The key to security is to ensure that your most sensitive data is handled with proper controls in place. This should include working with your architects to explore the architecture of applications that handle the most critical data, starting from the data elements themselves and fanning out via impact diagrams (for example, CAST does this with the Application Intelligence Platform). Over time, your team will be able to establish secure architecture components that should handle all sensitive data.
This is a foundational approach to data security and is essential to full security coverage in addition to measuring the security hygiene of development teams and vendors.
Instead of hoping that security can be layered on top of weak applications, your development team should be able to demonstrate applications that can be made more secure. Enforcing architectural guidelines can provide a standard of legitimacy for managing vendors as well. Secure application design needs to go far beyond a check-the-box approach of just conforming to minimal regulatory standards. Most organizations don’t even go far enough in compliance to such standards.
While there are many software quality metrics that can be measured against a software application, CAST uses a Security/Quality Scorecard based on OMG and CISQ measures for Security, Reliability, Maintainability and Security Debt. Based on observations in the field, the following table suggests potential thresholds:
With the rapid evolution of standards, regulations and system complexity, there needs to be a holistic approach to application security. Coding or architectural issues which lead to security vulnerabilities can be some of the most expensive to correct late in the lifecycle. To create a culture of increased security, all parts of the development and stakeholder organizations must be engaged from requirements through operational maintenance.
Application portfolios frequently evolve with less attention to inter-application or inter-module discipline where the most critical security flaws occur. The key is to refine metrics that matter to deliver a balanced scorecard reflecting your commitment to secure, low risk applications.
Many of the best run companies use a similar set of analytics to reduce software risk, while at the same time reducing costs. The payback is almost immediate. According to the IBM’s Data Breach survey, the average cost of a data breach in 2016 was $4 million. A recent IDC study pegs the average cost of application failure at between $500,000 and $1 million per hour. Not knowing where the weaknesses are is not a valid excuse or successful defense.
CAST has put together the tools you need to manage this threat successfully. Together with CISQ, MITRE and leading industry groups, we can help you embed security into your applications. Put us to the test and let us show you how this investment can keep you off the pages of the Wall Street Journal.
This is the season for introspection, new resolutions, and finding ways to improve your status quo. Get started with a structural health assessment of your mission-critical apps within 48 hours.