Getting Application Security Back on the Rails

4 years ago Lamar Bailey

In its Interagency Report 7695, the National Institute of Standards and Technology (NIST) defined an application as “a system for collecting, saving, processing, and presenting data by means of a computer.” This broad term covers enterprise applications, consumer applications, and even phone apps. Security is important in all these types of applications, but the focus is not always the same. Let’s explore how below.

How Security Differs Across These App Types

Enterprise applications are applications used by businesses and corporations, and they are often required to meet compliance standards like PCI DSS and HIPAA. As such, there can be legal and financial consequences if their software is knowingly left insecure. Take an organization’s Point-of-Sale (POS) systems as an example. Some organizations might link these systems to other enterprise applications that lack proper PCI protection. If they do, they could incur penalties such as monetary fines and damage to their reputation.

For another example of an enterprise application, consider an organization that’s responsible for protecting patients’ protected health information (PHI). It’s their obligation under HIPAA to store that information securely and to prevent unauthorized individuals from obtaining access to that data. Transmitting PHI via a public fax line or via unencrypted emails does not uphold their compliance obligations and thereby puts them at risk of incurring a HIPAA violation fine.

These security requirements change with consumer apps and phone apps. Programs in the former category do not generally get the same security scrutiny as enterprise applications, so they come with fewer compliance obligations. And phone apps have the lowest security of all.

Why Application Security Is Lacking

Not all organizations are too concerned with their applications’ security these days. Provided below are a few reasons why:

  • Time to market is king: Amid the ongoing IoT craze, every device imaginable is being pushed to have remote access over the internet. The apps that help to administer these devices are being created quickly, and oftentimes, security is not as important as time to market. This is not limited to IoT apps. It even happens with many shopping, business, and food delivery apps, too.
  • Lack of security experts: People with security expertise and background are in high demand these days. In a 2020 survey, Tripwire learned that 83% of security experts felt more overworked going into 2020 than they did a year earlier. (That was before the pandemic; imagine how they must have felt a year later!) About the same proportion (85%) of respondents said it had become more difficult over the past few years to hire skilled security professionals. This skills gap makes it harder for organizations to hire experts who can lead the charge in securing their applications.
  • Misunderstanding of roles: Many new applications rely on cloud services, and there is often a gap in the understanding of relevant security roles and responsibilities. It is often assumed that the cloud vendor is responsible for taking care of all the security needs. (That is not the case. Check the Shared Responsibility Model.) The same errant thinking holds true for phone apps where it is just assumed that the phone OS protects everything.

Application Security Best Practices

It doesn’t have to be this way. Organizations can harden the security of their applications by following some key best practices. Before the release of any application, for instance, there should be a detailed security assessment that includes checking for vulnerabilities in both the company’s own code and any third-party code and packages. Not every known vulnerability is a high priority, of course, so organizations need to consider conducting a risk prioritization of their security flaws. They can then create a patching schedule that addresses known vulnerabilities based upon their priority. No product, application, or app should ever be released with high-priority vulnerabilities that can be exploited, whereas low-priority vulnerabilities that do not leak data or cannot be used to exploit a device can at times be deferred to the next release.
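The assess, prioritize, and schedule flow described above, as an added example in Python that is not Tripwire’s or the author’s code. The findings are a constructed stand-in for a dependency and code scan report; the priority rules (exploitable plus high score or data leak blocks release), the remediation windows in SLA_DAYS, and the ADV-000x advisory ids are all assumptions made for the illustration, not real identifiers or any vendor’s policy.

```python
"""Release gate: prioritise vulnerability findings and build a patch schedule.

Added illustration, not Tripwire's or the author's code. The findings are a
constructed stand-in for a dependency/code scan report; the priority rules,
remediation windows and advisory ids are assumptions, not real identifiers.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    package: str             # component the finding belongs to
    advisory: str            # placeholder id, not a real advisory number
    cvss: float              # CVSS base score, 0.0-10.0
    exploit_available: bool  # public exploit or active exploitation known
    leaks_data: bool         # can expose data if triggered
    third_party: bool        # False = company code, True = dependency


# Assumed remediation windows in days; "high" means fix before release.
SLA_DAYS = {"high": 0, "medium": 30, "low": 90}


def priority(f: Finding) -> str:
    """Bucket a finding: exploitable flaws that score high or leak data block
    release; serious but unexploited ones get a dated fix; the rest defer."""
    if f.exploit_available and (f.cvss >= 7.0 or f.leaks_data):
        return "high"
    if f.cvss >= 7.0 or f.leaks_data:
        return "medium"
    return "low"


def plan(findings, today="2021-08-10"):
    """Return the release decision plus a due-dated schedule, most severe first.
    `today` is an ISO date string so the schedule is reproducible."""
    start = date.fromisoformat(today)
    schedule, blocking = [], []
    for f in sorted(findings, key=lambda x: (-x.cvss, x.package)):
        p = priority(f)
        due = start + timedelta(days=SLA_DAYS[p])
        schedule.append((f.package, f.advisory, p, due.isoformat()))
        if p == "high":
            blocking.append(f.package)
    return {"release_allowed": not blocking, "blocking": blocking, "schedule": schedule}


# Constructed sample report covering both first- and third-party code.
SAMPLE_FINDINGS = [
    Finding("xml-parser-lib", "ADV-0001", 9.8, True, True, True),    # blocks release
    Finding("order-service", "ADV-0002", 6.5, False, True, False),   # dated fix
    Finding("log-formatter", "ADV-0003", 3.1, False, False, True),   # defer
]


if __name__ == "__main__":
    result = plan(SAMPLE_FINDINGS)
    print("release allowed:", result["release_allowed"])
    for row in result["schedule"]:
        print("  %-15s %-9s %-6s due %s" % row)
```

Running the block prints the gate decision and the schedule; with the sample report the release is blocked by the exploitable parser flaw, the first-party data-leak finding gets a 30-day due date, and the low-scoring formatter issue is deferred 90 days. Wiring `plan()` into a CI job and failing the build when `release_allowed` is false turns the policy into an enforced check rather than a guideline.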

Vulnerabilities are not always the biggest concern for organizations, either. Secure configurations are much more of a widespread issue—especially when it comes to cloud environments. In a survey of attendees at Black Hat USA 2019, 84% of respondents told Tripwire that it was difficult for their organization to maintain secure configurations in the cloud. Nearly a fifth (17%) of those survey participants said it was “very difficult.” Those findings help to explain why three-quarters of security professionals in the study said it was easy to accidentally expose data through the cloud.
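One way to keep cloud configurations from drifting toward the accidental exposure the survey describes is to test every resource against a written baseline. The following is an added Python example, not Tripwire’s or any cloud provider’s code: the resource records are constructed, and the setting names (public_access, allowed_cidrs, encryption_at_rest, access_logging) and severities are assumptions for the illustration rather than fields of any real provider’s API. A setting that was never configured is reported rather than skipped, since an unset control is the usual way exposure creeps in.

```python
"""Secure-configuration check for cloud storage resources.

Added illustration, not Tripwire's or any cloud vendor's code. The resource
records are constructed; the setting names and severities are assumed for
the example and do not come from any provider's API.
"""
from ipaddress import ip_network


def _no_world_cidr(cidrs):
    """True when no allow-list entry opens the resource to the whole internet
    (0.0.0.0/0 or ::/0 both normalise to prefix length 0)."""
    return all(ip_network(c, strict=False).prefixlen > 0 for c in cidrs)


# Baseline: setting -> (compliance test, severity, message when violated).
BASELINE = {
    "public_access": (lambda v: v is False, "high", "publicly reachable"),
    "allowed_cidrs": (_no_world_cidr, "high", "network allow-list includes the whole internet"),
    "encryption_at_rest": (lambda v: v is True, "medium", "stored unencrypted"),
    "access_logging": (lambda v: v is True, "low", "access logging disabled"),
}


def audit(resources):
    """Compare each resource against BASELINE.

    Returns a list of (resource name, setting, severity, message). A setting
    missing from the record counts as non-compliant instead of being ignored."""
    findings = []
    for r in resources:
        for setting, (is_ok, severity, message) in BASELINE.items():
            if setting not in r:
                findings.append((r["name"], setting, severity, "setting not present"))
            elif not is_ok(r[setting]):
                findings.append((r["name"], setting, severity, message))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or "none" when fully compliant."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[2] for f in findings), key=order.get, default="none")


# Constructed sample inventory: one exposed bucket, one compliant, one partial.
SAMPLE_RESOURCES = [
    {"name": "customer-exports", "public_access": True, "allowed_cidrs": ["0.0.0.0/0"],
     "encryption_at_rest": False, "access_logging": True},
    {"name": "build-artifacts", "public_access": False, "allowed_cidrs": ["10.20.0.0/16"],
     "encryption_at_rest": True, "access_logging": True},
    {"name": "legacy-backups", "public_access": False, "allowed_cidrs": ["10.20.0.0/16"],
     "encryption_at_rest": True},  # access_logging was never configured
]


if __name__ == "__main__":
    results = audit(SAMPLE_RESOURCES)
    for name, setting, severity, message in results:
        print(f"[{severity:6}] {name}: {setting} - {message}")
    print("worst severity:", worst_severity(results))
```

Run on a scheduled basis against exported resource inventories, the same function catches both the initial misconfiguration and later drift; the baseline dictionary is the place to encode the organisation’s own standard rather than hard-coding checks in each job.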

How Tripwire Can Help

Not every organization can manage the vulnerabilities and secure configurations of their applications on their own. In response, organizations can look for a vendor that has a proven track record of helping its customers manage these security functions across their environments.

Learn how Tripwire can help organizations implement these controls with their applications.

The post “Getting Application Security Back on the Rails” appeared first on TripWire

Source:TripWire – Lamar Bailey
