Risk
3/12/2012
05:24 PM
Connect Directly
RSS
E-Mail
50%
50%

4 More Application Security Strategies For SMBs

Don't have the time, staff, or budget to go all-in on application security? Read this expert's take on how and what to prioritize.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Strong security practices don't have to be an all-or-nothing proposition. Sometimes, staying secure simply means you're good at prioritizing.

That's particularly true for application security. Not all applications are equal in terms of complexity or importance to your company. With that in mind, some small and midsize businesses (SMBs) are better suited to spend their time and money safeguarding critical applications while taking a laissez-faire approach in areas that have less at stake. In fact, acknowledging limits and working within them can become an advantage, according to George Baker, director of information security at Exostar.

"Resources--time, people, and financial--will be limited, but an SMB’s advantage in competing with larger organizations is your agility and ability to adapt," Baker said.

Like his peer Yaron Baitch over at midmarket retailer Bob's Stores, Baker's 100-person firm places a heavy emphasis on security because it's crucial to the bottom line--albeit for quite different reasons. Exostar provides enterprise application integration and collaboration services, and its customers include very large companies. A breach would be very costly both in terms of real dollars and reputation value.

[ Is your network hosting a bring-your-own-device party without your knowledge? See 4 BYOD Security Strategies For Small Business. ]

Also like Baitch, Baker sees some common ground for SMBs when it comes to application security; the two recently shared a panel at RSA. For example, outsourcing certain skills or needs isn't something to shy away from when it provides the best bang for your buck. Yet the pair calls attention to another SMB truism: No two companies are quite alike. SMBs, especially, can differ wildly in terms of security goals and needs. In a combination of phone and email interviews, Baker shared his own advice for how other SMBs can better address application security when there are many other areas competing for resources.

1. Don't be intimidated. SMBs that approach security with a defeatist attitude are, simply put, much likelier targets for hackers and other threats. If you don't think you can achieve real security, you won't.

"You may feel as though you are at the base of the mountain, but just focus on taking your first step. Then, take another," Baker said. "Before you realize it, you’ll be scaling that mountain."

2. Build a business case. Security threats are tough enough--don't add to the challenge by butting heads with the rest of the business. Build a solid case that stakeholders can understand and buy into; then you'll have the backing you need to succeed.

"Map out the cost to execute your plan for the first quarter, the first year, and the next several years. At the same time, identify the cost of not securing those apps, in terms of hard (dollars lost) and soft (reputation or customers lost) dollars," Baker said. "Make it easy for executives to weigh the go/no-go decision."

3. Prioritize. Baker believes a good plan is comprehensive enough to secure everything over time, but pragmatic enough to allow for a reality that you might never reach that 100% bar. To do so, start with the simple recognition that some applications are more important to your business than others and make a list. Don't be too concerned with what other companies are doing; worry about what's actually important to your business.

"Rank all of your apps and start with those with the highest priority," Baker said. "Priority can be a function of app importance, app vulnerability, and anticipated cost, time, and ease to secure."

4. Start with quick wins. Sometimes, the process of ranking priorities can itself feel like more than your SMB can handle. Baker advises starting with the quick wins. Among other reasons, these give you tangible results to show executive management that security isn't a theoretical practice. Baker's top candidates include public-facing websites, collaboration applications (email, IM, and so forth), financial information, and any applications developed in-house.

InformationWeek is conducting a survey to determine the types of measures and policies IT is taking to ensure the security of the full range of mobile assets on cellular, Wi-Fi, and other wireless technologies. Upon completion of our survey, you will be eligible to enter a drawing to receive an 32-GB Apple iPod Touch. Take our Mobile Security Survey now. Survey ends March 16.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.