Application Security

10/11/2016
04:30 PM

Businesses Sacrifice Security To Get Apps Released Faster

As the app economy continues to drive change in IT security, businesses struggle to meet customer demands while keeping their data secure.

Strong security is essential in an application-centric world, but new research shows businesses are sacrificing security in order to improve speed-to-market for their app offerings.

This was one of the findings of a new report, "The Security Imperative: Driving Business Growth In The App Economy," conducted by Coleman Parkes and commissioned by CA Technologies.

Researchers surveyed 1,770 senior business and IT executives, including more than 100 CSOs and CISOs, to investigate how their security operations affect business performance. 

Results indicate businesses view IT security as a business enabler but struggle to deliver stronger protection under the pressure of the app economy. Sixty-eight percent of respondents admit they compromise on security to get apps to market faster.

This is a tremendous risk. Managing user identities across thousands of apps, systems, devices, and platforms requires organizations to increase the complexity of their security practices, not cut corners. 

The app economy is creating new cybersecurity challenges for IT leaders operating in a multi-channel, multi-platform world. Customers expect rapid and secure experiences from any device, and will take their business elsewhere if security is burdensome or data is jeopardized. 

The rise of mobile and cloud has opened up new opportunities to drive the app economy, explains Nick Nikols, SVP and CTO for cybersecurity at CA Technologies. However, it also changes the security dynamic. What happens to traditional security approaches, like hiding behind a firewall, when data can be located anywhere?

"How do you secure something that is much more 'out there,' and not entirely under your control as much as it once was?" says Nikols of protecting cloud-based data. When information can be stored anywhere, businesses can't rely on traditional approaches to security.

It's time for businesses to think outside these approaches as they pursue new opportunities in this environment.

"You can't define a rigid perimeter and put defenses outside the perimeter," he continues. "You can't think of everyone on the outside as being bad and everyone on the inside as being good."

This is where identity-centric security comes into play. "We need something in addition to network security and endpoint security," says Nikols. "We need a more logical understanding of the nature of the [user] relationship."

The identity-centric approach uses behavioral analytics and predictive strategies to ensure identities are valid without sacrificing the customer experience. It's a more dynamic approach to security, Nikols explains. Risk is assessed via user behavior, and people may be asked for additional proof of ID to ensure they are who they claim to be.

However, he notes it's difficult to improve app security when the competition to deliver is fierce. "People are starting to recognize the need [for greater security], but we're quick to move to delivering new services and treat security as an afterthought," Nikols says.

As the app economy and its related challenges continue to evolve, how can businesses boost security while maintaining a strong customer or user experience?

Nikols advises creating a closer relationship between the DevOps and security teams so security is integrated into the development process and not tacked onto the end. If the security team is solely focused on hardening the perimeter or checking for vulnerabilities, their skills aren't being used to integrate security into the app.

If the security team isn't part of the development process, he continues, the overall rollout is delayed or the app is exposed to greater risk. Refusing to bring the two teams together will cause challenges.

"If we make [security] part and parcel of the DevOps process, it can help to actually save time," he says. "The app will be secure from the get-go, and you won't have to spend time securing an app you already built."

Many businesses have begun to use external business metrics to measure the effectiveness of IT security. These include factors like employee productivity, employee recruitment and retention, competitive differentiation, digital reach, and business growth.  

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
