Brian Pennington

A blog about Cyber Security & Compliance

Tag

Application security

Cloud usage is extending the perimeter of most organisations

CloudLock have produced an interesting report on how the use of the cloud and apps has extended the perimeter of most organisations.

CloudLock Executive Summary

The adoption of public cloud applications continues to accelerate for both organizations and individuals at an exponential rate, evidenced across the massive growth in the volume of accounts, files, collaboration, and connected third-party cloud applications.

The rapid surge of accounts, files, and applications presents increased risk in the form of an extended data perimeter. The adoption of cloud applications has significantly increased the threat surface for cyber attacks. Faced with this massive growth and the elevated risk, security professionals are looking to enable their organizations to embrace and leverage the benefits of cloud technologies while remaining secure and compliant.

“Sensitive data is moving to the cloud, beyond the protection of your perimeter controls. As this occurs, the amount of data, and, most importantly, the amount of sensitive or ‘toxic’ data the enterprise stores in these Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) platforms is increasing by the day – and regardless of its location, S&R pros still need to protect it effectively.” Forrester Research (2015, March) Market Overview: Cloud Data Protection Solutions

CloudLock key findings

  • 100,000 files per organization that represent risk. Number of files per organization stored in public cloud applications that violate corporate data security policy, amplifying the danger of exposing sensitive information.
  • 4,000 files per organization contain passwords. Number of files per organization stored in public cloud applications containing credentials to corporate systems, inviting cybercriminals to hijack corporate SaaS environments.
  • 1 in 4 employees violating security policies. Number of employees that violate corporate data security policy in public cloud applications, opening organizations to risk of data breach and compliance concerns.
  • 45,000 third-party app installs conducted by privileged users. Third-party cloud applications with access to privileged users’ accounts significantly elevate organizational risk.

Other findings

  • 12% of an organization’s files are sensitive or violate a policy
  • 65% of security teams care about what type of sensitive data is exposed
  • 35% care about how/where it is exposed
  • 70% of corporate cloud-based external collaboration occurs with non-corporate entities
  • 77,000 third-party cloud apps touch corporate systems
  • 4x increase in the number of third-party applications enabled per organization, from 130 to 475. The total number of unique third-party cloud apps ballooned to 77,000, amounting to 2.5 million installs
  • 2% growth in third-party SaaS application installations performed by privileged users (administrators and super admins)

Information that organizations worry about most includes:

  • 59% Intellectual Property and Confidential Information
  • 19% PCI DSS data
  • 13% PII data e.g. social security numbers
  • 5% Objectionable content for CIPA compliance, e.g. curse words, harassment
  • 4% PHI/healthcare-related data such as medical conditions, prescription drug terminology, patient identification numbers or compliance

CloudLock Methodology

CloudLock bases its findings on anonymized usage data from 2014 and 2015:

  • 77,500+ apps
  • 750 million files
  • 6 million users

The full report can be found here.

2012 Application Security Gap Study: A Survey of IT Security & Developers

In this Security Innovation-sponsored Ponemon study, 567 IT security practitioners were asked about the following topics:

  • Application security processes considered most effective
  • Adoption and use of technologies that are affecting the state of application security
  • Gaps between people, process and technology and the effect they have on the enterprise
  • Different perceptions security and development practitioners have about application maturity, readiness and accountability
  • Threats to the application layer, including emerging platforms
  • Application-layer links to data breaches

Key findings from the research include:

  • 12% of security personnel responded that all of their organization’s applications meet regulations for privacy, data protection and information security. And 15% of developers feel the same way
  • 44% of the developers surveyed stated there is absolutely no collaboration between their development organization and the security organization when it comes to application security
  • 71% of developers feel security is not adequately addressed during the software development life cycle. And 51% of the security respondents feel the same way
  • 51% of developers and the same percentage of security personnel say their organizations do not have a training program on application security
  • 60% of security respondents and 65% of developers stated that they do not test mobile applications in the production, development or Q/A processes

Based on the research findings, Ponemon organised the key findings according to the following five themes:

  1. Application security is often not a priority
  2. There is uncertainty about how to fix vulnerable code in critical applications
  3. A lack of knowledge about application security is resulting in a high rate of data breaches
  4. Developers and security practitioners have different perceptions about accountability and collaboration to improve application security
  5. Mobile technology and social media platforms are putting organizations at risk

1. Application security is not a priority

The one area both security and developers agree upon is the lack of resources for application security.

  • 63% state that application security consumes 20% or less of their overall IT security budget
  • 64% of security practitioners state they either have no process, such as systems development life cycle (SDLC) at all, or an inefficient ad-hoc process for building security into their applications
  • 79% of developers say they either have no process or an inefficient, ad-hoc process for building security into their applications
  • 71% of developers believe security is not adequately addressed during the software development life cycle; 51% of the security respondents agree. In many cases, security is built in during the post-launch phase of the software development cycle and bugs are fixed during the launch phase.
  • Typically organizations are waiting for the launch phase or post-launch phase to address security issues in application development, with 57% of security practitioners and 76% of developers saying this is the case in their organizations
  • 36% of security practitioners and 16% of developers say it is addressed early in the application development life-cycle
  • 57% of security practitioners and 76% of developers believe the launch phase and the post-launch phase is when patching and fixing bugs becomes the most costly and time consuming

2. There is uncertainty about how to fix vulnerable code in critical applications

  • 47% of developers and 29% of security practitioners say their organization has no mandate to remediate vulnerable code
  • 9% of developers say it is driven through the security organization, where the development organization remediates according to best practices. However, more of the security practitioners believe this to be the case.
  • 51% of both developers and security practitioners say their organizations do not have training in application security
  • 22% of security practitioners say their organization has a fully deployed program, compared to 11% of developers
  • When asked what the development team uses to ensure they are successful in remediating potentially vulnerable code or fixing bugs, 46% of security respondents and 51% of developers say they predominantly use homegrown solutions to remediate vulnerable code. Less than half of both security and developers cite the successful use of other methods

3. A lack of knowledge about application security is resulting in a high rate of data breaches

  • Compromised or hacked applications have caused at least one data breach in 68% of the developers’ organizations and 47% of the security practitioners’ organizations over the past 24 months
  • 19% of security practitioners and 16% of developers are not sure if they had a data breach as a result of an application being compromised or hacked

A lack of compliance with regulations could also contribute to the high occurrence of data breaches:

  • 12% of security personnel say that all their organization’s applications meet regulations for privacy, data protection and information security and only 15% of developers believe their organizations are in compliance

4. Developers and security practitioners have different perceptions about accountability and collaboration to improve application security

A lack of collaboration between developers and security practitioners to improve application security practices is putting data at risk:

  • 44% of developers say there is absolutely no collaboration between their function and the security function regarding application security
  • 12% of security practitioners say there is significant collaboration and 69% say at least some collaboration exists with the developers.
  • 28% believe the CISO should be primarily responsible for ensuring security in the application development life cycle in their organization
  • 42% of development respondents from the sample stated that no one person within their organization has primary responsibility for ensuring security in the application development life cycle

5. Mobile technology and Web 2.0 attacks put organizations at risk

  • 39% of developers and 30% of security practitioners believe mobile technology is the most serious threat to application security in the next 12 to 24 months. The next most significant threat is attacker infiltration through Web 2.0 applications.
  • 51% of developers and 40% of security respondents say insecure mobile applications will disrupt business operations at their organizations
  • 42% of developers and 33% of security practitioners worry about insecure applications

The study has produced several startling facts, especially after so many data breaches in 2011, and at a time when the consistent message under PCI DSS requirement 6, as well as the data protection laws, has been making developers and companies look at the issue.
