As operating systems become increasingly attack-resistant, cyber criminals are moving up the stack, and yet relatively few UK organisations are planning application security projects, a survey shows.
Only 26.1% of IT professionals polled by TechTarget at 200 UK organisations said they planned to implement application security initiatives in 2012.
This is worrying: the constant pressure for agility in software development has left most businesses with application source code that is vulnerable to exploitation by hackers. Industry commentators, however, point to several reasons why the statistic is not all that surprising.
First, many organisations have tackled this problem already.
Dani Briscoe, research services manager of The Corporate IT Forum, confirms that members are seeing an increasing number of threats at the application level, but many are approaching it through payment card industry data security standard (PCI DSS) projects. “The majority already have this or solutions to manage it in place, hence there are not many strategies new for 2012,” she said.
It is PCI DSS, however, that is in part responsible for some companies opting for application firewalls instead of investing in static and dynamic scanning of applications, according to Daniel Kennedy, research director at 451 Research, a division of The 451 Group.
“The false dichotomy of these sets of approaches, scanning the code or product front end versus putting a web application firewall in front of the application, was largely created by the PCI standard on application security, which presented both options as an either/or,” he said.
Another reason application security is not more mainstream, said Kennedy, is that talk in the industry is well out in front of actual practice within enterprises.
“Doing application security properly is difficult; it involves enacting an additional discipline and additional activities within the development lifecycle, a lifecycle in most enterprises that is time constrained to the extreme as it is,” he said.
Another reason application security is taking a back seat is that many organisations are playing catch-up to get their perimeter defences up to scratch.
Despite the growing threat of application-level attacks, Mark Brown, chief information security officer at SAB Miller, points out that in the vast majority of recent breaches the attack has been carried out through simple, and often glaring, mistakes at the basic levels of IT security.
“The attackers know that many businesses for years have not focussed, nor invested sufficiently on the need for highly effective perimeter security controls,” he said.
With limited budgets, it is often a case of providing security protection in alignment with a maturity model, starting with the basics and then advancing up the capability curve, said Brown.
Only once the network perimeter is felt to be secure, he said, will the focus shift to application security.