Most people think that IT security professionals spend most of their time thwarting external threats from hackers, cybercriminals and bad actors from the Dark Web. In reality, infosec pros find the biggest time suck comes from addressing security vulnerabilities introduced by applications developed in-house or even bought off the shelf. Indeed, as a survey of attendees at this summer’s Black Hat conference indicates, “Most enterprises are not spending their time, budget and staffing resources on the problems that most security-savvy professionals consider to be the greatest threats.”
While the threat of targeted attacks is something that most IT professionals fear, most of their time is spent addressing application vulnerabilities. Many professionals understand that they live in a world of “when, not if” there will be an external attack, but their day-to-day demands don’t allow them to address the myriad ways that they could be compromised.
The survey reported that, “More than a third of Black Hat attendees said that their most time-consuming tasks are in addressing vulnerabilities introduced by internally developed software (35 percent) and vulnerabilities introduced by off-the-shelf software (33 percent). The data suggests that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.”
Application security leaves a lot to be desired
“Every piece of software has vulnerabilities, and a lot of those vulnerabilities have never been tested,” says Chris Eng, vice president of research at Veracode. The end result is that security teams focus more on application weaknesses than they do on sophisticated targeted attacks, accidental end user data leaks, polymorphic malware and phishing attacks.
Addressing application vulnerabilities is so time consuming, Eng says, “because of the hundreds and thousands of applications running on the network. For example, many banks use legacy software which was created over 10 years ago when there was no talk of security.” As more enterprises rely on a greater number of applications, their environments become more vulnerable.
Running older software is only one piece of the problem; it is compounded by running many applications at once, because “a lot of products haven’t done application security at all,” says Eng.
“To test all Web applications,” Eng says, “would mean taking something and making the site do what it’s not supposed to do. Historically, enterprises have used pen testers, which means test for two weeks, report, fix, repeat. Fixing means adding new features, but multiply that by the thousands of applications running. How many consultants do you need?”
Automation is your friend
A key take-away from Black Hat attendees: “Security pros are not spending their time and budget in a manner that is commensurate with their concerns about current threats. While issues such as compliance and application security take a significant amount of their time, they need greater leeway to focus on emerging threats such as targeted attacks and social engineering exploits that pose the greatest danger to their organizations.”
A solution to the time-consuming task of addressing security vulnerabilities is baking automation into the security development lifecycle. “Automation can run a test every night,” Eng says. Rather than spending their time working with developers to patch individual holes after vulnerabilities have been identified, IT professionals can run automated security tests across all of their applications.
“By empowering all of your different developments to use the same platform to self-test, it reduces the single point of failure,” Eng says. Automation allows enterprises to better understand the risks that are introduced in both their own applications and off-the-shelf purchases of applications or systems.
Due to the scope and scale of the problem, Eng says, “If you aren’t looking at everything, then you might as well be looking at nothing.” Choosing 10–50 applications to test and then fixing them does little to address the full scope of vulnerabilities that go undetected. The bottom line, says Eng, is that “any mistakes the developers make, the company’s development operations are going to make as well.”
According to Eng, automation “allows enterprises to understand the risks that are coming in. It helps companies scale security programs, provides visibility and sets policies because you want an understanding of the security posture of everything you are purchasing.”
The criminal needs only one point of entry to successfully infiltrate a network, but the more visibility an enterprise has, the better it can safeguard its environment. “Automation can’t find everything, but it gives you a way to make sure developers are thinking about this every day,” Eng says.
This story, "It’s 10 o’clock – do you know what your IT security team is doing?" was originally published by CIO.