Software risks to the business, specifically Application Resiliency, headlined a recent executive roundtable hosted by CAST and sponsored by IBM Italy, ZeroUno and the Boston Consulting Group. European IT executives from the financial services industry assembled to debate the importance of mitigating software risks to their business.
The events of last Wednesday proved that things often do come in threes. The “rule of three” reared its ugly head, as technical failures occurred at three large American organizations: the New York Stock Exchange, United Airlines, and The Wall Street Journal. United Airlines grounded all flights nationwide, wasn’t able to conduct background checks of passengers, and left flight attendants handwriting tickets (many of which were not accepted by TSA agents). Then, the NYSE suspended trading for almost four hours, the first time in a decade that trading was halted during regular business hours. The Wall Street Journal’s homepage also faced difficulties and was offline for almost an hour.
There’s a common belief in the software development space that when companies choose application outsourcing of their projects, the control they relinquish by doing so results in lower application quality and puts their projects at risk. Once again, however, CAST’s biennial CRASH Report, which reviews the structural quality of business critical applications, has disproved this theory.
Digital transformation is a project many business executive leaders have recently taken on, especially those in banking and financial services. These organizations are competing to digitally transform front-end systems that are connected to brittle legacy systems. The subsequent failure to identify the structural vulnerabilities in the combined applications produces security and reliability issues that negate the value of digital transformation.
The Consortium for IT Software Quality (CISQ) will host an IT Risk Management and Cybersecurity Summit on March 24 at the OMG Technical Meeting at the Hyatt Regency Hotel in Reston, VA. The CISQ IT Risk Management and Cybersecurity Summit will address issues impacting software quality in the Federal sector, including: Managing Risk in IT Acquisition, Targeting Security Weakness, Complying with Legislative Mandates, Using CISQ Standards to Measure Software Quality, and Agency Implementation Best Practices.
We held a webcast last week with Mark Wireman of OpenSky, who is an expert in application security and has worked in this space for 15 years. We appreciate Mark taking the time to share his experience securing applications in the enterprise and responding to the onslaught of mobile-based entry points in the application development process.
During the course of the hour, we received a number of interesting questions and comments and thought they would make great topics for a few blog posts. Stay tuned for a follow-up post from Mark, which will include answers to several questions on Appsec in agile development.
Defensive vs. Offensive
There was a question during the webinar about defensive and offensive strategy as they relate to security. Mark will elaborate on them in his post, but we wanted to say a few words about them as well.
At CAST, we see many companies taking a code quality approach to application security. That is, they look at software analysis at the code level and use that to flag potential security issues — typically after the SDLC dumps the code into production. While that might seem like a reasonable approach, we believe it’s not enough.
Virtually all thought leaders in application security believe the most advanced security measures are realized in architectural analysis of applications. Truly good security should include elements of an architecture that protects application data, and a process that guarantees security aspects of the architecture are not bypassed. We’ve only seen that deployed by a few CAST customers, and nowhere else. But we believe we’ll all get there, eventually.
Towards the end of our session, we received this comment:
It’s also only a start to mobile security… there are many other layers that need to be considered, but yes, it was a well spent hour
We wholeheartedly agree. Mobile apps only raise the stakes and the importance of securing sensitive data. As we heard from Mark during the webinar, and we hear from the assurance community, most attacks are trying to find their way to the data. We believe that it’s much more than the mobile app that needs to be secured — it’s a system-wide problem that involves the whole application. It’s an issue of overall architecture and how the entire system needs to be designed with security in mind. The mobile app is just one piece, but an important entry point into the legacy application and hence, part of the overall system architecture.
Stay tuned for more details and answers from Mark in part two of this post.
The perimeter surrounding enterprise applications has expanded exponentially since the birth of mobile and cloud, and IT security professionals are looking in all the wrong places to try to find a fix. Traditionally, organizations secured their data using a walled-off perimeter — like the walls of a medieval castle — which contained a multitude of layers to help mitigate the risk of data compromise or exposure. The advent of mobile has altered that landscape dramatically, essentially opening up the front door of the castle and allowing that data to escape into unknown territory — the mobile device.
I’ll be presenting a webinar on this subject, Managing Security Risks with the Rise of Mobile and Cloud, on Feb. 28 at 11:00am EST, but I wanted to answer some questions you might have here on the CAST blog beforehand.
What new challenges exist in mobile application development?
The new paradigm of application development moves away from focusing our efforts on building an internally protected web application. Development now focuses on using the various mobile SDKs that exist to put web apps on mobile devices.
The problem is, those SDKs are made by “mom and pop shops” and do little to address the challenges of securing a mobile device. As a result, we’re seeing “old vulnerabilities” that had been discovered and remediated under the more traditional development methodology starting to resurface.
Is the industry doing anything about it?
From a standards perspective, the industry hasn’t outlined the proper way for organizations to engineer and develop mobile applications. There are no formal methodologies or processes around Android or iOS that the industry can grab hold of to help bring this challenge back to a more manageable state. It’s almost like what we saw in the 90s with the dot-com boom, but we’re seeing it now with mobile SDKs.
Is this a new trend? When did you hear about it?
I first caught wind of this trend towards the end of last year. I found out a client’s international division was using a third-party SDK to create its mobile business applications. The problem was that the SDK just wrapped a mobile front end around a normal web app, and then fed the data back to the client through the third party’s servers. That was scary on a lot of different levels.
What can organizations do to be prepared?
There are strategies that organizations can use to help determine what the overall risk of a particular application is before it goes to market. During the webinar, I will discuss a real-world case study with an organization that instituted an assurance program, and how that helped mitigate and control the risk that applications presented to their business.
With the advent of mobile devices, the threat vector for an organization has grown to an infinite level. IT leaders cannot put their trust in the mobile devices themselves to protect against potential compromises of their data. Ultimately, they’re losing control of how those applications interact with the devices and, more importantly, of how the data is communicated back to the organization.
The time has come for IT leaders to begin instituting stringent security controls and processes around how their mobile applications are being developed and secured. The traditional “castle” defense can no longer adequately protect an organization against the new threats facing it in the mobile and cloud landscapes.
For a more in-depth look into how to protect your organization, tune into our webinar, Managing Security Risks with the Rise of Mobile and Cloud, on Feb 28 at 11:00am EST. Even if you can’t make that time, you can still register for access to the recording when it is available.