
Application Security

10/11/2016
04:30 PM

Businesses Sacrifice Security To Get Apps Released Faster

As the app economy continues to drive change in IT security, businesses struggle to meet customer demands while keeping their data secure.

Strong security is essential in an application-centric world, but new research shows businesses are sacrificing security in order to improve speed-to-market for their app offerings.

This was one of the findings of a new report, "The Security Imperative: Driving Business Growth In The App Economy," conducted by Coleman Parkes and commissioned by CA Technologies.

Researchers surveyed 1,770 senior business and IT executives, including more than 100 CSOs and CISOs, to investigate how their security operations affect business performance. 

Results indicate businesses view IT security as a business enabler but struggle to deliver stronger protection under the pressure of the app economy. Sixty-eight percent of respondents admit they compromise on security to get apps to market faster.

This is a tremendous risk. Managing user identities across thousands of apps, systems, devices, and platforms requires organizations to increase the complexity of their security practices, not cut corners. 

The app economy is creating new cybersecurity challenges for IT leaders operating in a multi-channel, multi-platform world. Customers expect rapid and secure experiences from any device, and will take their business elsewhere if security is burdensome or data is jeopardized. 

The rise of mobile and cloud has opened up new opportunities to drive the app economy, explains Nick Nikols, SVP and CTO for cybersecurity at CA Technologies. However, it also changes the security dynamic. What happens to traditional security approaches, like hiding behind a firewall, when data can be located anywhere?

"How do you secure something that is much more 'out there,' and not entirely under your control as much as it once was?" says Nikols of protecting cloud-based data. When information can be stored anywhere, businesses can't rely on traditional approaches to security.

It's time for businesses to think outside these approaches as they pursue new opportunities in this environment.

"You can't define a rigid perimeter and put defenses outside the perimeter," he continues. "You can't think of everyone on the outside as being bad and everyone on the inside as being good."

This is where identity-centric security comes into play. "We need something in addition to network security and endpoint security," says Nikols. "We need a more logical understanding of the nature of the [user] relationship."

The identity-centric approach uses behavioral analytics and predictive strategies to ensure identities are valid without sacrificing the customer experience. It's a more dynamic approach to security, Nikols explains. Risk is assessed via user behavior, and people may be asked for additional proof of ID to ensure they are who they claim to be.
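As an added illustration of the risk-based approach Nikols describes (this is not code from the report, CA Technologies, or Dark Reading), the Python below scores a login attempt from behavioural signals and decides whether to let it through without friction, ask for additional proof of identity, or refuse it. The signals, weights, thresholds and sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
@dataclass
class UserProfile:                   # behavioural baseline seen so far for one user
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    last_seen: Optional[datetime] = None
    last_country: Optional[str] = None
@dataclass
class LoginAttempt:
    device_id: str
    country: str
    at: datetime
    failed_attempts_last_hour: int = 0

# Weights and thresholds below are illustrative assumptions, not figures from the article.
STEP_UP_THRESHOLD = 40   # at or above: ask for additional proof of identity
DENY_THRESHOLD = 80      # at or above: refuse even with step-up

def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Combine weighted behavioural signals into a 0-100 risk score."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 30                                   # unfamiliar device
    if attempt.country not in profile.usual_countries:
        score += 25                                   # unfamiliar location
    # "Impossible travel": a different country under an hour after the last login
    if (profile.last_seen and profile.last_country
            and attempt.country != profile.last_country
            and attempt.at - profile.last_seen < timedelta(hours=1)):
        score += 40
    score += min(attempt.failed_attempts_last_hour * 10, 30)  # guessing pressure
    return min(score, 100)

def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    # 'allow' = no friction, 'step_up' = extra proof of ID, 'deny' = refuse
    score = risk_score(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "deny"
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"

def demo() -> list:   # constructed sample: one user's baseline, three login attempts
    t0 = datetime(2016, 10, 11, 9, 0)
    profile = UserProfile({"laptop-1"}, {"US"}, t0, "US")
    attempts = [LoginAttempt("laptop-1", "US", t0 + timedelta(hours=2)),     # routine
                LoginAttempt("phone-9", "US", t0 + timedelta(hours=2), 2),   # new device, 2 failures
                LoginAttempt("phone-9", "BR", t0 + timedelta(minutes=30))]   # new device, impossible travel
    return [decide(profile, a) for a in attempts]
```

The routine login passes with no extra friction, the unfamiliar device with recent failures triggers a step-up, and the impossible-travel case is refused outright.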

However, he notes it's difficult to improve app security when the competition to deliver is fierce. "People are starting to recognize the need [for greater security], but we're quick to move to delivering new services and treat security as an afterthought," Nikols says.

As the app economy and its related challenges continue to evolve, how can businesses boost security while maintaining a strong customer or user experience?

Nikols advises creating a closer relationship between the DevOps and security teams so security is integrated into the development process and not tacked onto the end. If the security team is solely focused on hardening the perimeter or checking for vulnerabilities, their skills aren't being used to integrate security into the app.

If the security team isn't part of the development process, he continues, the overall rollout is delayed or the app is exposed to greater risk. Refusing to bring the two teams together will cause challenges.

"If we make [security] part and parcel of the DevOps process, it can help to actually save time," he says. "The app will be secure from the get-go, and you won't have to spend time securing an app you already built."

Many businesses have begun to use external business metrics to measure the effectiveness of IT security. These include factors like employee productivity, employee recruitment and retention, competitive differentiation, digital reach, and business growth.  


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
