Application Security eGuide


Upload: blackstone-and-associates-technology-group

Post on 13-Jan-2015


Page 1: Application Security

In this eGuide

Application Security

Improve Application Security Practices

Third-party Apps Ripe Targets for Cybercriminals

Etsy, Ecommerce and Application Security

Is Application Security the Hole in Your Defense?

Massive Enterprise Software Insecurity

Radically Better Security

Enterprises around the world are facing what could be called the most aggressive threat environment in the history of information technology. Disruptive computing trends are emerging that offer increased employee productivity and business agility, but at the same time introduce a host of new risks and uncertainty. Applications are no exception – the ways that developers create the programs that support the business are always evolving, but security measures to protect these new applications struggle to keep up. When it comes to commercial applications, patching security holes is a must – yet so often these holes are left unplugged and vulnerabilities find their way into the corporate network.

In this eGuide, CIO and sister publications CSO and InfoWorld bring you news, opinions, research and advice regarding the risks that enterprises face from lackluster application security, and steps that can be taken to improve IT defenses. Read on to learn more about application security trends and approaches for today’s insecure world.

Resources

How to Improve Your Application Security Practices: The number of serious vulnerabilities in applications is declining, but they are still common. Improving your application security posture requires determining whether you're a target of opportunity or a target of choice and understanding your development lifecycle

Is Application Security the Glaring Hole in Your Defense? Organizations on average spend one-tenth as much on application security as they do on network security, even though survey respondents name SQL injection attacks as the leading root cause of data breaches. Experts say educating developers in writing secure code is the answer

Third-party Apps Ripe Targets for Cybercriminals

86% of all vulnerabilities in 2012 pinned to non-Microsoft apps

3 Questions: Etsy, Ecommerce and Application Security

Dinis Cruz on what we do, and don’t, know about web security practices

Survey Raises Specter of Massive Enterprise Software Insecurity

Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components

The Two Steps to Radically Better Security

Stop wasting your money and do computer security right with two common-sense practices

Application Security Resources

Tips and tools to help make your critical applications more secure



How to Improve Your Application Security Practices

How To

By Thor Olavsrud • CIO

Improving your application security posture requires determining whether you're a target of opportunity or a target of choice and understanding your development lifecycle

Organizations talk a good game when it comes to security, but many still focus the majority of their security resources on the network rather than their applications, the vector for most data breaches. Many organizations dedicate less than 10 percent of their IT security budget to application security, according to a study by research firm the Ponemon Institute, released in 2012.

The reasons for this gap are multifaceted, says Jeremiah Grossman, founder and CTO of WhiteHat Security, provider of a continuous vulnerability assessment and management service for thousands of Web sites, including the Web sites of dozens of Fortune 500 companies. First, he says, many security professionals have a blind spot for software.

"Most of the security guys out there are not software people," he says. "They come from an IT background. All they really know how to do is protect the network."

Second, regulatory compliance and the cruft that comes with regulations based on past threats also play a role in Grossman's view. "Organizations must comply," he says. "They spend the lion's share of their budget first on firewalls and antivirus because the compliance regulators mandate it."

Prioritizing Application Security Is a Challenge

It is often difficult for the organization to prioritize application security over revenue-generating development work, he says. Even when organizations identify serious vulnerabilities in their Web sites, it's not necessarily a simple decision to fix them.

"The organization has to fix it themselves," he says. "The business has to decide: 'Do we create revenue-generating features this week? If we don't deliver those features on time or at all, we will for a fact lose money. Not fixing the vulnerability may potentially cost the business money.' They have to make a decision."

Application Vulnerabilities on the Decline

Even with these challenges, Grossman says the application security landscape shows signs of improvement. While 2011 was dubbed the Year of the Breach, based on a multitude of high-profile breaches of companies like RSA, Sony, Facebook and Citigroup, not to mention the CIA and FBI, 2011 was also a year in which the average number of serious vulnerabilities in Web sites showed a marked decline.

For 12 years, WhiteHat has put together its WhiteHat Security Website Security Statistics Report based on the vulnerabilities it finds in the Web sites it assesses. The 2011 installment, based on the examination of critical vulnerabilities from 7,000 Web sites across major vertical markets, found an average of 79 serious vulnerabilities per Web site, a drastic reduction from the average of 230 it found in 2010 and 1,111 it found in 2007.

"These are real-world Web sites," Grossman says. "I would guarantee that you have accounts and data in many of the sites we test."

Of course, that single statistic doesn't tell the whole story. While the average came in at 79 serious vulnerabilities, the standard deviation was 670: some Web sites expose a lot more vulnerabilities than others. Also, according to Netcraft, there are roughly 700 million Web sites on the Internet and tens of millions more are coming online each month. While it's a large sample, 7,000 Web sites is just a tiny fraction of the whole.

Still, WhiteHat's findings paint a picture of the state of Web site security today, a picture in which Web site security is slowly improving. The banking vertical continued to show its dedication to security: banking Web sites again possessed the fewest serious vulnerabilities of any industry, with an average of 17 serious vulnerabilities per Web site. Banking also had the highest remediation rate of any industry at 74 percent. Every industry, with the notable exceptions of healthcare and insurance, showed improvement from 2010.

Additionally, time-to-fix showed vast improvement, dropping to an average of 38 days, much shorter than the average of 116 days in 2010. "The developers know that 38 days is actually a really, really good number because they know how long it does take," Grossman says. "But to the end users, 38 days is unacceptable."

Steps to Improve Your Security Posture

To improve your application security posture and make the best possible use of your IT security budget, Grossman suggests you first determine whether you are a target of opportunity or a target of choice. Targets of opportunity are breached when their security posture is weaker than the average organization in their industry. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker.

"On the Web, if you're doing business of any kind, you're going to be a target of opportunity," Grossman says. "Everybody has something worth stealing to a bad guy these days. Other companies are a target of choice because they have something the bad guys want: your credit card numbers or IP or customer lists. This aligns with how secure you need to be. No one needs perfect security."

If you determine you're a target of opportunity, Grossman says, you need to make sure that you are a little bit more secure than the average business in your category. He notes organizations can use the data in WhiteHat's free Website Security Statistics Report to benchmark where they need to be.

Targets of choice, on the other hand, need to make themselves as secure as they possibly can and then prepare plans for how to react when they are breached so they can minimize the damage as much as possible.

Grossman also recommends that organizations hack themselves in an effort to understand how attackers will approach their Web sites. Additionally, he says organizations need to understand their benchmarks: which vulnerabilities are most prevalent in their Web sites, their time-to-fix, their remediation percentage, their average window of exposure, and so on.

If you consistently see vulnerabilities of a particular type, like cross-site scripting or SQL injection, it's a sign that your developers need education in that issue or your development framework may not be up to snuff. If your time-to-fix is particularly slow, it's a good bet that you have a procedural issue: your developers aren't treating vulnerabilities as bugs. If you consistently see vulnerabilities reopening, it suggests you have a problem with your 'hot-fix' process: high-severity vulnerabilities get patched quickly in production, but the change is never back-ported to the development branch, so a future software release overwrites the patch.

"Understand your software development cycle," Grossman says. "Understand where you're good, where you're bad and make your adjustments accordingly." •
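The benchmarks Grossman lists (prevalent vulnerability classes, time-to-fix, remediation percentage, window of exposure) and the procedural signals he reads from them are straightforward to compute from a vulnerability-tracker export. The following is an added example, not code from the article or from WhiteHat Security; the record layout, the sample findings and the use of the report's 38-day average as a cut-off are assumptions made for illustration.

```python
"""Compute application-security benchmarks (time-to-fix, remediation rate,
window of exposure, prevalence by class, reopened findings) from a
vulnerability-tracker export.

Added example, not code from the article or from WhiteHat Security. The record
layout and the sample findings below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample export: one row per finding. A finding that was fixed and
# later reappeared carries a 'reopened' date (the hot-fix regression pattern).
FINDINGS = [
    {"id": 1, "site": "shop", "class": "sqli", "opened": date(2011, 1, 3), "fixed": date(2011, 1, 20), "reopened": None},
    {"id": 2, "site": "shop", "class": "xss", "opened": date(2011, 1, 10), "fixed": date(2011, 3, 1), "reopened": date(2011, 4, 2)},
    {"id": 3, "site": "shop", "class": "xss", "opened": date(2011, 2, 1), "fixed": None, "reopened": None},
    {"id": 4, "site": "portal", "class": "sqli", "opened": date(2011, 2, 14), "fixed": date(2011, 2, 28), "reopened": None},
    {"id": 5, "site": "portal", "class": "xss", "opened": date(2011, 3, 1), "fixed": date(2011, 5, 10), "reopened": date(2011, 6, 1)},
    {"id": 6, "site": "portal", "class": "csrf", "opened": date(2011, 3, 5), "fixed": date(2011, 3, 12), "reopened": None},
]
AS_OF = date(2011, 7, 1)  # snapshot date used for findings that are still open


def time_to_fix_days(findings):
    """Average days from discovery to fix, over fixed findings only."""
    fixed = [(f["fixed"] - f["opened"]).days for f in findings if f["fixed"]]
    return mean(fixed) if fixed else None


def remediation_rate(findings):
    """Share of findings that have been fixed (0.0 to 1.0)."""
    return sum(1 for f in findings if f["fixed"]) / len(findings)


def window_of_exposure_days(findings, as_of=AS_OF):
    """Average days each finding was, or still is, exposed; open findings
    count up to the snapshot date."""
    return mean(((f["fixed"] or as_of) - f["opened"]).days for f in findings)


def prevalence_by_class(findings):
    """Finding counts per vulnerability class, most common first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["class"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def reopen_rate_by_class(findings):
    """Share of fixed findings per class that later reappeared. A high value
    for one class points at a hot-fix that never reached the main branch."""
    fixed = defaultdict(int)
    reopened = defaultdict(int)
    for f in findings:
        if f["fixed"]:
            fixed[f["class"]] += 1
            if f["reopened"]:
                reopened[f["class"]] += 1
    return {c: reopened[c] / fixed[c] for c in fixed}


def diagnose(findings):
    """Turn the numbers into the procedural signals the article describes."""
    signals = []
    ttf = time_to_fix_days(findings)
    if ttf is not None and ttf > 38:  # assumed cut-off: the report's 2011 average
        signals.append("slow time-to-fix: vulnerabilities not treated as bugs")
    top_class, top_count = prevalence_by_class(findings)[0]
    if top_count / len(findings) >= 0.5:
        signals.append(f"{top_class} dominates: developer training or framework gap")
    for cls, rate in reopen_rate_by_class(findings).items():
        if rate > 0:
            signals.append(f"{cls} fixes reopening: hot-fix not back-ported")
    return signals


if __name__ == "__main__":
    print("time-to-fix (days):", time_to_fix_days(FINDINGS))
    print("remediation rate:", remediation_rate(FINDINGS))
    print("window of exposure (days):", window_of_exposure_days(FINDINGS))
    print("prevalence:", prevalence_by_class(FINDINGS))
    for s in diagnose(FINDINGS):
        print("signal:", s)
```

Window of exposure is the number end users feel, so it is computed over every finding, including the ones still open at the snapshot date; time-to-fix, the number developers optimize, only counts findings that were actually closed. On the constructed data the two diverge sharply because one cross-site scripting finding has been open for five months.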


Is Application Security the Glaring Hole in Your Defense?

Market Research

By Thor Olavsrud • CIO

Many organizations spend less than one-tenth of their IT security budget on application security. Experts say educating developers in writing secure code is the answer.

When it comes to security, a large number of organizations have a glaring hole in their defenses: their applications.

A recent study of more than 800 IT security and development professionals reports that most organizations don't prioritize application security as a discipline, even though respondents name SQL injection attacks as the leading root cause of data breaches. The second-highest root cause is exploited vulnerable code in Web 2.0/social media applications.

Sixty-eight percent of developers' organizations and 47 percent of security practitioners' organizations suffered one or more data breaches in the past 24 months due to hacked or compromised applications. A further 19 percent of security practitioners and 16 percent of developers were uncertain whether their organization had suffered a data breach due to a compromised or hacked application. Additionally, only 12 percent of security practitioners and 11 percent of developers say all their organizations' applications meet regulations for privacy, data protection and information security.

Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security.

"We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn't worked, how industries are organizing themselves and what gaps exist," says Dr. Larry Ponemon, CEO of the Ponemon Institute, the research firm that conducted the study on the behalf of security firm Security Innovation. "We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it."

The study found that security practitioners and developers were far apart in their perception of the issue. While one might expect that security practitioners held the more cynical views with regard to application security, in fact the opposite was true. Dr. Ponemon says 71 percent of developers say application security was not adequately emphasized during the application development lifecycle, compared with 49 percent of security practitioners who felt the same way. Additionally, 46 percent of developers say their organization had no process for ensuring security is built into new applications, while only 21 percent of security practitioners believed that to be the case.

Developers and security practitioners are also divided on the issue of remediating vulnerable code. Nearly half (47 percent) of developers say their organizations have no formal mandate to remediate vulnerable code, while 29 percent of security practitioners say the same.

The survey also found that nearly half of developers say there is no collaboration between their development organization and the security organization when it comes to application security. That's a stark contrast from the 19 percent of security practitioners who say there is no collaboration.

Lack of Collaboration in Application Security

"We basically found that developers were much more likely to think there was a lack of collaboration," Dr. Ponemon says. "The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they're getting the word out on collaborating or helping, but they're not doing so effectively."

In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don't understand how to implement that policy. The security organizations think they've done their job, but they haven't managed to make their policy contextual for developers.

"We find that process has no bearing whatsoever on the ability of an organization to write secure code," Dr. Ponemon says. "It doesn't take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write."

But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization has no application security training program and no plans to deploy one. •
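Dr. Ponemon's point that a secure line and an insecure line cost the same to write, and the study's finding that SQL injection is the leading root cause of breaches, meet in one line of a login query. The following added example (not code from the article or the Ponemon study) puts the injectable string-built query beside the parameterized one and runs both against an in-memory SQLite table; the schema, the users and the attacker's input are constructed for illustration.

```python
"""Login lookup two ways: string-built SQL (injectable) beside a parameterized
query. Added example, not code from the article or the Ponemon study; the
schema, users and attacker input below are constructed for illustration.
"""
import hashlib
import sqlite3


def _hash(password):
    # Demonstration only: a real system uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for name, pw in (("alice", "correct horse"), ("admin", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, _hash(pw)))
    conn.commit()
    return conn


def login_insecure(conn, username, password):
    """The line not to write: user input is pasted into the SQL text, so the
    input decides what the query means."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, _hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_secure(conn, username, password):
    """The line to write: the SQL text is fixed and the driver binds the
    values, so a quote in the input is data, not syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, _hash(password))).fetchone()
    return row[0] if row else None


# Constructed attacker input: closes the string literal and comments out the
# rest of the WHERE clause, so the password check never runs.
PAYLOAD = "admin' -- "


def demo():
    """Run a legitimate login and the payload through both versions."""
    conn = make_db()
    results = {
        "legit_insecure": login_insecure(conn, "alice", "correct horse"),
        "legit_secure": login_secure(conn, "alice", "correct horse"),
        "payload_insecure": login_insecure(conn, PAYLOAD, "wrong"),
        "payload_secure": login_secure(conn, PAYLOAD, "wrong"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:18s} -> {who}")
```

Both functions behave identically for a legitimate user, which is why the difference is invisible in normal testing and only shows up in a review or a security test that feeds the query a quote. The insecure version logs the attacker in as admin with no password; the parameterized version looks for a user literally named `admin' -- ` and finds none.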


Third-party Apps Ripe Targets for Cybercriminals

Market Research

By John P. Mello Jr. • CSO

86% of all vulnerabilities in 2012 pinned to non-Microsoft apps

Third-party apps continue to be juicy targets for byte bandits, primarily because the programs are rife with vulnerabilities, according to a report by Copenhagen-based Secunia, a maker of vulnerability solutions. The main threat to end-point security for corporations and individuals is non-Microsoft applications.

In fact, the share of vulnerabilities attributed to non-Microsoft programs has jumped in the last five years, from 57% in 2007 to 86% in 2012, Secunia said. That contrasts sharply with Microsoft's share of the vulnerability problem: 5.5% in its operating systems and 8.5% in its software programs.

While Microsoft used to be a popular target for Internet riff-raff, that's no longer the case. "We've seen an increase over the past 10 years in the focus of cybercriminals on third-party applications," William Melby, a senior account executive with Secunia, said in an interview.

There are at least two reasons for that, according to Wes Miller, a research analyst with Directions on Microsoft in Kirkland, Wash. "They're pervasive and they're not as diligent about how they design and patch their software," he said.

"Ironically, Windows was the target for the longest time because it was so ubiquitous, and while it's still ubiquitous, I think the bad guys are looking for lower-hanging fruit now like Reader and Flash and Java and iTunes," he said. "All those things that are pseudo cross-platform -- at least for Mac and Windows -- become a tempting threat vector."

Microsoft is benefiting from investments it made in writing more secure code over the last decade, according to Stefan Frei, a research director at NSS Labs in Austin, Texas. "Microsoft vulnerabilities dropped drastically from 2011 to 2012," he said. "That's made successful exploitation of Microsoft's programs much, much harder."

While attention was focused on bolstering the security of Microsoft's products, little pressure has been exerted on third-party vendors to clean up their acts, he said. "When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down." Not only has Microsoft improved the quality of its software code, all of its products can be updated through a single process, Melby explained.

"Third-party updates are more complicated," he said. "You might have to reach out to 30 or 40 vendors to get updates."

Secunia researchers discovered more than 2,500 programs with more than 9,700 vulnerabilities in 2012, an average of four per product. And while software makers appear to have been keeping pace with the vulnerabilities as they're found -- 84% of the vulnerabilities had fixes available on the day they were disclosed -- the patches aren't being applied in a timely way.

Traditionally, the focus of IT departments has been to keep Microsoft's software up to date and let third-party patches slide, Melby explained. "It's not good enough just to patch Microsoft applications anymore -- not with the number of vulnerable third party applications running on any given system," he said. •


3 Questions: Etsy, Ecommerce and Application Security

Q&A

By Michael Fitzgerald • CSO

Dinis Cruz on what we do, and don't, know about web security practices

'Add to cart'. 'Click to buy'. —What could be simpler? Well, web commerce may be simple indeed, but whether it's secure is another question.

CSO asked Dinis Cruz for some quick insights into the state of application and ecommerce security online. Cruz is leader of the Open Web Application Security Project (OWASP) O2 platform project and principal security engineer at Security Innovation, which provides curriculum, training and services around application security.

CSO: What are the big issues with application security?

Cruz: One of the biggest challenges we have from a security point of view is that most development is broken from a process point of view. A lot of companies struggle just to have a development life cycle, let alone injecting security into it. It's code security really. Mobile apps have the same issues. They live in a bit more of a controlled environment.

CSO: You've blogged about Etsy, the social e-commerce company, and what you (as an outside observer) think it gets right with its application security. What do you like about Etsy's app security?

Cruz: First, I am not involved with them at all.

If you look at their blog, at their presentations, they are introducing a lot of visibility into what's happening with the application. They have a system that's so slick and mature that they can blog about it. That speaks volumes about what happens behind the scenes. [Editor's note: Etsy declined to speak to CSO about their security practices.] They show how you add value by giving (developers) visibility metrics—how it works, how it fits together, and the other changes that happen when you make a change. I like their focus on 'If you have to fix security, you have to fix development.'

They really have a very good view of how security can add value to development. They make it so developers don't view security like a tax, a pain point you have to go through. If you can make security add value, then developers want to engage with it.

CSO: Are you concerned about the state of app security? Is it improving?

Cruz: It's a disaster with a capital D. The good news is we don't have more attackers with very strong business models. And, the industry is finally starting to pay attention, and doing a much better job of how to develop applications, instead of waiting to get attacked spectacularly.

Etsy stands out. They are not the norm.

What's interesting is, [what they're doing] should be normal. If you go to any other industry—well, look at the horsemeat in the food chain story that's happening now. They're now talking about evaluating [products labeled as] beef and making sure they know what's in there. They should do that for software. We build all these applications and frameworks, and very few people understand them. We buy all these products without pragmatic information about how secure they are.

Etsy's probably best-in-class, but the information we have is very fuzzy. We have information from a blog. It's non-verifiable, not independently auditable. We're relying on them to do the right thing and they seem to be, but we don't know. And they're one of the best.

If that were food you were buying, you wouldn't accept that. •


Survey Raises Specter of Massive Enterprise Software Insecurity

You’re studiously virus checking your desktop systems,

and all your server applications are running on platforms

that are regularly updated. But what about the applica-

tions themselves -- are they secure?

Sonatype recently released results of the annual Open

Source Software Development Survey, which looks at the

extent to which developers use open source components,

with a particular focus on how they balance the compet-

ing needs of speed and security. Sonatype surveyed 3,500

people from more than 50 countries -- more than 85 per-

cent of them developers -- to understand their approaches

to assembling software. The results show the massive ex-

tent to which developers now rely on components: At least

80 percent of a typical Java application is now assembled

from open source components and frameworks.

This has been the case for many years, but the full matu-

ration of the concept of component assembly rather than

writing code from scratch is well illustrated -- albeit with a

focus mainly on Java components. The popularity of tools

like Node Package Manager (npm), CPAN, and more re-

cently PHP Composer suggests Sonatype’s findings prob-

ably reflect a general trend independent of the language

used. Ask any employable developer and they will tell you:

Components are the way things get built.

However, this raises new issues. Sonatype has deter-

mined that developers are not keeping up to date with

security issues. The survey reports that 71 percent of the

applications being built using components from its service

use at least one component version with known security

issues and for which updated versions exist with those is-

sues addressed. In 2012, 46 million insecure versions of

components were downloaded. Security used to be a mat-

ter of keeping your off-the-shelf or LAMP-stack software up

to date and fully patched, but that’s not a safe assumption

any more.

I asked Sonatype CEO Wayne Jackson if there was any

evidence of an increase in the number of critical security

issues at CERT -- known as CVEs -- that arise from com-

ponent exploits rather than exploits on finished software.

By InfoWorld Tech Watch

Market Research

Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components

Page 12: Application Security

12 of 16

Application Security eGuide

Improve Application Security Practices

Third-party Apps Ripe Targets for Cybercriminals

Etsy, Ecommerce and Application Security

Is Application Security the Hole in Your Defense?

Massive Enterprise Software Insecurity

Radically Better Security

Resources

He investigated and found that there were. While in 2006

there were just eight CVEs that identified a component as

the source of the risk, by 2012 that number had risen to

50. Today, if you want to keep your company secure it’s not

enough to just keep your platforms up to date. You also

need a policy that keeps your applications secure.

It’s also possible this problem is more pronounced with Maven than with other component repositories, since the Maven convention is to pin an exact version number in the POM rather than to declare a version range (Maven does support range syntax, but it is rarely used). Certainly JavaScript programmers using npm and PHP programmers using PHP Composer are able to specify that use of subsequent minor versions that don’t break API compatibility is acceptable, and update their software with a simple command, though a range only helps when someone actually runs that update; until then, the version that ships is the one already resolved. But this isn’t just an open source issue or even just a Java issue; it’s probable that proprietary components purchased from closed-source suppliers are affected just as much.

Naturally Sonatype has a product to help with the problem, but the root cause is that most of us simply haven’t realized how far developer choice of components has come to dominate our systems. A black hat hacker can use an exploit on a component as a gateway to systems, and applications in the enterprise that use that component may never get updated to close the exposure and kill the exploit. The survey found that only 38 percent of the organizations surveyed have the controls needed to maintain inventories of the components in use by their applications and ensure security updates happen.
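The two findings above, the pinned version versus the declared range and the missing component inventory, come down to a single check: list what each application declares and compare it with an advisory feed. The Python script below is an added example written for this guide; it is not Sonatype’s product or any code from the article. The POM, the package.json and the advisory table it reads are constructed, and the caret/tilde handling is a simplified version of npm’s range rules (the special cases for 0.x versions are not modeled). It flags a pinned Maven version below the fix, a tilde range that can never reach the fix, and a caret range that may or may not resolve safely depending on what is locked:

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests. Maven pins one version per dependency;
# npm's package.json may carry a caret or tilde range.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>parser</artifactId>
      <version>1.2.3</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>util</artifactId>
      <version>3.0.0</version>
    </dependency>
  </dependencies>
</project>"""

PACKAGE_JSON = """{
  "dependencies": {"example-parser": "^1.2.0", "example-util": "~2.0.1", "example-clean": "^4.1.0"}
}"""

# Hypothetical advisory feed: component -> first version that carries the fix.
# Every version below it is treated as affected.
ADVISORIES = {
    "org.example:parser": "1.2.5",
    "org.example:util": "2.9.0",
    "example-parser": "1.2.5",
    "example-util": "2.1.0",
}


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); short versions are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def range_bounds(spec):
    """Translate a declared version into [low, high) on (major, minor, patch).
    Simplified npm semantics: '^' allows later minor/patch releases within the major,
    '~' allows later patch releases within the minor, anything else is an exact pin.
    The special-case rules for 0.x versions are deliberately not modeled."""
    spec = spec.strip()
    if spec.startswith("^"):
        low = parse_version(spec[1:])
        return low, (low[0] + 1, 0, 0)
    if spec.startswith("~"):
        low = parse_version(spec[1:])
        return low, (low[0], low[1] + 1, 0)
    low = parse_version(spec)
    return low, (low[0], low[1], low[2] + 1)


def _local(tag):
    """Strip the XML namespace a real POM declares."""
    return tag.rsplit("}", 1)[-1]


def maven_inventory(pom_text):
    """{'group:artifact': version} for every <dependency> in the POM."""
    inventory = {}
    for elem in ET.fromstring(pom_text).iter():
        if _local(elem.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        inventory[fields["groupId"] + ":" + fields["artifactId"]] = fields["version"]
    return inventory


def npm_inventory(package_json_text):
    """{name: declared range} from dependencies and devDependencies."""
    data = json.loads(package_json_text)
    inventory = {}
    for section in ("dependencies", "devDependencies"):
        inventory.update(data.get(section, {}))
    return inventory


def audit(inventory, advisories):
    """Compare each declared version or range against the advisory feed.
    Returns [(component, declared, fixed_in, verdict)] for components that have an advisory."""
    findings = []
    for name, declared in inventory.items():
        if name not in advisories:
            continue
        fixed = parse_version(advisories[name])
        low, high = range_bounds(declared)
        if low >= fixed:
            verdict = "ok: every permitted version carries the fix"
        elif high <= fixed:
            verdict = "vulnerable: no permitted version carries the fix"
        else:
            verdict = "may resolve to an affected version; check the lockfile"
        findings.append((name, declared, advisories[name], verdict))
    return findings


if __name__ == "__main__":
    rows = audit(maven_inventory(POM_XML), ADVISORIES) + audit(npm_inventory(PACKAGE_JSON), ADVISORIES)
    for row in rows:
        print(*row, sep="  ")
```

The inventory functions work unchanged on a real POM and package.json; the advisory table is the part to replace with a real feed. The third verdict is the one the range argument above glosses over: a range only helps when someone actually reruns the update, and the version already resolved is the one that ships.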

Cyber security is on the national political agenda, but do we really understand what it takes to be secure? Now that enterprise development has become component based, rather than using custom code running on off-the-shelf platforms, it’s time for enterprise development to wake up and smell the black hats. They’re targeting your components, not just your servers. •

[Figure: Component-originated CVEs per year, 2002-2012]


Two Steps to Radically Better Security

Here’s a shocking fact I’ve learned from 25-plus years of security consulting: Most security projects fail to improve the safety of the organizations launching them. Security will be compromised as frequently after the project as before. To put it bluntly, most computer security projects are a waste of time and money.

One reason for this dysfunction is that organizations launch way too many projects with woefully unrealistic expectations about their impact and the level of effort required to do them right. The fact is, if companies did a better job at just two defenses, they would be far better protected than if they were to complete the dozen-odd projects they’re attempting to pull off.

In many cases, the two defenses I recommend are inexpensive or even free. They don’t require multi-million-dollar projects dragged out for more than a year. They don’t demand cutting-edge solutions. They simply require that organizations do a better job at two things they’ve been told to do for decades. And guess what? They work.

Stop users from executing malicious programs

Most computers are compromised because users launch malicious programs. It’s that simple. That’s why application control is the single best thing you can do to improve computer security in your company.

The classic example is the fake virus alert, which prompts the user to install antivirus software that’s actually malware. But of course this ploy extends to other “apps” purporting some benefit, from games to Windows utilities that are actually malware or spyware. The classic email attachment ruse still finds suckers who blithely double-click on malware pretending to be everything from an invoice to a video of the Zumba lady.

Serious, mandatory training for end-users helps a lot, but you can never prevent all users from launching this stuff all the time. The most secure way to stop users from executing malicious programs is to deploy an application control or whitelisting program. I’ve talked a lot about the benefits of application control programs and even did a comparative review a few years ago. I’ve worked with most of them, and they’ve all improved over time.

Yet in many cases senior management will not back strict application control. I understand that. I know the challenges -- especially with the abundance of new downloadable apps, particularly mobile ones, which carry real user productivity benefits. But understand that not implementing strict application control means you will not be able to reduce malicious risk in your environment beyond a certain point.

By Roger A. Grimes • InfoWorld

Expert Advice

Stop wasting your money and do computer security right with two common-sense practices

A less stringent approach is to enable users to download and install programs only from trusted application stores that vet the applications they distribute. Programs from trusted stores are sometimes found to be vulnerable to hacking or to have privacy issues. By and large, those are the exceptions; when caught, they are immediately removed and eradicated. Plus, most apps downloaded from application stores are automatically updated when security issues are discovered and patched. That’s great for everyone.

A corollary to controlling what can be installed is restricting who can install it. To prevent the easy installation of programs that have not been reviewed or approved, don’t let anyone run with elevated privileges or permissions most of the time. You can do this using manual processes, privileged identity management (PIM) products, Microsoft’s User Account Control (UAC), Unix/Linux’s sudoers functionality, or any other method or product that accomplishes the same goal.

The dirty little secret is that removing elevated privileges still won’t seal off your defenses. Lots of malicious programs can run or be installed without elevated security privileges. Malicious programs can accomplish nearly every wanted outcome without the user logged in as Administrator or root: anything that runs as the user can read and send whatever the user can. They can steal passwords and identities, as well as redirect browsers to places the user didn’t intend to go. Nonetheless, you can reduce risk somewhat if users work from less-privileged accounts while reading email or surfing the Web.

Lastly, don’t neglect end-user education. After application control, it’s the best way to prevent unwanted programs from being installed -- when it’s done right. Most end-user education misses obvious points and refers to outdated threats. Get the backing of management, conduct mandatory sessions on a regular basis, and ensure your instruction is current and specific to your organization. When users know what their own antimalware software looks like, they’re much less likely to fall for the fake stuff.
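What an application control product does at its core, reduced to a policy evaluator. This is an added example for this guide, not code from any of the products the author reviewed; the file tree, directory names and the “fake antivirus” bytes are constructed in a temporary directory, and real products add publisher (signature) rules and enforce at process creation, which this script does not. It shows why a hash rule is the strong one (it follows the trusted binary into the Downloads folder and refuses the lure sitting next to it) and why a path rule is only as good as the directory’s permissions (a user-writable update cache inside the trusted program directory is refused even though it sits under a trusted path):

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for executables; the bytes only need to be distinct.
TRUSTED_TOOL = b"MZ\x90\x00 trusted admin tool, build 1"
FAKE_AV = b"MZ\x90\x00 'Your PC is infected!' installer"
VENDOR_HELPER = b"MZ\x90\x00 helper shipped with the product"


def sha256_file(path):
    """Hash in chunks so a large binary never has to sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


class AllowlistPolicy:
    """Default-deny execution policy with two rule kinds.
    Hash rules follow the file wherever it is copied; path rules trust a directory
    and are only safe when ordinary users cannot write into it."""

    def __init__(self, allowed_hashes, trusted_dirs, user_writable_dirs):
        self.allowed_hashes = set(allowed_hashes)
        self.trusted_dirs = [os.path.normpath(d) for d in trusted_dirs]
        self.user_writable_dirs = [os.path.normpath(d) for d in user_writable_dirs]

    @staticmethod
    def _under(path, dirs):
        path = os.path.normpath(path)
        return any(os.path.commonpath([path, d]) == d for d in dirs)

    def decide(self, path):
        """Return (allowed, reason) for a request to execute `path`."""
        if sha256_file(path) in self.allowed_hashes:
            return True, "hash rule"
        if self._under(path, self.trusted_dirs):
            if self._under(path, self.user_writable_dirs):
                return False, "path rule refused: directory is user-writable"
            return True, "path rule"
        return False, "default deny"


def demo():
    """Lay out a small file tree in a temp dir and evaluate the policy.
    Returns {relative path: (allowed, reason)}."""
    root = tempfile.mkdtemp()
    files = {
        "programs/tool.exe": TRUSTED_TOOL,            # installed by IT
        "programs/helper.exe": VENDOR_HELPER,         # no hash rule, covered by the path rule
        "programs/updates/patch.exe": FAKE_AV,        # writable update cache inside a trusted dir
        "downloads/tool.exe": TRUSTED_TOOL,           # same trusted binary, untrusted location
        "downloads/antivirus_setup.exe": FAKE_AV,     # the fake virus alert lure
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    policy = AllowlistPolicy(
        allowed_hashes=[hashlib.sha256(TRUSTED_TOOL).hexdigest()],
        trusted_dirs=[os.path.join(root, "programs")],
        user_writable_dirs=[os.path.join(root, "downloads"),
                            os.path.join(root, "programs", "updates")],
    )
    return {rel: policy.decide(os.path.join(root, *rel.split("/"))) for rel in files}


if __name__ == "__main__":
    for rel, (allowed, reason) in demo().items():
        print("ALLOW" if allowed else "DENY ", rel, "-", reason)
```

The ordering in `decide` is the design point: a hash match wins regardless of location, a path match is honoured only where users cannot write, and everything else is denied. Marking the update cache as user-writable is what turns the common real-world hole (a trusted install directory with a writable subfolder) into a refusal rather than an allow.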

Patch everything faster

The other best defense is to patch all software in a timely way. This has been a mantra for more than two decades now, which is why it’s so surprising that so few companies patch as quickly as they should. Yes, they’re doing better at patching operating systems, but they do a horrible job at patching the most popular Internet add-on products, like Oracle Java or Adobe Acrobat, both of which have ranked among the most exploited products for years.



Websense recently collected data that showed 74 percent of active computers were still susceptible to Java exploits from 2012. No less than 94 percent were susceptible to the most recently patched Java vulnerability. My personal experience completely backs up these points. I rarely find a patched Java installation. I find unpatched Java on workstations and servers that have no need for Java. This same unpatched Java allows your company to be silently infected over and over.
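A minimal compliance check for the Java point above, added here as an example for this guide rather than anything from the article or from Websense. Given each host’s `java -version` line (constructed sample output below, together with a hypothetical list of hosts that have a business need for Java and a hypothetical per-release update baseline), it separates the cases that call for different actions: hosts with no need for Java (uninstall), unsupported releases, outdated updates, and hosts at baseline. The parser handles both the legacy “1.7.0_45” string of the article’s era and the “11.0.2” scheme used from Java 9 on, which goes beyond what the article discusses:

```python
import re

# Constructed inventory: (host, first line of `java -version`, or the shell's reply when absent).
SAMPLE_RESULTS = [
    ("ws-101", 'java version "1.7.0_25"'),
    ("ws-102", 'java version "1.7.0_45"'),
    ("srv-db1", 'java version "1.6.0_37"'),
    ("ws-103", 'openjdk version "11.0.2" 2019-01-15'),
    ("srv-web2", "bash: java: command not found"),
]

# Hypothetical policy: hosts with a business need for Java, and the minimum update
# level accepted for each feature release still in support.
NEEDS_JAVA = {"ws-101", "ws-102", "srv-db1"}
BASELINE = {7: 45, 11: 2}


def parse_java_version(line):
    """Return (feature_release, update) or None when no Java is present.
    The legacy string "1.7.0_45" means Java 7 update 45; the 9+ scheme "11.0.2"
    is FEATURE.INTERIM.UPDATE, so the update is the third number."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?', line)
    if not m:
        return None
    first, second, third, legacy_update = m.groups()
    if first == "1":
        return int(second), int(legacy_update or 0)
    return int(first), int(third or 0)


def classify(host, line, needs_java=NEEDS_JAVA, baseline=BASELINE):
    """One verdict per host, in the order a patch team would act on them."""
    parsed = parse_java_version(line)
    if parsed is None:
        return "no java"
    feature, update = parsed
    if host not in needs_java:
        return "not required on this host: uninstall"
    if feature not in baseline:
        return f"unsupported release {feature}: upgrade"
    if update < baseline[feature]:
        return f"outdated {feature}u{update}, baseline {feature}u{baseline[feature]}"
    return "ok"


def audit(results, needs_java=NEEDS_JAVA, baseline=BASELINE):
    """{host: verdict} for a batch of collected version lines."""
    return {host: classify(host, line, needs_java, baseline) for host, line in results}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_RESULTS).items():
        print(f"{host:10} {verdict}")
```

Collecting the lines is left to your inventory tooling. One caveat: JREs bundled inside vendor software never show up in the PATH’s `java -version`, so the host list has to come from a file-system inventory as well, not from this one command.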

Your company cannot plausibly claim it cares about the security of its data if it fails to patch the most exploited program of the day. I understand the frustrations and challenges of better patching. I understand that we computer security people would patch things better and faster if it were left up to us. But simply not doing this one thing better means you’ll never be free of easy computer compromise. The hackers will always enter your company’s boundaries and steal data and passwords at will. You cannot stop them.

Of course it takes more than two computer defenses to make a complete defense. You still face password-cracking hackers, SQL injections, XSS browser attacks, misconfiguration exploits, zero-day vulnerabilities, and so on. But all of those attack types, in aggregate, don’t hold a candle to the main two problems. Solve them and you’ll be a hero. •


Application Security Resources

Tips and tools

2012 Cost of Cyber Crime Study: United States
The focus of this study is to quantify the economic impact of cyber attacks and observe cost trends over time. The loss or misuse of information is the most significant consequence of a cyber attack, and it comes at significant financial cost.

Know the Big Three
The rapid transformation of mobile computing has seen security concerns outpaced by the ease of use, flexibility, and productivity of mobile devices. Here we take a look at three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.

Rethinking Your Enterprise Security: Critical Priorities to Consider
Forward-thinking enterprises realize they need to focus on a sustainable approach to security and risk management, one that is designed to address the new wave of vulnerabilities that prevail due to increasing trends in IT consumerization, mobility, social media, cloud computing, and cyber crime.

Big Security for Big Data
The multitude of devices, users, and generated traffic combine to create a proliferation of data that is being created with incredible volume, velocity, and variety. As a result, organizations need a way to protect, utilize, and gain real-time insight from “big data.” So, how do you get started?

2012 HP Cyber Risk Report
In the HP 2012 Cyber Risk Report, HP Enterprise Security provides a broad view of the vulnerability landscape, ranging from industry-wide data down to a focused look at different technologies, including web and mobile.