Enterprises shifting applications to the cloud save costs, become resilient and can scale easily. But cloud-based applications also come with big security risks.
Over the last two years, almost three out of four enterprises have experienced a security incident related to their applications. And eight of the top ten data breaches of 2023 related to application attack surfaces.
Such application security breaches have far-reaching implications. The direct impact is service downtime, leading to loss of revenue and customer trust. Attackers can also exfiltrate the data connected with the applications. The top data breaches in 2023 exposed 1.7 billion-plus records in total. Intense media scrutiny and regulatory fines follow.
The reasons for such a high incidence of security breaches trace to the state of application security itself.
Developers Show Tendency to Cut Corners
Many application security concerns trace back to the development phase. In a rush to get the application to market in today’s fast-paced world, developers cut corners, especially on testing.
They push the code to production without proper security checks or validations. Almost half of all application security teams do not perform a comprehensive security review. Likewise, most developers compromise on vulnerability assessments and penetration testing.
The reason for cutting corners is the high cost and time delays associated with such reviews and tests. A comprehensive security review takes between one and three days for most applications.
But inadequate testing and reviews leave vulnerabilities in the code that attackers exploit.
As a solution, most security teams now integrate automated tests into the development pipeline. Automated tests identify vulnerabilities early in the development cycle. Fixes become easier and more cost-effective. But automated testing has limitations in complex user interactions and frequent UI changes. As such, automated testing tools are, at best, an aid to make the work of human testers easy and not an auto-pilot alternative.
The Risks from External Libraries and Plug-Ins are on the Rise
Most applications use external libraries and third-party plug-ins to enhance functionality. A typical application uses 47 third-party scripts and connects to 50 third parties.
Google applications, for instance, use Tag Manager, analytics, ads, translate, reCAPTCHA, and YouTube. Meta uses Facebook Pixel and Instagram. WordPress uses Web Analytics and several hosted plug-ins. SaaS providers have thousands of subdomains that use third-party scripts.
These third parties connect and send data to their “home.” Consider Google Analytics as an example. Whenever a user performs an action, the Google Analytics script submits data to Google servers.
Such plug-ins and connections, while improving functionality, also pose security risks. The third-party dependencies load in the end user’s browser, and the enterprise has no direct control over the security measures of these third-party plug-ins. If the plug-ins contain vulnerabilities, attackers may exploit them, redirect traffic to rogue “home servers” and steal data.
For instance, 18% of data breaches in the retail sector originate from Magecart-style attacks. Here, attackers inject malicious code into online shopping carts to steal credit card information.
The effective solution against such risks is complete visibility and control. The onus is on enterprise network security to:
- Maintain a detailed inventory of all plug-ins, including their source, version, and criticality. Assess the risk associated with each plug-in based on functionality, data access, and vendor reputation.
- Retain only indispensable plug-ins and do away with the rest.
- Never allow any plug-in with a history of vulnerability, no matter how critical the functionality it provides.
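One way to put the inventory and control steps above into a build or QA check is to extract every external script a page loads, record its origin and whether Subresource Integrity pins its content, and compare each one against an origin allowlist and a deny list of plug-ins that must not load. The following is an added example, not code from the article: the sample page, the origins, the hash value and the policy lists are all constructed for illustration.

```javascript
// Added example: inventory and policy-check the third-party scripts a page loads.
// Not code from the original article; the sample page, origins and policy lists
// below are constructed for illustration.

// Constructed sample page: the kind of <script> tags a shop front might carry.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://cdn.example-analytics.test/collect.js"
        integrity="sha384-CONSTRUCTED-HASH-VALUE" crossorigin="anonymous"></script>
<script src="https://cdn.legacy-widget.test/v1/widget.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

// Constructed policy (hypothetical): the approved external origins and the hosts
// of plug-ins with a known vulnerability history that must never be loaded.
const POLICY = {
  firstPartyOrigin: "https://shop.example.test",
  approvedOrigins: ["https://www.googletagmanager.com", "https://cdn.example-analytics.test"],
  deniedHosts: ["cdn.legacy-widget.test"],
};

// Extract every <script ...> tag that has a src attribute. A regex is enough for
// a static inventory of a page snapshot; a crawler would use a real HTML parser.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: no external origin to inventory
    scripts.push({
      src: src[1],
      hasIntegrity: /\bintegrity\s*=/i.test(attrs),
      crossorigin: /\bcrossorigin\s*=/i.test(attrs),
    });
  }
  return scripts;
}

// Build the inventory: resolve each src against the first-party origin and record
// where it comes from and whether Subresource Integrity pins its content.
function buildInventory(html, policy) {
  return extractScripts(html).map((s) => {
    const url = new URL(s.src, policy.firstPartyOrigin);
    return {
      src: s.src,
      origin: url.origin,
      host: url.hostname,
      thirdParty: url.origin !== policy.firstPartyOrigin,
      hasIntegrity: s.hasIntegrity,
    };
  });
}

// Apply the policy: denied hosts, third-party origins not on the allowlist, and
// third-party scripts that load without an integrity attribute.
function checkInventory(inventory, policy) {
  const findings = [];
  for (const item of inventory) {
    if (!item.thirdParty) continue;
    if (policy.deniedHosts.includes(item.host)) {
      findings.push({ src: item.src, issue: "denied-plugin" });
      continue;
    }
    if (!policy.approvedOrigins.includes(item.origin)) {
      findings.push({ src: item.src, issue: "unapproved-origin" });
    }
    if (!item.hasIntegrity) {
      findings.push({ src: item.src, issue: "missing-sri" });
    }
  }
  return findings;
}

const inventory = buildInventory(SAMPLE_HTML, POLICY);
console.log(inventory);
console.log(checkInventory(inventory, POLICY));
```

Run with Node against a saved copy of a page; on the constructed sample it reports the tag manager script as loading without SRI and the legacy widget as a denied plug-in, while the first-party script is skipped and the analytics script passes. Note that SRI only helps for scripts whose content is stable; a tag manager that ships new code under the same URL will need a different control, such as a Content-Security-Policy source list.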
Software Applications from Third Party Vendors Pose Significant Risks
Enterprises relying on software from external providers face additional risks.
The SolarWinds attack of late 2020 illustrates the dangers of third-party applications. First, the attackers infiltrated the SolarWinds Orion software supply chain. Next, they inserted malicious code into a widely downloaded software update. These exploits gave them access to the networks of many government agencies and private companies. The attack compromised sensitive data and disrupted operations on a massive scale.
The MOVEit security incident of 2023 was another high-profile attack of a similar nature. The attackers exploited a critical vulnerability in the MOVEit file transfer software. They gained access to numerous enterprise systems and stole sensitive data.
Following these high-profile attacks, the integrity of software supply chains has come into focus. Risk management of third-party vendor software has become integral to application security.
Over half of all enterprises now implement third-party risk management (TPRM) practices.
These TPRM practices include:
- A clear-cut definition of security requirements in vendor contracts.
- Review of vendors’ software bill of materials (SBOM). A comprehensive SBOM review reveals the components and dependencies within the software. Such insights enable better risk identification from the perspective of the enterprise networks.
- Scrutiny of vendor application development processes and practices. Many enterprises now monitor how the vendors build and test the software. They also audit the vendors’ compliance with security standards like ISO 27001 or SOC 2.
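The SBOM review in the list above can be partly automated: parse the vendor's CycloneDX document, list each component with its version, and flag components below a known fixed version, components shipped without content hashes, and components with no named supplier. The following is an added example, not code from the article: the SBOM document, the component and vendor names and the "known-bad version" list are constructed stand-ins for a real SBOM and a real vulnerability feed.

```javascript
// Added example: a first-pass review of a vendor SBOM in CycloneDX JSON shape.
// Not code from the original article; the document, component names and the
// known-bad list below are constructed for illustration.

// Constructed SBOM fragment. Real files carry many more fields; only the ones the
// review uses (name, version, purl, supplier, hashes) are included here.
const SAMPLE_SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", name: "log-helper", version: "2.3.0",
      purl: "pkg:npm/log-helper@2.3.0", supplier: { name: "Example Vendor" },
      hashes: [{ alg: "SHA-256", content: "CONSTRUCTED-HASH-1" }] },
    { type: "library", name: "json-parse-lite", version: "1.9.2",
      purl: "pkg:npm/json-parse-lite@1.9.2", supplier: { name: "Example Vendor" } },
    { type: "library", name: "crypto-utils", version: "3.0.1",
      purl: "pkg:npm/crypto-utils@3.0.1",
      hashes: [{ alg: "SHA-256", content: "CONSTRUCTED-HASH-3" }] },
    { type: "library", name: "ui-kit", version: "5.2.0",
      purl: "pkg:npm/ui-kit@5.2.0", supplier: { name: "Widget Co" },
      hashes: [{ alg: "SHA-256", content: "CONSTRUCTED-HASH-4" }] },
  ],
};

// Constructed stand-in for a vulnerability feed: component name and the first
// version that carries the fix. Anything older is flagged.
const KNOWN_BAD = [
  { name: "log-helper", fixedIn: "2.4.1" },
  { name: "crypto-utils", fixedIn: "3.0.0" },
];

// Compare dotted numeric versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the component list and record what a reviewer would want to follow up on.
function reviewSbom(sbom, knownBad) {
  if (sbom.bomFormat !== "CycloneDX") throw new Error("expected a CycloneDX document");
  const findings = [];
  for (const c of sbom.components || []) {
    const id = `${c.name}@${c.version}`;
    const bad = knownBad.find(
      (k) => k.name === c.name && compareVersions(c.version, k.fixedIn) < 0
    );
    if (bad) findings.push({ component: id, issue: "known-vulnerable-version", fixedIn: bad.fixedIn });
    // Without hashes the SBOM cannot be tied to the artifact actually delivered.
    if (!c.hashes || c.hashes.length === 0) findings.push({ component: id, issue: "no-hashes" });
    // An unnamed supplier leaves nobody to hold to the contract's security terms.
    if (!c.supplier || !c.supplier.name) findings.push({ component: id, issue: "unknown-supplier" });
  }
  return findings;
}

// Count findings per issue type for a quick risk summary.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.issue] = (counts[f.issue] || 0) + 1;
  return counts;
}

const findings = reviewSbom(SAMPLE_SBOM, KNOWN_BAD);
console.log(findings);
console.log(summarize(findings));
```

On the constructed document the review flags log-helper 2.3.0 as below its fixed version, json-parse-lite as shipped without hashes and crypto-utils as having no named supplier; crypto-utils 3.0.1 is at or above its fixed version and is not flagged. The version comparison is deliberately simple (numeric dotted versions only); a production review would use the package ecosystem's own version rules and a live advisory feed.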
Legacy AppSec Tools Have Become Obsolete
The time-tested principle of network security is that you cannot protect what you cannot see.
The ever-growing number of cloud applications and associated data give rise to visibility issues. 57% of enterprises do not have complete visibility into their applications and APIs. Lack of visibility into application behaviour hinders threat detection and response. Security teams cannot understand what is at risk, set alerts, or prioritise remediation.
Most enterprises still rely on legacy security tools. They use log-based SIEM and XDR solutions. These tools can no longer keep up with today’s complex cloud-native architectures. The AI-driven threat landscape makes matters worse.
The proliferation of security tools does not help either. Nine out of 10 enterprises use a minimum of three tools to detect and prioritise application vulnerabilities and threats. But despite these tools, they do not have complete visibility over their networks. They do a bad job of prioritising application vulnerabilities and threats as well.
Protecting applications and data from advanced cyber threats depends on a unified approach. A security platform that drives DevSecOps automation and harnesses AI becomes the need of the hour.
One solution that fits the bill is Dynatrace.
Many security platforms co-opt protection for cloud-native applications as add-ons. The Dynatrace application security platform comes optimised for cloud-native applications. It unifies observability and security data to remove blind spots and improve the risk posture. The platform uses AI for security intelligence and runtime context and prioritises the most potent risks. The runtime vulnerability analysis capabilities make threat detection and remediation 95% faster.