Application security exposes businesses

By Admire Moyo, ITWeb's news editor.
Johannesburg, 18 May 2016
Most organisations lack secure coding knowledge, says Helen Bravo, head of product management at Checkmarx.

Businesses are falling victim to breaches mostly because they are neglecting application security.

That was the word from Helen Bravo, head of product management at Israel-based cyber security firm Checkmarx, speaking yesterday at ITWeb Security Summit 2016.

Citing a Gartner report, Bravo said 80% of successful cyber security attacks target the application layer. She added that according to the Web Application Security Consortium, 86% of the organisations surveyed were found to have medium or higher severity vulnerabilities on their application layer.

"In a recent survey of chief information security officers, when asked about what are the main areas of risks in their organisations, 51% pointed to application security, followed by 36% who said infrastructure security," said Bravo.

She noted that the main reason the application layer is left so vulnerable in most organisations is that most of these companies lack secure coding knowledge.

The other reason is that security managers are outnumbered by developers. "In most cases, you would find one security manager in charge of lots of developers and the task of ensuring everything is secure becomes difficult."

To mitigate this challenge, Bravo urged organisations to streamline their operations between the development team and the management.

"You also need buy-in from the development team by making sure that the developers are happy to use the platform that you chose."

The other predicament, she said, is that most organisations lack adequate security budgets to deal with vulnerabilities.

She urged organisations to fix security bugs as early as possible, noting that on average it costs about $80 to fix a bug in an application when it is still in the development phase. "Be effective and fix your vulnerabilities here. Organisations must also treat code vulnerabilities like bugs."

According to Bravo, it costs about $240 to fix a bug in an application when it is in the building phase. The amount goes up to $960 when a bug is found during the quality assurance and testing stage, and it escalates to $7 600 when the application is in production.