By Nikhil Taneja, Managing Director-India, SAARC & Middle East
Organizations across the globe are constantly searching for more efficient ways to connect with customers, business partners, suppliers and staff. The ability to adapt quickly to changing market conditions with new and updated web applications is critical to success. Business moves fast. In a matter of milliseconds, transactions are made, trades are processed, and deals are done. If an organization's IT security is not up to the task of protecting the applications that enable today's e-commerce stream, debilitating data breaches can happen in the blink of an eye.

But technology advancements outpace infrastructure upgrades. Organizations are in constant motion trying to keep up. They want their customers to be able to take advantage of every opportunity available to interact meaningfully with their branded products and services. Agility equals success.

To understand what strategies and solutions organizations employ to secure web applications, a survey was conducted seeking the opinions of senior executives and IT professionals responsible for network security at companies with a global reach.

Key findings:
• Many organizations implemented multiple solutions to protect their applications, hoping that any vulnerabilities in their networks would be covered
• 70% of chief information security officers (CISOs) did not have the final say over security choices
• To cover all vulnerabilities, many organizations take on application security by deploying multiple solutions in a far-from-optimized manner
• The wide range of application development tools and methodologies for running microservices has led to inconsistent implementations, deployments and business processes within organizations, and loose adherence to best practices
• Applications change frequently and are too loosely managed to be secured appropriately

One Goal, Many Approaches to Security

Keeping applications safe and secure seems to be the one major goal for organisations today.
As organizations pursue digital transformation goals, a common strategy is to purchase many solutions to protect applications without a clear overarching plan. By covering the network in broad strokes with multiple solutions, the hope is that any vulnerabilities get sealed. The effectiveness of this approach is questionable:
• 90% reported that they had a data security breach in the past 12 months
• Only 56% of respondents were highly confident, and 40% only moderately confident, that they could keep personally identifiable information (PII), such as credit card data, medical records, transaction information and usernames/passwords, safe from breaches

Top three considerations to protect applications:
• 56%: Quality of protection
• 36%: Low operational cost
• 35%: Ability to fit into the environment
Security Challenges for Microservice Architecture

While data protection, the top security challenge (40%) related to microservice architecture, was still the number one priority for organisations, there has been a slight shift in concerns about the other top security issues since last year.

Applying security processes:

Organizations are performing a balancing act, pushing forward as quickly as possible with digital transformation strategies while at the same time seeking ways to optimize application security.
No single best practice has emerged to guide enterprises in this effort. The process is still a journey of discovery:
• 88% use encryption to interact with third parties
• 85% require authentication for third-party APIs
• 70% monitor east-west traffic in the service mesh
• 61% can maintain more than 99% availability
Due to the evolution of digital transformation, organizations are adjusting roles and responsibilities to try to cope with both the agility and security requirements that accompany these new environments. They are investing in talent to manage application security.
• More than 90% reported that their organizations have DevOps and/or development, security and operations (DevSecOps) teams
• 57% said that the ratio of DevOps personnel to development personnel in their organisation was between 1:6 and 1:10
The threat still looms large:

Even though organisations express confidence in their capabilities to protect applications, whether on-premise or in hosted environments, attacks are still successful. Hackers seemed to love the challenge that new technologies introduced. They employed many tools to scan and map applications to identify vulnerabilities.
Percentage of attacks experienced daily:
• Access violations: 21%
• Session/cookie poisoning: 21%
• SQL or other injections: 21%
• Denial of service: 20%
• Protocol attacks: 20%
• Cross-site scripting (XSS): 20%
• Cross-site request forgery (XSRF/CSRF): 18%
• API manipulations: 17%
Whose responsibility is it anyway…

The survey found that 72% of executives discussed cybersecurity at every boardroom meeting. The severity of the threat landscape, the mounting cost of attacks and the potential long-term negative impact on business operations weighed heavily on high-ranking management. Having said that, one contributing factor was that the final responsibility for application security does not necessarily reside with the CISO. The top three influencers on software security policy are IT leadership (CIO, VP, director) and business owners, ranking much higher than CISOs. Though CISOs are under intense pressure from the C-suite to safeguard the customer experience, they have little financial decision-making authority over the security technologies that are deployed. So while they are increasingly accountable for results, there is no corresponding uptick in their authority over how applications are secured.

Conclusion:

The state of web application security is somewhat scattered, as organizations deployed multiple solutions without a clear strategy to determine who was ultimately responsible for driving decision-making. In many cases, CISOs don't have the final say about security choices. Each business unit or function pursues its own strategies and implements different solutions without a holistic approach to securing applications across the enterprise. Surprisingly, organizations do not recognize that this scattered approach still leaves them vulnerable to attack. Respondents remained highly confident in their ability to recognize bad bot traffic and detect threats in their networks.
As more applications get transitioned to microservice architectures, new security challenges will emerge. Now is the time for organizations to more fully understand what changes need to be made across all business functions to shore up security strategy, planning, implementation and process controls.