Losses, not prevention, drive application security investments
Although organisations are concerned that they will be hacked through an application, they are not investing in prevention.
This was one of the findings of the 2018 Global Study on Application Security, sponsored by Arxan Technologies, and independently conducted by the Ponemon Institute.
The report surveyed 1 399 IT and IT security practitioners in the US, Europe and Asia-Pacific, to get a better idea of the risks posed by unprotected applications when running in unsecured environments, and what businesses are doing to address those risks.
The report indicated that application breaches are on the rise, as are the risks of running business-critical apps in zero-trust environments. However, organisations only make adequate investments in application security measures after a breach has happened, and resulted in loss of productivity, customer trust and revenue.
Nearly two-thirds (64%) of respondents said they are either 'concerned' or 'very concerned' that they will be breached through an application, and 54% think the severity of threats will increase this year. But only 25% of respondents said their businesses are making significant investments in solutions to prevent attacks.
"This is a big deal; it's not pocket change. The average data breach costs almost $4 million, when you include lost customers, the impact to operations, and your insurance costs going up," says Rusty Carter, VP of product management at Arxan. "Companies have to change the way they think about investing in app security because threats are only getting worse."
Lack of visibility
He says that, without visibility into the application threat landscape, organisations lack the intelligence to thoroughly secure customer-facing applications. "The reality facing organisations is a lack of visibility and understanding of what is happening in their environment," Carter adds.
Less than a quarter (23%) of those surveyed said they knew with certainty that their company had experienced a material breach caused by a compromised application. Another 51% thought a breach was likely but lacked the visibility of their 'apps in the wild' to fully understand the situation.
The report also revealed that non-IT and IT management have different views on the importance of security. Fifty-six percent of IT management respondents believe that performance and speed are as important as security. However, 48% of non-IT management respondents say performance and speed are more important than security.
"It's disturbing that so many companies acknowledge the increasing risk of application attacks, yet they are doing very little to prevent breaches from occurring," adds Joe Sander, CEO of Arxan. "It's backward thinking and it puts customers at significant risk. It's crucial to place security investments where attacks are happening."
Ignorant of the risks
Ilia Kolochenko, CEO of web security company High-Tech Bridge, says the report simply confirms a long-standing ignorance of application security and compliance risks. "Nowadays, applications are everywhere and usually the applications handle the most critical business data, including financial information, personally identifiable information and health records."
He says regulations, such as the impending GDPR, endeavour to fix the problem, but many reports claim that the overwhelming majority of companies are not yet prepared and are unlikely to be compliant this year.
"One of the biggest application security problems is lack of a coherent and risk-based application security strategy. Many large companies don't even have an up-to-date list of their external applications and microservices, let alone the foggiest idea about their internal legacy and shadow apps," Kolochenko adds.
They spend, without real thought or strategy, on a slew of solutions and services from various vendors, alternately blaming vulnerability scanners, penetration testers and bug bounties, he says. "The first step of any application security strategy should start with a comprehensive and actionable inventory of corporate applications. Otherwise, no application security technology will ever help. You cannot protect what you don't know."