Monthly Archives: September 2016

It's 10 p.m.: Do you know where your apps are?

Larry Ponemon

Ponemon Institute is pleased to present the results of Application Security in the Changing Risk
Landscape sponsored by F5. The purpose of this study is to understand how today’s security
risks are affecting application security. We surveyed 605 IT and IT security practitioners in the
United States who are involved in their organization’s application security activities.

The majority of respondents (57 percent) say it is the lack of visibility in the
application layer that is preventing a strong application security posture. In fact, 63 percent of respondents say attacks at the application
layer are harder to detect than at the network layer, and 67 percent of
respondents say these attacks are more difficult to contain than at the network
layer.

Following are key takeaways from this research.

Lack of visibility in the application layer is the main barrier to achieving a
strong application security posture. Other significant barriers are created by
migration to the cloud (47 percent of respondents), lack of skilled or expert
personnel (45 percent of respondents) and proliferation of mobile devices (43 percent of
respondents).

The frequency and severity of attacks on the application layer are considered greater than
at the network layer. Fifty percent of respondents (29 percent + 21 percent) say the application layer is attacked more, and 58 percent of respondents (33 percent + 21 percent) say attacks are more severe than at the network layer. In the past 12 months, the most common security incidents due to insecure applications were: SQL injections (29 percent), DDoS (25 percent) and Web fraud (21 percent).

Network security is better funded than application security. On average, 18 percent of the IT security budget is dedicated to application security. More than double that amount (an average of 39 percent) is allocated to network security. As a consequence, only 35 percent of respondents say their organizations have ample resources to detect vulnerabilities in applications, and 30 percent of respondents say they have enough resources to remediate vulnerabilities in applications.

Accountability for the security of applications is in a state of flux. Fifty-six percent of
respondents believe accountability for application security is shifting from IT to the end user or
application owner. However, at this time responsibility for ensuring the security of applications is dispersed throughout the organization. While 21 percent of respondents say the CIO or CTO is accountable, another 20 percent of respondents say no one person or department is responsible.

Twenty percent of respondents say business units are accountable and 19 percent of
respondents say the head of application development is accountable.

Shadow IT affects the security of applications. Respondents estimate that on average their
organizations have 1,175 applications and an average of 33 percent are considered mission
critical. Sixty-six percent of respondents are only somewhat confident (23 percent) or have no
confidence (43 percent) they know all the applications in their organizations. Accordingly, 68
percent of respondents (34 percent + 34 percent) say their IT function does not have visibility into all the applications deployed in their organizations and 65 percent of respondents (32 percent + 33 percent) agree that Shadow IT is a problem.

Mobile and business applications in the cloud are proliferating. An average of 31 percent of
business applications are mobile apps and this will increase to 38 percent in the next 12 months. Today, 37 percent of business applications are in the cloud and this will increase to an average of 46 percent.

The growth in mobile and cloud-based applications is seen as significantly affecting
application security risk. Sixty percent of respondents say mobile apps increase risk (25
percent) or increase risk significantly (35 percent). Fifty-one percent of respondents say cloud-based applications increase risk (25 percent) or increase risk significantly (26 percent).

Hiring and retaining skilled and qualified application developers will improve an
organization’s security posture. Sixty-nine percent of respondents believe the shortage of
skilled and qualified application developers puts their applications at risk. Moreover, 67 percent of respondents say the “rush to release” causes application developers in their organization to
neglect secure coding procedures and processes.

Cyber security threats will weaken application security programs, but new IT security and
privacy compliance requirements will strengthen these programs. Eighty-eight percent of
respondents are concerned that new and emerging cyber security threats will affect the security
of applications. In contrast, 54 percent of respondents say new and emerging IT security and
privacy compliance requirements will help their security programs. According to respondents,
more trends are expected to weaken application security than to strengthen it.

The responsibility for securing applications will move closer to the application developer.
Sixty percent of respondents anticipate the application developer will assume more responsibility for the security of applications. Testing for vulnerabilities should take place in the design and development phase of the system development life cycle (SDLC). Today, most applications are tested in the launch or post-launch phase (61 percent). In the future, the goal is to perform more testing in the design and development phase (63 percent).

Do secure coding practices affect the application delivery cycle? Fifty percent of
respondents say secure coding practices, such as penetration testing, slow down the application delivery cycle within their organizations, either significantly (12 percent of respondents) or somewhat (38 percent of respondents). However, 44 percent of respondents say there is no slowdown.

How secure coding practices will change. The secure coding practices most often performed
today are: run applications in a safe environment (67 percent of respondents), use automated
scanning tools to test applications for vulnerabilities (49 percent of respondents) and perform
penetration testing procedures (47 percent of respondents). In the next 24 months, the following practices will most likely be performed: run applications in a safe environment (80 percent of respondents), monitor the runtime behavior of applications to determine if tampering has occurred (65 percent


Submarine builder declares 'economic warfare' as plans for ship said to be hacked; now what?

Bob Sullivan

Get used to another term in the world of computer hacking: “economic warfare.”

A French firm building multi-billion-dollar submarines for Australia and several other nations says it was the victim of economic warfare after some of its schematics for similar subs being built for India were released online, allegedly by hackers. The data was published by Australian media.

The firm, DCNS, is currently bidding for military contracts in Poland and Norway. For the India gig, it had beaten out German and Japanese firms.

An embarrassing data leak would obviously hurt the French firm’s bid for more deals — in addition to perhaps imperiling the security of its current projects.

“DCNS has been made aware of articles published in the Australian press related to the leakage of sensitive data about Indian Scorpene,” the firm said on its website. “This serious matter is thoroughly investigated by the proper French national authorities for Defense Security. This investigation will determine the exact nature of the leaked documents, the potential damages to DCNS customers as well as the responsibilities for this leakage.”

Right now, there’s only speculation about how much the allegedly stolen data might impact the security of the ships when they arrive in India — and the security of similar DCNS ships in Malaysia and Chile.

But DCNS immediately suggested that rivals might be to blame for the leak.

“Competition is getting tougher and tougher, and all means can be used in this context,” a company spokesperson said to Reuters. “There is India, Australia and other prospects, and other countries could raise legitimate questions over DCNS. It’s part of the tools in economic warfare.”

It’s clearly too early to know, however, whether simple corporate espionage is to blame, or whether there might be some military advantage to be gained from publication of the documents. Given that the alleged hackers sent the data to a media outlet, it’s also possible their motivation was political.

The incident does highlight the asymmetrical nature of digital “warfare,” however. A billion-dollar project involving thousands of employees can be derailed by a single person with a digital file and the e-mail address of a journalist.

“If this was economic warfare as speculated, we can expect more attacks like this on a global scale,” said Scott Gordon, COO at file security firm FinalCode. “Hacktivists are motivated by reputational, economic and political gains from capitalizing on businesses’ and countries’ inability to secure sensitive, critical documents — tipping the scale in favor of other contenders in future military action and contracting situations.”

It also shows how hard it is to keep data under wraps when multiple third-party contractors have to share information in large projects.

“Sharing files, such as the 22,000-plus pages of blueprints and technical details on DCNS’s Scorpene submarines, is a necessary collaboration between government, contractor and manufacturing entities,” Gordon said. “But the exposure of these Indian naval secrets illustrates how lax file protection has opened a door to new data loss risks—and how even confidential military information can be exfiltrated and exposed by a weak link in the supply chain.”
