
Application Security

10/11/2016
04:30 PM

Businesses Sacrifice Security To Get Apps Released Faster

As the app economy continues to drive change in IT security, businesses struggle to meet customer demands while keeping their data secure.

Strong security is essential in an application-centric world, but new research shows businesses are sacrificing security in order to improve speed-to-market for their app offerings.

This was one of the findings discovered in a new report, "The Security Imperative: Driving Business Growth In The App Economy," conducted by Coleman Parkes and commissioned by CA Technologies.

Researchers surveyed 1,770 senior business and IT executives, including more than 100 CSOs and CISOs, to investigate how their security operations affect business performance. 

Results indicate businesses view IT security as a business enabler but struggle to deliver stronger protection under the pressure of the app economy. Sixty-eight percent of respondents admit they compromise on security to get apps to market faster.

This is a tremendous risk. Managing user identities across thousands of apps, systems, devices, and platforms demands more sophisticated security practices, not corner-cutting.

The app economy is creating new cybersecurity challenges for IT leaders operating in a multi-channel, multi-platform world. Customers expect rapid and secure experiences from any device, and will take their business elsewhere if security is burdensome or data is jeopardized. 

The rise of mobile and cloud has opened up new opportunities to drive the app economy, explains Nick Nikols, SVP and CTO for cybersecurity at CA Technologies. However, it also changes the security dynamic. What happens to traditional security approaches, like hiding behind a firewall, when data can be located anywhere?

"How do you secure something that is much more 'out there,' and not entirely under your control as much as it once was?" says Nikols of protecting cloud-based data. When information can be stored anywhere, businesses can't rely on traditional approaches to security.

It's time for businesses to think outside these approaches as they pursue new opportunities in this environment.

"You can't define a rigid perimeter and put defenses outside the perimeter," he continues. "You can't think of everyone on the outside as being bad and everyone on the inside as being good."

This is where identity-centric security comes into play. "We need something in addition to network security and endpoint security," says Nikols. "We need a more logical understanding of the nature of the [user] relationship."

The identity-centric approach uses behavioral analytics and predictive techniques to verify that an identity is genuine without sacrificing the customer experience. It's a more dynamic approach to security, Nikols explains: risk is assessed from the user's behavior, and a user whose behavior looks anomalous may be asked for additional proof of identity before being allowed to proceed.
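The following is an added example of what such a risk-based, step-up decision looks like in code. It is not CA Technologies' product logic or any code from the original article; the signal names, weights, thresholds, geolocation inputs and the sample logins are assumptions constructed for illustration. A login with no unusual signals is allowed, a login from an unknown device or after a burst of failed attempts triggers a request for additional proof (step-up), and a stacked set of signals such as an unknown device combined with impossible travel is denied outright.

```python
"""Risk-based (step-up) authentication as a decision function.

Added example for the identity-centric approach described above; it is
not CA Technologies' code.  Signal names, weights, thresholds and the
sample logins in demo() are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class LoginEvent:
    user: str
    ts: datetime              # time of the attempt (UTC)
    device_id: str            # device cookie / fingerprint
    lat: float                # geolocation of the source IP (assumed available)
    lon: float
    recent_failures: int = 0  # failed attempts on this account in the last hour


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None
    usual_hours: range = range(7, 20)  # assumed working hours, UTC


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def risk_signals(event: LoginEvent, profile: UserProfile) -> Dict[str, int]:
    """Score every behavioural signal that fires; the weights are assumptions."""
    signals: Dict[str, int] = {}
    if event.device_id not in profile.known_devices:
        signals["unknown_device"] = 30
    if event.ts.hour not in profile.usual_hours:
        signals["off_hours"] = 10
    if event.recent_failures >= 3:
        signals["failed_attempt_burst"] = 40
    prev = profile.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        hours = (event.ts - prev.ts).total_seconds() / 3600
        if hours > 0 and km / hours > 900:   # faster than an airliner
            signals["impossible_travel"] = 50
        elif km > 500:                        # reachable, but a new place
            signals["new_location"] = 15
    return signals


def decide(event: LoginEvent, profile: UserProfile,
           step_up_at: int = 25, deny_at: int = 70) -> Tuple[str, int]:
    """Map the summed risk score to allow / step-up (ask for more proof) / deny."""
    score = sum(risk_signals(event, profile).values())
    if score >= deny_at:
        return DENY, score
    if score >= step_up_at:
        return STEP_UP, score
    return ALLOW, score


def record_success(profile: UserProfile, event: LoginEvent) -> None:
    """After a successful (possibly stepped-up) login, trust the device and location."""
    profile.known_devices.add(event.device_id)
    profile.last_login = event


def demo() -> Dict[str, Tuple[str, int]]:
    """Constructed scenarios for one account; returns name -> (decision, score)."""
    london = (51.5074, -0.1278)
    new_york = (40.7128, -74.0060)
    t0 = datetime(2016, 10, 11, 9, 0, tzinfo=timezone.utc)
    profile = UserProfile(known_devices={"laptop-1"})
    profile.last_login = LoginEvent("alice", t0, "laptop-1", *london)

    def mk(hours_later: float, dev: str, loc: Tuple[float, float], fails: int = 0) -> LoginEvent:
        return LoginEvent("alice", t0 + timedelta(hours=hours_later), dev, *loc,
                          recent_failures=fails)

    results = {
        "known_device_same_city": decide(mk(1, "laptop-1", london), profile),
        "known_device_off_hours": decide(mk(13, "laptop-1", london), profile),
        "unknown_device": decide(mk(1, "phone-9", london), profile),
        "failed_attempt_burst": decide(mk(1, "laptop-1", london, fails=5), profile),
        "unknown_device_impossible_travel": decide(mk(1, "phone-9", new_york), profile),
    }
    # Suppose the unknown-device step-up succeeded: the phone is now trusted.
    record_success(profile, mk(1, "phone-9", london))
    results["unknown_device_after_step_up"] = decide(mk(2, "phone-9", london), profile)
    return results


if __name__ == "__main__":
    for name, (decision, score) in demo().items():
        print(f"{name:34} {decision:8} score={score}")
```

The thresholds are deliberately separate from the signal weights so that a product owner can tune how often customers are interrupted without touching the detection logic, which is the trade-off between friction and assurance that the article describes.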

However, he notes it's difficult to improve app security when the competition to deliver is fierce. "People are starting to recognize the need [for greater security], but we're quick to move to delivering new services and treat security as an afterthought," Nikols says.

As the app economy and its related challenges continue to evolve, how can businesses boost security while maintaining a strong customer or user experience?

Nikols advises creating a closer relationship between the DevOps and security teams so security is integrated into the development process rather than tacked onto the end. If the security team is focused solely on hardening the perimeter or checking for vulnerabilities, its skills aren't being used to build security into the app itself.

If the security team isn't part of the development process, he continues, either the rollout is delayed or the app ships exposed to greater risk. Keeping the two teams apart creates both delay and risk.

"If we make [security] part and parcel of the DevOps process, it can help to actually save time," he says. "The app will be secure from the get-go, and you won't have to spend time securing an app you already built."

Many businesses have begun to use external business metrics to measure the effectiveness of IT security. These include factors like employee productivity, employee recruitment and retention, competitive differentiation, digital reach, and business growth.  

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
