Automating application security will ensure that your digital plans do not go haywire
Businesses are embracing digital transformation to engage with customers, and a key aspect of this development is the use of mobile and Internet applications. Consumers too have shown increased preference for these applications with increased adoption and usage. According to a recent Nielsen survey, consumers spend about 37 hours per month on their devices and use over 20 different applications. This has spurred the rise of many application development entities. Often, these entities engage with businesses for third-party application development. This trend is undermining organizations’ ability to ensure the security of not only their third-party applications, but also the data and systems on the network.
According to VentureBeat, mobile applications are already a USD 40 billion industry that can grow to USD 70 billion by 2017. This includes organizations that do have internal application development capabilities. Nevertheless, whether development is outsourced to third parties or takes place internally, development resources have a fickle relationship with the internal IT and security teams. The result is often a massive security outage. This has led some businesses to think that migrating applications to the cloud will mitigate the security risk. However, outsourcing the security of the application to the cloud company does not reduce or eliminate the challenges to security. While cloud providers do offer some basic security services as an add-on, these services are inadequate for the security needs of an application. This invariably results in businesses investing in various tools to oversee their applications, which in most cases are beyond their sphere of control.
Slow, ineffective tools
Digital transformation is a game changer. The opportunities to experiment are many, and so are the pitfalls. Traditional tools and processes are ineffective against evolving security threats and application requirements. The need is for dynamic tools for dynamic environments. According to a Radware research finding, nearly half of the businesses surveyed employed frequent manual adjustments to security policies. This in itself is a compliance risk. Traditional vulnerability and application scanning solutions typically take hours or even an entire day to complete a scan, depending on the complexity of the application. Code review tools also take significant time to complete the task. Imagine deploying these tools in organizations that often manage dozens of applications, each of which can change frequently within a day! Managing multiple applications with manually driven tools is a recipe for disaster.
Using automation to mitigate risks
Automation holds a great deal of promise to help alleviate the strain involved in securing numerous applications. However, in most cases, products bought for automating key security steps end up being a mute spectator: they are used in a passive, alert-only mode. The product invariably ends up feeding an endless stream of events into a SIEM for security personnel to assess, prioritize and assign for remediation. Even then, the security personnel lack the skill or application security expertise; some do not even understand how an application works. According to Gartner research, only about 5% of typical security teams are true application security experts. This lack of skill or expertise leaves the personnel unable to handle issues or even keep up with the pace of alerts. Automation does help, yes, but it does not need manual overrides in each phase of a process.
Automating application security
There is a need to implement more automation around application security. This translates to embedding security capabilities into the application code itself, referred to as Runtime Application Self-Protection (RASP). While a promising area of security technology, RASP solutions are still emerging technologies, as their effectiveness and impact on application performance are yet to be fully understood. On the other hand, the Web Application Firewall (WAF) remains a purpose-built application security tool. The more advanced WAFs leverage automation capabilities to improve security and streamline operations.
WAFs are preferable because they offer automated policy generation, a feature that analyzes the protected application, generates granular protection rules and applies security policies. It speeds response time and offers maximum-security coverage without administrative effort. Another area where advanced WAFs are applying automation capabilities is in how they detect and respond to vulnerabilities in new or modified applications. Although most WAFs in the market offer various levels of integration with different security technologies, most of these integrations stop short of automatically implementing new policies in response to identified vulnerabilities. Additionally, the integrations take a long time to perform full scans, often leading to outdated results that invariably demand a manual deployment of policies.
It is in this context of inadequate WAF performance that products which enable focused scans on application zones, and use the scan results for immediate virtual patching of the detected vulnerabilities, become imperative. Typically, such a solution should use Auto Policy Generation to map the protected application (all hosts, folders, files, parameters and cookies) and analyze the traffic to determine potential threats.
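To make the two mechanisms above concrete, here is an added illustration (not Radware's product code or any real WAF) of how auto policy generation and virtual patching fit together: a learning phase maps each host and path to the parameters and cookies seen in traffic, a scanner finding is turned into a value constraint on one parameter, and a positive security model then allows or blocks requests. The traffic sample, the scanner finding and the data layout are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed learning-phase traffic: (host, path, query string, cookie header).
LEARNING_TRAFFIC = [
    ("shop.example", "/cart/add", "sku=A100&qty=2", "session=s1"),
    ("shop.example", "/cart/add", "sku=B220&qty=1", "session=s2"),
    ("shop.example", "/search", "q=shoes", "session=s1"),
]

# Constructed scanner finding: 'qty' on /cart/add accepts non-numeric input.
SCAN_FINDING = {"host": "shop.example", "path": "/cart/add",
                "param": "qty", "allowed": r"^[0-9]{1,4}$"}


def learn_policy(traffic):
    """Auto policy generation: map each host/path to the parameter and cookie names observed."""
    policy = defaultdict(lambda: {"params": set(), "cookies": set()})
    for host, path, query, cookies in traffic:
        entry = policy[(host, path)]
        entry["params"].update(k for k, _ in parse_qsl(query, keep_blank_values=True))
        entry["cookies"].update(c.split("=", 1)[0].strip() for c in cookies.split(";") if c.strip())
    return dict(policy)


def virtual_patch(policy, finding):
    """Turn a scan finding into an enforced value constraint, without changing application code."""
    entry = policy.setdefault((finding["host"], finding["path"]), {"params": set(), "cookies": set()})
    entry.setdefault("constraints", {})[finding["param"]] = re.compile(finding["allowed"])


def evaluate(policy, host, path, query, cookies):
    """Positive security model: return 'allow' or the reason the request is blocked."""
    entry = policy.get((host, path))
    if entry is None:
        return "block: unmapped resource"
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in entry["params"]:
            return f"block: unknown parameter {name}"
        rule = entry.get("constraints", {}).get(name)
        if rule and not rule.fullmatch(value):
            return f"block: virtual patch on {name}"
    for cookie in (c.strip() for c in cookies.split(";") if c.strip()):
        if cookie.split("=", 1)[0] not in entry["cookies"]:
            return f"block: unknown cookie {cookie.split('=', 1)[0]}"
    return "allow"


POLICY = learn_policy(LEARNING_TRAFFIC)   # learning phase
virtual_patch(POLICY, SCAN_FINDING)       # scan result applied as a virtual patch
```

A real deployment would learn from far more traffic and treat the generated policy as a starting point that an analyst reviews before enforcement, since anything not seen during learning is blocked.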
Smartphones, on-demand services and conveniences have spurred consumers to download apps on a massive scale. Our survey reveals that people download apps in a leap of faith, trusting the ability of organizations to protect identity, safeguard information, and process requests quickly. Given the propensity for the use of apps, consumers (54%) are willing to stop using the apps of insecure organizations and start using those of the competition. It is, therefore, important for businesses to consider the insights into consumer trade-offs between convenience and security, to secure their digital business and take it forward.
(The author is Managing Director - INDIA & SAARC, Radware)