Application security needs to be shored up now

24.08.2015
Application security has come a long way. Now it's mainstream and is being reported in media like The Wall Street Journal and CNN. The last few years have seen a myriad of application-related meltdowns, from Stuxnet to Duqu 1 and 2 and more. The recent July 8 meltdowns at United Airlines, the WSJ and the NYSE attest to the fact that application security is a major concern, irrespective of how often it is ignored.

Brick-and-mortar financial institutions are the targets of choice for robbers because that's where the money is. It's no different in the cyber world: hackers have been targeting payment applications for the same reason. Today, Target, Home Depot, Neiman Marcus, OPM, Anthem Healthcare and more are among the victims.

Breach incidents involving payment processing systems have skyrocketed, in part because vulnerabilities and the attack surfaces they expose are still not being eliminated from applications. Point-of-Sale (POS) malware continues to evolve in sophistication and complexity: it attaches stealthily to application processes, morphs its own profile to evade signature-based detection, and scrapes RAM for cardholder data (CHD), harvesting Primary Account Numbers (PANs) and other sensitive data from the memory of the victimized system.
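The RAM-scraping technique described above is simple enough to show in a few lines, and the same logic is what a PCI assessor or developer runs against a memory dump of their own POS application to prove it does not retain CHD after authorization. The following is an added example, not code from the article or from any POS vendor: it scans a constructed byte buffer (labelled as such; the two card numbers are public test PANs) for Track 2 records and bare digit runs, keeps only Luhn-valid hits so that random digit runs are ignored, and masks what it reports. The regexes and the `scan_memory` helper are my own illustrative assumptions, not a reference to any real malware or tool.

```python
import re

# Constructed sample of process memory (not captured from any real POS
# system): binary noise around a Track 2 record, a Luhn-invalid 16-digit
# decoy, and a bare Luhn-valid PAN. Both card numbers are public test PANs.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TERMINAL_7\xff\x10"
    b";4111111111111111=25121010000012345678?"      # Track 2: PAN=4111..., exp YYMM=2512
    b"\x00 order 1234567890123456 ok\x00"            # 16 digits but fails Luhn -> ignored
    b"\x01\x02 holder 5555555555554444 \x00\x00"     # bare PAN, Luhn-valid -> reported
)

# Track 2 as it sits in memory right after a swipe: ;PAN=YYMM<service/discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")
# A bare run of 13-19 digits with no digit on either side (candidate PAN).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out most digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid card data found in buf, ordered by byte offset.

    This is the core of a RAM scraper; run over your own process dump it is
    also the check that CHD is not lingering in memory after authorization.
    """
    findings = []
    covered = []   # byte spans already attributed to a Track 2 record
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"kind": "track2", "offset": m.start(),
                             "pan": mask_pan(pan), "exp": m.group(2).decode()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue   # this PAN was already reported inside a track record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"kind": "pan", "offset": m.start(),
                             "pan": mask_pan(pan), "exp": None})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in scan_memory(SAMPLE_MEMORY):
        print(f"{f['kind']:6} @0x{f['offset']:04x} {f['pan']} exp={f['exp']}")
```

Against the constructed buffer the scan reports the Track 2 record and the bare PAN and discards the decoy, which is exactly why the Luhn filter matters on a real dump: without it, timestamps, order numbers and pointers produce far more noise than card data. The practical takeaway for a POS developer is that if this script finds anything in a dump of your process after the transaction completes, the application is retaining CHD it has no business holding.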

Application security is at the core of information security, primarily because most data breaches and compromises result from security vulnerabilities within applications. Firms have spent much of the last decade securing their network environments with fancy information security hardware and software such as WAFs, UTMs, IDS/IPS and other things with a lot of acronyms. In the meantime, a myriad of high-profile data breaches have occurred with an application security vulnerability as the root cause of compromise: the application deficiency was exploited, and critical data was stolen.

Within a single week in June 2015 there were announcements about major security flaws in Apple applications and Samsung Galaxy phones, and the disclosure of Duqu 2. The application security wake-up calls happened some years ago. These flaws should be a reminder that application security is not something to be taken lightly, especially considering the veritable explosion of new applications available for mobile devices.

Like regular physical exercise, application security is something everyone agrees is of paramount importance. The challenge is getting motivated: to hit the treadmill, and to ensure secure code is being written and delivered into production applications.

So if application security is so undeniably important, why isn't everyone on the application security bandwagon? The reality is that a lot can get in the way of application security, and some of the most significant issues are:

In part 2, we’ll get into the details of PCI and application security, and detail the compliance domains relevant to PCI and application security.

Ben Rothke CISSP PCI QSA is a Senior eGRC Consultant with Nettitude, Inc. and the author of Computer Security: 20 Things Every Employee Should Know.

David Mundhenk, CISSP, PCIP, QSA (P2PE), PA-QSA (P2PE) is a Senior Consultant for the Application Validation team at Coalfire Labs.

(www.csoonline.com)
