These six myths put application security at risk
Nothing is more important than the security of business-critical applications. If they are compromised, data falls into unauthorized hands, reputation suffers and disappointed customers switch to the competition. Despite this, executives and IT managers often fail to take the necessary security measures.
The threat situation for IT is becoming increasingly severe and more complex. Companies that already have protective measures in place can usually limit the damage when an attack occurs. But the following six myths, and what is wrong with each of them, show how companies could make their applications significantly more secure.
Myth 1: Cybercriminals attack the infrastructure; applications are hardly a target
This myth is a widespread misconception. Studies have shown that more than half of all attacks take place via the application layer. Yet classic network firewalls, which filter on addresses, ports and protocols, do not inspect the seventh OSI layer, the application layer, at all. Critical business applications should therefore be protected by an application firewall that controls input, output and access to external services, and blocks any of them that do not comply with the policy configured in the firewall.
Application security, however, starts with the development of the software. Developers should follow best practices and stop using known-insecure functions and vulnerability-prone programming constructs, so that vulnerabilities do not arise in the first place. Timely patch management also plays a very important role throughout the application lifecycle (see Myth 5).
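The two halves of Myth 1 in working code, as an added example that is not from the article or from NTT Security: first a miniature layer-7 policy of the kind an application firewall enforces (an allow-list for inbound paths and parameter formats, and an allow-list for outbound hosts), then the vulnerability-prone construct developers should stop using, a SQL query built by string concatenation, next to its parameterized replacement. The paths, parameter formats, hosts and the in-memory orders table are all constructed for the example; the policy catches the injection payload before it reaches the vulnerable code, but only the hardened query removes the vulnerability.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Part 1: the kind of policy an application firewall enforces at OSI layer 7.
# Paths, parameter formats and egress hosts are constructed for this example.
INPUT_POLICY = {
    "/orders": {"id": re.compile(r"\d{1,10}")},        # numeric order id only
    "/search": {"q": re.compile(r"[\w .\-]{1,64}")},   # short text, no SQL metacharacters
}
EGRESS_ALLOWLIST = {"payments.example.com", "api.example.com"}  # assumed external services


def check_request(path, query):
    """Inbound check: deny unknown paths, unknown parameters and values that do not
    match the configured format. Returns (allowed, reason)."""
    allowed_params = INPUT_POLICY.get(path)
    if allowed_params is None:
        return False, f"path not in policy: {path}"
    for name, values in parse_qs(query, keep_blank_values=True).items():
        pattern = allowed_params.get(name)
        if pattern is None:
            return False, f"unexpected parameter: {name}"
        for value in values:
            if not pattern.fullmatch(value):
                return False, f"parameter {name!r} violates policy"
    return True, "ok"


def check_egress(url):
    """Outbound check: the application may only talk to allow-listed hosts over HTTPS,
    so a server-side request cannot be redirected to an internal target."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.hostname not in EGRESS_ALLOWLIST:
        return False, f"egress to {parts.hostname!r} not allowed"
    return True, "ok"


# Part 2: the construct developers should stop using, next to its replacement.
def open_demo_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn, order_id):
    """String concatenation: the parameter becomes part of the SQL text."""
    sql = "SELECT id, customer FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, order_id):
    """Validate the type, then bind the value; it can never be parsed as SQL."""
    try:
        oid = int(order_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, customer FROM orders WHERE id = ?", (oid,)).fetchall()


def serve_order(conn, path, query, lookup=lookup_hardened):
    """Defence in depth: the policy check runs first, the application code second."""
    allowed, reason = check_request(path, query)
    if not allowed:
        return "blocked", reason
    order_id = parse_qs(query).get("id", [""])[0]
    return "ok", lookup(conn, order_id)


if __name__ == "__main__":
    db = open_demo_db()
    payload = "1 OR 1=1"
    print("vulnerable, no firewall:", lookup_vulnerable(db, payload))   # every order leaks
    print("vulnerable, behind policy:", serve_order(db, "/orders", "id=" + payload, lookup_vulnerable))
    print("hardened:", lookup_hardened(db, payload))
    print("egress:", check_egress("https://169.254.169.254/latest/meta-data/"))
```

Note the order of defences: the policy is written as an allow-list (what is permitted), not a block-list of known bad strings, because the latter is what attackers spend their time evading. Even so, the firewall only hides the defect; the parameterized query in lookup_hardened is the fix the development team owns.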
Myth 2: Penetration testing is enough, the application is secure
Many IT specialists believe that a successfully completed penetration test all but guarantees the security of an application. That may hold for simple apps, but not for complex applications that contain a lot of business and process logic. Complex applications with many stakeholders cannot be fully covered by penetration testing at all: a test examines one snapshot of the application and finds only what its scope and time budget allow. Development, procurement and release processes involving multiple business units should therefore go through additional security measures. NTT Security recommends software maturity models such as OpenSAMM, which help organizations build a security strategy for business-critical applications that is aligned with their business model.
Self-developed applications require special attention. One example: more than 70 percent of SAP functionality is programmed by customers themselves, and the vendor gives no security guarantee for such in-house developments. The security measures established with the help of maturity models such as OpenSAMM are therefore particularly important for in-house software, for which the customer alone is responsible.
Myth 3: Security tools do the job, so cyber attackers don't stand a chance
Many companies rely too heavily on their security tools, for example for patching or configuration management. Tools are important, but they are only half the battle. In IT today, everything is networked with everything else, yet the individual business units do not talk to each other enough. Security experts who keep an eye on the overall security strategy should be at the table for every new implementation and every important decision. Otherwise each department uses its own tools in an uncoordinated manner, and when a security incident occurs there are many disappointed faces.
Myth 4: Every employee is responsible for their own security
The most dangerous weak point in companies is their own employees, security experts emphasize. It is therefore important to create risk awareness among employees through regular training and to inform them about current attack vectors. Training does not rule out cybercriminals gaining access to sensitive data through social engineering techniques such as personalized phishing emails, but it does increase awareness and reduce the risk. The key is to think twice before clicking on a mail attachment and to use common sense.
Myth 5: Security patches take hours to apply and make systems unusable
On average, vulnerable, unpatched applications remain online for several hundred days, even though the vulnerabilities are known and cybercriminals could launch an attack at any time. The biggest source of application vulnerabilities is unpatched libraries, according to the Application Security Statistics Report 2018 (Vol. 13) by WhiteHat, a subsidiary of NTT Security. The reason for this negligence is the common misconception in many companies that IT systems fail and become unusable while security patches are applied: customers cannot reach the ordering system, employees sit twiddling their thumbs, and the company loses revenue.
This assumption is wrong. Today, security patches can often be applied during operation, or require only individual components to be taken down for a short time, for example by patching and restarting the instances behind a load balancer one at a time. Where that is not possible, the nightly maintenance window remains as an alternative.
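Knowing which libraries are unpatched, and for how long, is the prerequisite for the patching the myth argues against. The following added example (not code from the article, WhiteHat or NTT Security) does in miniature what a software composition analysis tool does: it parses a pinned lock file, compares each pin against the first fixed version from a fix feed, and reports how many days each finding is past a patch SLA. The lock file, the package names, the versions, the fix dates and the report date are all constructed and refer to no real software or advisory.

```python
import re
from datetime import date

# Constructed lock file, as a build would pin it. Package names, versions and fix
# dates in this example are made up and refer to no real software or advisory.
LOCKFILE = """\
# generated by the build pipeline, do not edit
acme-parser==1.4.2
acme-webcore==3.2.0
acme-crypto==5.1.0
"""

# Constructed "first fixed version" data, the kind of feed an SCA tool consumes.
KNOWN_FIXES = {
    "acme-parser": ("2.0.3", date(2018, 1, 15)),
    "acme-webcore": ("3.2.1", date(2019, 2, 10)),
    "acme-crypto": ("5.0.0", date(2017, 6, 1)),    # already patched: pinned 5.1.0
}
REPORT_DATE = date(2019, 3, 1)   # assumed "today" so the numbers are reproducible


def parse_version(text):
    """Compare the leading dotted numeric part as a tuple ('1.10.2' > '1.9.9');
    a pre-release suffix such as 'rc1' is ignored, good enough for release pins."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split("."))


def parse_lockfile(text):
    """Return {name: pinned_version}; refuse unpinned or malformed requirements,
    because a library you cannot pin is a library you cannot prove patched."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9_.\-]*)==([0-9][0-9A-Za-z.\-]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def find_unpatched(pins, fixes, today, sla_days=30):
    """List pinned libraries older than their first fixed version, with the number
    of days each one is past the patch SLA. Most overdue first."""
    findings = []
    for name, (fixed_in, fix_date) in fixes.items():
        pinned = pins.get(name)
        if pinned is None or parse_version(pinned) >= parse_version(fixed_in):
            continue
        overdue = max(0, (today - fix_date).days - sla_days)
        findings.append((name, pinned, fixed_in, overdue))
    return sorted(findings, key=lambda f: f[3], reverse=True)


def report(today=REPORT_DATE):
    return find_unpatched(parse_lockfile(LOCKFILE), KNOWN_FIXES, today)


if __name__ == "__main__":
    for name, pinned, fixed_in, overdue in report():
        print(f"{name}: pinned {pinned}, fixed in {fixed_in}, {overdue} days past SLA")
```

The "days past SLA" column is the number worth putting in front of management: a library whose fix has been available for a year is not a downtime question, it is an open door.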
Myth 6: Once you've been hacked, there's nothing you can do about it
Keeping a cool head is easier said than done, but in the event of an attack companies should remain calm and not cause further damage through ill-considered knee-jerk reactions. There are companies that pulled the power plug after an attack and damaged the disk subsystem in the process; in addition, everything that existed only in memory, such as running processes and open network connections, was gone. Forensic experts were then no longer able to reconstruct the attack and identify the attack vectors. The goal should be to preserve as much evidence and data as possible and to call in professional security experts as soon as possible.
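Evidence is only worth collecting if you can later show it was not altered, by the attacker or by a well-meaning colleague. The following added example (not the article's or NTT Security's code) hashes every collected artefact right after collection into a manifest, seals the manifest with a single digest that can be written into the incident ticket, and detects a later change to any artefact. The artefacts (a process list, a connection list, a log excerpt) are constructed stand-ins for what a responder would capture from the live system before anything is shut down.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Hash every artefact once, right after collection, and record who collected what
    and when; the manifest is what later lets you show the evidence was not altered."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "entries": entries,
    }


def manifest_digest(manifest):
    """One hash over the canonical JSON; record it out of band (ticket, paper) so a
    change to the manifest itself is detectable too."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(evidence_dir, manifest):
    """Return the relative paths whose content no longer matches; [] means intact."""
    bad = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


# Constructed artefacts standing in for what a responder captures from the live system
# before anything is powered off: process list, network connections, a log excerpt.
SAMPLE_ARTEFACTS = {
    "process-list.txt": "PID  USER  CMD\n4711 www  /usr/sbin/httpd\n4720 www  /tmp/.x\n",
    "connections.txt": "tcp 10.0.0.5:443 -> 203.0.113.9:4444 ESTABLISHED\n",
    "app.log": '2018-11-02T03:14:07Z POST /orders id="1 OR 1=1"\n',
}


def demo_tamper_detection():
    """Collect, seal, then modify one artefact; returns (before, after) verification."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        for name, content in SAMPLE_ARTEFACTS.items():
            with open(os.path.join(evidence_dir, name), "w") as f:
                f.write(content)
        manifest = build_manifest(evidence_dir, collector="on-call responder", case_id="constructed")
        before = verify_manifest(evidence_dir, manifest)
        with open(os.path.join(evidence_dir, "process-list.txt"), "a") as f:
            f.write("4720 www  /usr/sbin/httpd\n")   # someone "tidies up" the evidence
        after = verify_manifest(evidence_dir, manifest)
        return before, after


if __name__ == "__main__":
    print(demo_tamper_detection())   # ([], ['process-list.txt'])
```

Capture the volatile data (processes, connections, memory) before the persistent data, and run this kind of sealing step as soon as each artefact lands on the collection medium; the manifest digest is the one value the forensic experts will ask for when they arrive.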
Conclusion: Security depends on many factors
A single, successfully completed penetration test is not enough to ensure application security; believing so is a negligent misconception. To my knowledge, there is no penetration test that does not reveal one or two critical vulnerabilities. It is therefore recommended to use maturity models for application security such as OpenSAMM as a guideline. Security patches are often not applied because business-critical systems such as production or sales would supposedly be down for a certain time. Companies thus take an incalculably high risk. Yet patches can also be applied during operation; many of our customers do this, avoid the downtime, and it works very well.
Author:
René Bader is Lead Consultant Secure Business Applications EMEA at NTT Security.