Why the state of application security is not so healthy

Web applications are often a common portal for breaches, so why aren't they being better protected?

Application security is an alarming and persistent problem: Nearly one-third of all breaches can be attributed to attacks against web applications, and both web application and database attacks account for most records breached every year. That's according to the Verizon 2013 Data Breach Investigations Report, which looked at 47,000 reported security incidents and 621 confirmed data breaches during the year prior to the report.

Web applications – because they are so easy to exploit and provide access into enterprise data – have long been top targets of attackers. That's why it's so surprising, or at least disappointing, that so many organizations pay application security such little attention.

For instance, the 2012 Global Information Security Survey, conducted by CSO and CIO magazines and PricewaterhouseCoopers, asked 12,052 business and technology executives about their organizations' security efforts. The survey found that only 35 percent of those questioned actually include application security in their internal security policies.


Fortunately, not every company is so lax. Consider Menlo Park, CA-based medical image sharing startup Image32. Founded in 2011, Image32 aims to help ease patient and doctor pain when it comes to sharing medical images such as X-Rays, CT Scans, and MRIs. "If all of your care takes place within the same hospital building, sharing these images among doctors is typically no trouble at all," says Image32 founder and CEO Bob Pellican. "However, because of security concerns, once a patient goes to another medical building, they will most likely need to copy all of their images to a CD or DVD and carry them around from specialist to specialist," he says.

That's not only a hassle for patients, it's also a hassle – and a costly one – for the doctors' offices that must contend with dozens of such discs every day. These discs can take about five minutes to load, and significantly slow down patient care.

Image32's software, which promises to help patients and doctors ease that workflow by storing and sharing medical images in a cloud service, obviously needs to be secure, and must meet certain regulatory mandates – but rather than bolt security onto the product later, when a customer or regulator demanded it, the company decided from the start to begin development with application security front of mind.

That proved to be a wise move. "We've already had a number of customers who have asked us about our security reviews and our alignment with HIPAA regulations," Pellican says. Fortunately, Image32 already had the ability in place to validate its secure application development processes.

An important part of that capability came from secure application lifecycle management software provider SD Elements. SD Elements software helps to guide developers through the secure coding process and to identify and eliminate a significant number of vulnerabilities very early in the development process.

According to SD Elements vice president Rohit Sethi, the software helps developers establish relevant security requirements for the applications they're building, guides them toward meeting those requirements throughout the development process, and helps them identify and remedy software vulnerabilities as they arise. The software also provides a dashboard that helps auditors verify that an application meets security and privacy requirements.

Pellican says identifying vulnerabilities early in the development process helped integrate security controls right into the development of the application, and likely saved the company from having to fix flaws later in the application building process. "We were able to tag flaws that were identified, then prioritize and schedule to have them fixed," he explains.

"Anything that can be done to catch application flaws earlier in the process, even at the application design phase, is going to reduce costs and improve security," says Spire Security research director Pete Lindstrom. "This is also catching developer mistakes in real-time, so there's likely a training benefit over time," says Lindstrom.
