Organizations across virtually all sectors have embarked on large-scale digital transformation projects. More than 40 percent of chief executive officers worldwide are spearheading such efforts, according to the analysts at Gartner. Of course, most businesses have had enterprise hardware and software in place for some time, most notably, mobile devices and the applications that drive them.
Bring-your-own-device policies are now standard, meaning most modern employees enter the workplace with smartphones and tablets that hold personal and company data, much of which they access through commercial and enterprise applications. These mobile tools can catalyze operational transformation, especially those developed in-house or with the help of external partners for internal use. However, mobile applications also create risk due to the simple fact that they function within a particularly fraught digital environment.
Hackers in 2017 orchestrated almost 1,600 data breaches and purloined more than 178 million sensitive files, according to research from the Identity Theft Resource Center. This year, these nefarious coders have managed to execute approximately 228 attacks and steal 4 million pieces of data. These figures will certainly grow as 2018 continues and drawn-out information siphoning operations come to a close. Sadly, cybercriminals are able to pull off these digital strikes due, in part, to the ever-increasing rates of mobile application usage within the enterprise space.
These portals are prime targets for hackers who wish to steal personal information or company insights and conceal their activity behind legitimate or seemingly real application code. In 2016, analysts from the Ponemon Institute connected with almost 600 information technology professionals working for companies across the globe and asked them to quantify the impact of mobile applications on enterprise data security. Approximately 67 percent of respondents said their respective firms had experienced at least one major breach linked to devices with compromised applications. In short, these useful enterprise tools can be quickly transformed into ticking time bombs.
With this stark reality in mind, businesses must carefully address application security and ensure that the mobile portals that live on employee smartphones can keep both personal and work-related data out of the hands of hackers. Here are some tried-and-true strategies that have proven effective for enterprises across numerous sectors:
Define baseline standards
Before taking demonstrable steps to improve application security, IT teams and their external partners must develop a set of baseline standards for applications used in the enterprise, ComputerWeekly reported. Most experts base these measures on three key themes: confidentiality, integrity and availability. In the case of data security, the first two items are immensely important. Strong applications conceal private user data and feature strong architecture designed to withstand modern digital threats. However, simply documenting these policies is not enough. IT stakeholders must create parallel, actionable workflows for implementing them in internal and external application rollouts, because developers sometimes opt to skip best practices in an effort to speed through production.
Create threat models
While setting up in-house and outside application development and deployment partners for success via strong standards is ideal, organizations must also prepare for the worst-case scenario: a data breach. How? Threat modeling is the accepted approach for forecasting online attacks and instances of data loss, according to the International Data Group. This involves assessing every application and working with industry experts to understand what specific threats each tool faces. For example, researchers at Kaspersky Lab recently discovered a special form of malware designed to infiltrate the messaging application Telegram, Reuters reported. The program allows external actors to collect user messages and other content shared on the platform. An enterprise using Telegram might develop a threat model based on this malware and work out customized mitigation processes and tools.
According to Dark Reading, IT teams must address four key variables when developing threat models:
- Who: What is the identity of the external or internal entity attempting to infiltrate the enterprise application?
- What: What was the overarching goal of the attack?
- How: What attack vectors were used?
- Why: For what reason did the entity target the business in question?
With these factors in mind, organizations can develop realistic threat models and cultivate insights that can be used to inform effective data security protections.
With data security threats growing in number and intensity, many businesses have turned to an innovative application development methodology called DevSecOps. This modus operandi centers on cross-functional IT teams that include development, data protection and operations personnel who collaborate to create in-house applications crafted with security in mind. Mature DevSecOps teams accomplish this by integrating automated security testing into the development process. More than 40 percent conduct such tests during the actual coding stage, while 60 percent do so during initial quality assurance testing, according to research from Sonatype. An estimated 42 percent of long-standing modern DevSecOps professionals leverage automated data security testing during all phases of the application development process, from design to production. With the insights from these scans in hand, these cross-functional teams can tweak internal products and ensure they are constructed to withstand the current digital threat environment.
In addition to conducting regular security scans, DevSecOps teams evaluate the components used in enterprise applications. For most, this involves researching open-source elements, which constitute 80 percent of the average application, analysts for Sonatype found. Of course, these reviews are normally systematized. Almost 60 percent of DevSecOps teams govern open source software usage via formal governance policies, which offer guidelines for integrating external components into enterprise applications.
In addition to addressing data security during the development process, DevSecOps groups implement post-production protections designed to defend live software. According to Sonatype, an estimated 58 percent of these teams rely on web application firewalls, which defend mission-critical online tools from zero-day exploits, cross-site scripting attacks and SQL injection strikes.
While the DevSecOps strategy certainly seems effective on the surface, it is worth exploring the real-world effectiveness of the approach. Do organizations that invest in such resources see returns in the form of secure enterprise applications capable of catalyzing growth? Early reports suggest that the methodology is indeed effective, as it puts application security front and center, according to IDG. That said, firms must choose wisely when it comes to selecting application testing tools and personnel, the two essential variables on which DevSecOps success depends.
Craft detailed employee training programs
End users constitute the first line of defense against digital threats. Savvy employees with system access can easily identify malware-infected email or Trojan applications – i.e., nefarious programs masquerading as seemingly legitimate web tools – and prevent data breaches from unfolding. Unfortunately, the vast majority of modern workers do not have the expertise required to execute these defensive actions. According to researchers at Media Pro, more than 72 percent of employees are considered data security novices, meaning they possess some knowledge but are not adept enough to properly defend themselves when navigating online enterprise portals.
Additionally, 16 percent fall under the risk category, meaning they regularly partake in questionable behaviors that open the door to hackers looking to invade company servers by way of enterprise applications. A mere 12 percent of employees are "heroes," or individuals with enough data security knowledge and awareness to mitigate the risks that come with using online tools.
Organizations that want to maintain optimal application security need to transform their end users into heroes using exhaustive data security awareness programs. These instructional modules give learners the insight they need to responsibly navigate enterprise applications of all kinds, from standard email clients to sophisticated enterprise resource planning software. Unfortunately, many businesses fail to provide this instruction, leaving employees to fend for themselves. Many of the firms that do offer data security awareness training leverage outmoded teaching modules that fail to engage workers. With this in mind, innovators in the space have rolled out new methods, including simulated exercises and gamified experiences, IDG reported.
When it comes to actual training subject matter, there are endless options. According to the SANS Institute, several key topics normally find their way into data security awareness instruction:
- Physical security: Users must know how to protect their devices from theft in all situations.
- Wireless network security: Hackers often leverage public Wi-Fi to infiltrate devices and the enterprise applications on them. Employees should know the risks that accompany connecting to public wireless internet signals.
- Password security: More than 80 percent of hacking-related data breaches involve stolen or weak credentials, according to the researchers at Verizon Wireless. End users must know how to draft effective passwords and store these critical pieces of information.
- Email security: Cybercriminals regularly tunnel their way into corporate servers and enterprise applications via malware hidden in phishing emails. Workers need to know how to spot suspicious email communications that could harbor digital threats capable of compromising mission-critical web tools.
Companies that develop and deploy data security awareness programs that address these topics through engaging instructional content are likely to improve application security.
Abandon antiquated application construction methods
Perhaps the most effective method for facilitating optimal application security is simply reconsidering entrenched development tools and components that are incompatible with the modern online environment. The famed coding language Java is among these fading relics. While still the most popular language in use today, Java is quickly losing steam as new digital dialects enter the mainstream, IDG reported. Additionally, many Java users in the enterprise space have found applications coded in the language difficult to protect, especially in today's threat climate. Why?
Most Java applications are centered on open-source components crafted by multiple parties. While open-source coding facilitates creativity, it also makes patching difficult, which is why an estimated 88 percent of Java applications contain at least one zero-day vulnerability, according to researchers at Veracode. Hackers can easily take advantage of these architectural flaws and find their way into key enterprise applications. Last year, cybercriminals were able to execute multiple strikes leveraging a vulnerability within the Apache Struts 2 framework, a Java-based component used for application development. In fact, hackers used this flaw to orchestrate perhaps the biggest data breach in history, Wired reported. In September 2017, external actors managed to enter the servers of the credit giant Equifax and steal private information for more than 143 million Americans, all because internal IT failed to patch Apache Struts 2.
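The component governance policies described in the DevSecOps section and the unpatched-framework failure described here come down to the same build-time check: every third-party component must be pinned, must not be on a deny list, and must be at or above the version in which a known flaw was fixed. The following is an added example, not code from the original article or any vendor it cites; the manifest, component names, versions and policy are all constructed placeholders.

```python
"""Build-time dependency governance check (constructed example)."""
from dataclasses import dataclass

# Constructed sample manifest in a simple "name==version" format.
# Names and versions are placeholders, not real packages or advisories.
MANIFEST = """\
example-web-framework==2.1.4
example-json-parser==1.9.0
abandoned-crypto-lib==0.3.1
example-logging==3.0.2
"""

# Constructed governance policy: minimum patched version per component,
# plus components that may never be integrated regardless of version.
POLICY = {
    "min_version": {"example-web-framework": "2.1.7", "example-json-parser": "1.8.5"},
    "deny": {"abandoned-crypto-lib"},
}

@dataclass(frozen=True)
class Violation:
    component: str
    version: str
    reason: str

def parse_version(text: str) -> tuple:
    """Turn '2.1.4' into (2, 1, 4); non-numeric suffixes on a piece are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly below b, padding so '2.1' == '2.1.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))

def parse_manifest(text: str) -> dict:
    """Map component name to pinned version; an unpinned entry fails the check."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency rejected by policy: {line}")
        deps[name.strip()] = version.strip()
    return deps

def check_policy(deps: dict, policy: dict) -> list:
    """Return every component that violates the deny list or patched-version floor."""
    violations = []
    for name, version in deps.items():
        if name in policy["deny"]:
            violations.append(Violation(name, version, "component is on the deny list"))
            continue
        floor = policy["min_version"].get(name)
        if floor is not None and version_lt(version, floor):
            violations.append(Violation(name, version, f"below patched version {floor}"))
    return violations
```

A pipeline would fail the build whenever `check_policy` returns a non-empty list, which is the enforcement step a written policy alone does not provide.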
Businesses focused on application security can avoid this kind of catastrophe by swapping outdated languages like Java for modern alternatives that can stand up to modern digital threats and are easier to manage, reducing the likelihood of zero-day vulnerabilities.