaging data availability and culminating in a self-inflicted DoS attack of sorts. A WAF is only as intelligent as its signature base and pattern-matching resource, which means it knows nothing about what an application does with a particular user input; it only knows enough to block out inputs that seem malicious. As one would guess, hackers are manufacturing cleverer attacks that can deceive a WAF filter by posing as a harmless request.
What you can do: The basic mindset to adopt is the synchronization of people and technologies. Tools are prone to throw up false positives and cannot be left to decide how to act. They require continuous monitoring by a security expert who can interpret the nature of sophisticated attacks and differentiate them from, say, routine performance testing traffic loads.
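As an added example (not from the original article), the contrast above in Python: a constructed stand-in for a signature-based WAF/RASP rule blocks legitimate input it cannot understand, the string-built query it shields fails on a plain apostrophe, and a parameterized query at the source needs no barricade at all. The SIGNATURE pattern and the SAMPLE_USERS table are assumptions built for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the article): a tiny in-memory user table.
SAMPLE_USERS = [("O'Brien", "ops"), ("Select Committee Clerk", "legal"), ("alice", "dev")]

# Stand-in for a signature-based WAF/RASP rule: it matches tokens that "look like"
# SQL and knows nothing about what the application does with the input.
SIGNATURE = re.compile(r"'|--|;|\bselect\b|\bunion\b|\bdrop\b", re.IGNORECASE)

def waf_filter(user_input):
    """True if the pattern-matching filter would block this input, rightly or not."""
    return SIGNATURE.search(user_input) is not None

def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, team TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_team_concatenated(name):
    """The fragile code the filter is shielding: SQL built by string formatting.
    A legitimate apostrophe in a name is enough to make the query fail."""
    conn = _connect()
    try:
        row = conn.execute(f"SELECT team FROM users WHERE name = '{name}'").fetchone()
        return row[0] if row else None
    except sqlite3.Error:
        return None  # request fails on benign input: availability is lost
    finally:
        conn.close()

def lookup_team_parameterized(name):
    """The fix at the source: the driver binds the value, so no barricade is needed."""
    conn = _connect()
    try:
        row = conn.execute("SELECT team FROM users WHERE name = ?", (name,)).fetchone()
        return row[0] if row else None
    finally:
        conn.close()

def triage(name):
    """Compare the three outcomes for one input, as a security reviewer would."""
    return {
        "waf_blocks": waf_filter(name),
        "concatenated": lookup_team_concatenated(name),
        "parameterized": lookup_team_parameterized(name),
    }
```

Run triage() on the three sample names: the filter blocks two legitimate users outright (a false positive of the kind the article warns about), the concatenated query loses the O'Brien lookup entirely, and only the parameterized version answers every request correctly.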
Another important takeaway is that while RASP can give your applications self-protection capabilities, it also means inviting a hacker deeper into the stack, while there are other means to lock them out even further outside network boundaries. Such a situation warrants the guidance of a security consultant who can instill a culture of robust, multi-faceted security fundamentals that prevents the tilting of your budget towards a single, apparently imprecise defense mechanism.
Beginning with assistance in developing secure code, a security posture assessment can bring you the benefits of adroit risk management planning backed by a custom-built threat profile. While tools are programmed to look for and block out certain predefined activity, manual penetration testing thinks out of the box, mimicking attackers who try everything they can to dodge standard intrusion prevention signatures.