Thursday, August 9, 2012

Solving the Problem of Software Security

For today’s businesses the use of software application is a must, and so is improving your software security. There are a number of methods to be considered for application security enhancement, but it is the right mix of approaches that may become your key to business processes reliability and competitiveness. 

A recent Quocirca report underlines the scale of the application security challenge faced by businesses. The average enterprise tracks around 500 mission critical applications, in financial services organisations it is closer to 800 (figure 1).
The security challenge arises because more and more of these applications are web-enabled. Furthermore, businesses are increasingly relying on software provided as a service (SaaS) and apps that run on mobile devices, both of which are, by definition, exposed to the internet (figure 2).

Businesses worry about application security for three reasons. First, security failures leave them vulnerable to hackers and malware, secondly auditors expect application security to be demonstrable and third, customers, with who they share business processes via applications, are also increasingly likely to seek security guarantees. Fixing security flaws up-front wherever possible also makes sense because of the cost involved at doing so after software if deployed. There are both products and services opportunity for resellers to help their customers achieve these goals.

There are a number of approaches that can be taken to improve application security. For in-house developed software, better practice can be ensured through training of developers, many businesses will need assistance to achieve this. For commercially acquired software, due diligence during procurement is necessary, seeking assurances from independent software vendors (ISV); resellers that sell application software could do this for their customers as part of their value add. However, these measures can never ensure that software is 100% secure. For this reason there are three other approaches that should be considered:

1. Application scanning: scanning software eliminates flaws in the first place. There are two approaches, the static scanning of code or binaries before deployment and the dynamic scanning of binaries during testing or after deployment. Static scanning is pervasive, looking at every line of code. Scans can be conducted as regularly as is deemed necessary. Whilst on-premise scanning tools have been relied on in the past, the use of on-demand scanning services has become increasingly popular as the providers of such services have visibility in to the tens of thousands of applications scanned on behalf of thousands of customers. Such services are often charged for on a per-application basis, so unlimited scans can be carried out, even daily.

By Bob Tarzey, Quocirca \\ August 2012
Read more:


No comments: