Organizations across the globe are constantly searching for more efficient ways to connect with customers, business partners, suppliers and staff. The ability to adapt quickly to changing market conditions with new and updated web applications is critical to success.
Business moves fast. In a matter of milliseconds, transactions are made, trades are processed, and deals are done. If an organization’s IT security is not up to the task of protecting the applications that enable today’s e-commerce stream, debilitating data breaches can happen in the blink of an eye. But technology advancements outpace infrastructure upgrades. Organizations are in constant motion trying to keep up. They want their customers to be able to take advantage of every opportunity available to interact meaningfully with their branded products and services. Agility equals success.
To understand what strategies and solutions organizations employ to secure web applications, research was conducted seeking the opinions of senior executives and IT professionals responsible for network security at companies with a global reach.
Key findings:
- Many organizations implemented multiple solutions to protect their applications, hoping that any vulnerabilities in their networks would be covered.
- 70% of chief information security officers (CISOs) did not have the final say over security choices.
- To cover all vulnerabilities, many organizations take on application security by deploying multiple solutions in a far-from-optimized manner.
- A wide range of application development tools and methodologies for running microservices has led to inconsistent implementations, deployments and business processes within organizations, and loose adherence to best practices.
- Applications change frequently and are too loosely managed to be secured appropriately.
One Goal, Many Approaches to Security
Keeping applications safe and secure seems to be the one major goal for organizations today. As organizations pursue digital transformation goals, a common strategy is to purchase many solutions to protect applications without a clear overarching plan. By covering the network in broad strokes with multiple solutions, the hope is that any vulnerabilities get sealed.
The effectiveness of this approach is questionable: 90% reported that they had a data security breach in the past 12 months.
Only 56% of respondents were highly confident, and 40% were only moderately confident, that they could keep personally identifiable information (PII), such as credit card data, medical records, transaction information and usernames/passwords, safe from breaches.
Top three considerations when protecting applications:
- 56%: Quality of protection
- 36%: Low operational cost
- 35%: Ability to fit into the environment
Security Challenges for Microservice Architecture
While data protection (40%) remained the top security challenge related to microservice architectures and the number one priority for organizations, the other top concerns have shifted slightly since last year:
| 2018 | 2019 |
| --- | --- |
| Data protection | Data protection |
| Availability assurance | Visibility |
| Policy enforcement | Authentication |
Applying security processes:
Organizations are performing a balancing act pushing forward as quickly as possible with digital transformation strategies while at the same time seeking ways to optimize application security.
No single best practice has emerged to guide enterprises in this effort. The process is still a journey of discovery:
- 88% use encryption to interact with third parties
- 85% require authentication for third-party APIs
- 70% monitor east-west traffic in the service mesh
- 61% can maintain more than 99% availability
Due to the evolution of digital transformation, organizations are adjusting roles and responsibilities to try and cope with both the agility and security requirements that accompany these new environments. They are investing in talent to manage application security.
- More than 90% reported that their organizations have DevOps and/or development, security and operations (DevSecOps) teams.
- 57% said that the ratio of DevOps personnel to development personnel in their organization was between 1:6 and 1:10.
The threat still looms large:
Even though organizations express confidence in their capabilities to protect applications either on-premise or in hosted environments, attacks are still successful. Hackers seemed to love the challenge that new technologies introduced. They employed many tools to scan and map applications to identify vulnerabilities.
Percentage of respondents experiencing each type of attack daily:
Access violations: 21%
Session/cookie poisoning: 21%
SQL or other injections: 21%
Denial of service: 20%
Protocol attacks: 20%
Cross-site scripting (XSS): 20%
Cross-site request forgery (XSRF/CSRF): 18%
API manipulations: 17%
Whose responsibility is it anyway…
It was found through a survey that 72% of executives discussed cybersecurity at every boardroom meeting. The severity of the threat landscape, the mounting cost of attacks and the potential long-term negative impact on business operations weighed heavily on high-ranking management.
Having said that, one contributing factor was that final responsibility for application security does not necessarily reside with the CISO. The top influencers on software security policy are IT leadership (CIO, VP, director) and business owners, who rank much higher than CISOs.
Though CISOs are under intense pressure from the C-suite to safeguard the customer experience, they have little financial decision-making authority over the security technologies that are deployed. So while they are increasingly accountable for results, there is no corresponding uptick in their authority over how applications are secured.
Conclusion:
The state of web application security is somewhat scattered, as organizations deployed multiple solutions without a clear strategy to determine who was ultimately responsible for driving decision-making. In many cases, CISOs don't have the final say about security choices. Each business unit or function pursues its own strategies and implements different solutions without a holistic approach to securing applications across the enterprise.
Surprisingly, organizations do not recognize that this scattered approach still leaves them vulnerable to attack. Confidence remained high in respondents' ability to recognize bad bot traffic and detect threats in their networks.
As more applications get transitioned to microservice architectures, new security challenges will emerge. Now is the time for organizations to more fully understand what changes need to be made across all business functions to shore up security strategy, planning, implementation and process controls.