When it comes to keeping enterprise systems and data secure, application security takes top billing. No matter how tight and snug an enterprise keeps security controls, an attacker need only exploit a vulnerability in an app to slither on in and grab a foothold. This is why application security and configuration management form such an important baseline to avoid attacks.
Good application security, in addition to secure software development practices, requires good collaboration among security and operations teams. But a recent survey of IT and security professionals, conducted by the security firm Prevoty, found some sizable disconnects. Here are the top three:
Immediacy of Updates
Half of IT professionals update applications once a month, whereas half of security professionals feel they need to update applications at least once per day, if not multiple times a day.
Time-Consuming Updates of Security Toolsets
Security professionals spend the majority of their time tuning existing application security technology, while IT professionals spend almost half of their time updating existing application security technology.
Ninety-three percent of security professionals report having up to 5,000 vulnerabilities in their backlogs, and 44 percent of IT professionals report that they have NO vulnerability backlogs.
When I see results like this, the first thing I think is that there’s a breakdown in communication somewhere. Attacks against Web applications remain common, yet the attention needed to ensure they’re reasonably secure doesn’t seem to be there. And if IT teams are updating apps as little as once a month, and nearly half of them think they don’t have any vulnerability patching backlogs, something is awry. Either they aren’t taking security seriously, or they’re just not aware of how risky a poorly configured and unpatched application can be.
Another issue here is how difficult security applications are to manage. If security teams are spending the vast majority of their time tuning their security tools, they certainly don’t have enough time to focus on more strategic efforts.
These types of organizational disconnects are precisely what efforts such as DevOps are supposed to help alleviate. Perhaps that’s the way forward out of this worrisome situation.